Cloud Services Providers


January 5, 2012 2:44 PM | Posted by John Watkins | Permalink

As 2011 has come to a close, it may be remembered as the “year of the hack.” Last week, we learned of an attack on Christmas day that compromised an information security firm, supposedly putting at risk information from the Department of Defense and allegedly exposing 90,000 credit card numbers. This is only the latest in a year that has had one high-profile attack after another. In addition to hacking and data breaches, 2011 also saw a large-scale outage from a well-known cloud services provider, disrupting businesses using the service. We have reported on similar incidents since the inception of this blog.

If you think your business is not at risk, think again. Reflect on how central computers and IT have become even to “old fashioned” businesses. I can remember practicing law without a computer in my office. In those days, you relied on a dictaphone or even a legal pad to compose letters and write legal briefs, and, although our assistants had computer terminals for the mainframe, the good old IBM Selectric typewriter was there in case of a computer failure. Lawyers just a few years older than me can remember when there were no computers, and copies of letters were actually produced on carbon paper.

November 11, 2011 10:37 AM | Posted by Kevin Erdman | Permalink

The National Institute of Standards and Technology (NIST) recently released a three-volume work in progress relating to U.S. government adoption of cloud computing technologies. In the preliminary discussion, the security requirement is noted as “not considered to be fully met at present.” Cloud providers and cloud users should be aware of the development of federal guidelines, as a new federal standard may have a significant effect on cloud computing standards of care. The full three volumes, and related information, may be found at the NIST cloud computing center, and the deadline for comments is December 2, 2011.

While NIST is working on developing federal contracting standards for security, non-governmental entities must also be concerned about security for compliance with data breach laws, in some particular industries for regulatory compliance, and generally for marketing considerations. Despite there being a variety of types of cloud computing customers, “as-a-service” providers often take a one-size-fits-all approach to security. To keep costs down, each such cloud provider generally has a security policy, and that is all it will agree to, regardless of whether it satisfies the individual customer’s particular security needs. Such cloud providers also seem hesitant to provide customers with unique services. A more cooperative discussion regarding security of data may be needed, both from a contractual agreement standpoint and a risk management standpoint, and the results of the discussion should be documented with appropriate contractual language.

Typically, outsourcing providers resist granting broad audit rights to their customers, and cloud computing “as-a-service” providers are even more reluctant. To protect the interests in the security of data, cloud users may demand a quality audit of an “as-a-service” provider, which would require a significantly more in-depth look into the Cloud Computing Provider’s computer systems and proprietary methods. As a customer is relinquishing even more control of its data than under a more traditional service contract, the desire/need for an audit should be greater. These concerns are also compounded if that “as-a-service” provider utilizes a third-party hosting company to host the data and process the “as-a-service” provider’s application. In such an instance, customers should consider requiring the right to audit such third-party host’s data centers and security systems.

January 19, 2011 11:06 AM | Posted by Roy Hadley | Permalink

A recent report by the European Network and Information Security Agency (ENISA) entitled "Security and Resistance in Governmental Cloud" basically approved the use of private and community clouds but cast doubt on public clouds. In fact, as an illustration of this concern, the report states that the Canadian government has instructed its agencies not to use clouds where the servers are outside of Canada, even if they are owned by Canadian companies.

Apparently, the fear of the U.S. Patriot Act and the ability of the U.S. and other governments to easily access data in public clouds is a concern. As the cloud grows, companies and governments will have to grapple with how to address the security and privacy of their data when using public clouds. Given the ongoing Wikileaks matter and other recent security and privacy breaches, this is not a trivial concern.

January 4, 2011 10:47 AM | Posted by John Watkins | Permalink
The New Year always brings New Year’s Resolutions. One of the best resolutions a business can make is to have a legal check-up. Legal check-ups can be coordinated by in-house counsel. If a company does not have in-house counsel, outside counsel can do the job.

Although a legal check-up (or audit) should cover all aspects of a business, information technology issues should certainly be a key area of focus. It is not uncommon in companies for the IT Department and the Legal Department to function independently. Ideally, these Departments should work collaboratively.

December 9, 2010 4:59 PM | Posted by Joan Long | Permalink
As reported in many news outlets, including the Wall Street Journal, Microsoft won a major government contract to supply cloud email and messaging services to the U.S. Department of Agriculture (USDA). The deal covers 120,000 USDA employees, who previously were using 21 different email systems across the department's locations. The USDA systems will be migrated over the next month to Microsoft's cloud-based Business Productivity Online Suite, which includes Exchange, SharePoint and Office Communication applications.

A USDA spokesperson noted the size and complexity of the migration required not only a trusted enterprise-ready solution, but also a partner who could navigate everything from archiving to authentication to mobile phone support.
November 29, 2010 1:31 PM | Posted by John Watkins | Permalink
Simon Bradshaw, Christopher Millard and Ian Walden of the Cloud Legal Project at the Queen Mary University of London School of Law recently published a 47-page paper comparing the terms and conditions of 31 cloud-based services provided by 27 discrete providers. The paper is available for download here.

The study confirms many of the observations we and others have previously made regarding the form terms and conditions for cloud-based services; most notably, an effort to disclaim liability for the use of cloud-based services.