Outlook is Cloudy

Cloud computing has become an exciting evolution in how we deliver, access and use services over the Internet.  The Cloud offers organisations many benefits and opportunities.  However, these opportunities and benefits do not come without a number of security risks that need to be considered.
Ireland is uniquely positioned to handle these issues.  In an article with the CSO Online Magazine titled “Ireland hopes security measures attract big cloud providers” I outline a number of these benefits.  In my opinion these benefits include the high quality of information security professionals that are based here, our experience in managing and running large datacentres and the cloud security research that is going on in various universities.
I have also taken on some active roles to ensure that we as an industry can address the security challenges the cloud presents.  To this end I am happy to say I have been appointed the Chief Operations Officer for the Common Assurance Maturity Model (CAMM).  The objectives of CAMM are to:
  • Provide a framework in support of the necessary transparency to attest the Information Assurance Maturity of Third Party Providers & Suppliers (e.g. Cloud providers).
  • Publish results in an open and transparent manner, without the mandatory need for third party audit functions or due diligence engagements.
  • Allow data processors to demonstrably publicise their attention to Information Assurance in comparison to other suppliers’ levels of compliance and security profiles.
  • Negate the operational requirement for time consuming, expensive, subjective and resource intensive bespoke arrangements to attest security and compliance.
I have also taken a position on the board of the UK and Irish Chapter of the Cloud Security Alliance.  The Cloud Security Alliance (CSA) is a “not-for-profit organisation with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing.” We have some exciting events planned, including a chapter meeting in Dublin to be held later this year, so watch this space.  If you are interested in cloud security you should join the UK and Irish Chapter of the Cloud Security Alliance as it will provide you with the resources to develop and hone the skills required for this evolving environment.
If you are wondering what security challenges we face in moving to the cloud, I recommend that you read the Cloud Security Guidance White Paper from the Cloud Security Alliance and also ENISA’s excellent white paper on Cloud Computing.
You can also review my presentation on Cloud Security below:

ENISA Publishes New White Paper On Security Awareness

Over the summer I worked on a project with ENISA to produce a white paper, “Obtaining Support and Funding From Senior Management”.  The paper is now available on the ENISA website.

This is a very important paper, as one of the most important things to ensure the success of any information security awareness programme is to have the appropriate support and funding from your senior management.  If you are considering rolling out an Information Security Awareness programme then you should have a look at this white paper to ensure that you get the appropriate support from your senior management.

Updated Security Awareness Guide Available

Two years ago ENISA published an excellent guide on how to raise information security awareness within your organisation.  A new version of the guide is now available and well worth the time taken to download and read it.  Security awareness can be one of the most effective defence measures you can invest in.  Once you have created a culture of security within your organisation and trained users on how to identify potential threats, you greatly reduce the ability of attackers to breach your organisation.

Information Security Summer School

Now that the summer is here, although it is hard to believe that given the weather we are having, it is time for summer schools.  As an information security professional you can join in the summer fun too.

The European Network and Information Security Agency (ENISA) and the Institute of Computer Science of the Foundation for Research and Technology – Hellas (FORTH-ICS) are jointly hosting a week long seminar in September to bring together information and network security professionals to discuss many of the challenges that we face.

The list of speakers looks good and includes the likes of Dr. Richard Clayton and has a broad range of topics that will be of interest to many of us.

The summer school will be held from the 15th to the 19th of September on the island of Crete.  Looking out at the rain a trip to Crete looks pretty attractive at the moment.

Disclosure Debate Continues

The Thursday the 29th of May edition of the Irish Independent had an interesting article in its Digital Ireland supplement discussing whether or not Ireland should have mandatory data disclosure laws similar to those in the United States.  I am quoted in the article in support of the introduction of such legislation, while Owen O’Connor and Paul C Dwyer highlight some reasons why they feel we do not need it.

The Irish Times on Friday the 30th of May includes an article where the Data Protection Commissioner, Billy Hawkes, acknowledges that Ireland is likely to see data disclosure legislation being introduced. 

In its 2007 Annual Report the European Network and Information Security Agency (ENISA) also calls for data disclosure laws to be introduced.

A recent poll at the 2008 Infosec show also shows that over 70% of IT Managers surveyed believe UK companies should be required to disclose security breaches exposing personal information.

I will post at a later date outlining the reasons I believe we should have such laws introduced and countering some of the points that Owen and Paul make.  In the meantime I would be interested in hearing your opinion as to why you think data disclosure laws should or should not be introduced.

ENISA Publishes Report on Infosec Certification Schemes

Last year I worked on a project group with ENISA (the European Network and Information Security Agency) that studied the whole area of certification schemes within the information security industry.  The group looked at the different schemes focused on personal accreditation, product certification and organisational certification.  The merits of certification were discussed in detail and ENISA have now published their report.

The main recommendations from the report are:

  • Personal accreditation schemes should be encouraged by the EU for individuals depending on their job profile, from the end user up to the Chief Security Officer.
  • Companies should look at independent schemes to measure and certify their Information Security Management Systems against.

In the report, ENISA also suggests an “ISO 27001 lite” should be developed for SMEs.  I have to say I disagree with this, as I believe ISO 27001 can be made to fit organisations of any size.  What we need to do is make the understanding and adoption of the standard easier for SMEs.  When you mention ISO 27001 accreditation, or indeed any ISO accreditation, to an SME they immediately think of the cost of hiring expensive consultants to roll it out.  So what we need is an interpretation guide for the SME rather than a new and separate standard like “ISO 27001 lite”.

The full report is available on ENISA’s website.  If you look in the reference section you will see they refer to this blog and my post, which was developed as the result of the workshop in November ’07, listing the various information security certification schemes that are available.