On Clouds and The Evolving Role of the CISO
Alex Hutton, May 6th, 2009
One of the fun things about being in Information Security is the amount of change our profession goes through. In a sense, we might pity the accountant, the sales person, or others whose role in the corporation has been well defined for many years. Our role is centered on understanding the use of information (and therefore its protection), and as such our job is as dynamic as that which we seek to protect. Now, if I haven’t mistaken this role, how the CISO approaches her job is about to fundamentally change (again).
FROM GENESIS TO EXODUS
In the beginning, one might have called security management very “military-minded”. And to some extent, we still have lots to learn from those whose business it is to understand conflict and develop strategy. Over time (I’ll offer the widespread adoption of Ethernet as the tipping point) security management became very MIS/EE focused. If you had experience in both areas (a military perspective and MIS credentials) you should have been in a pretty sweet position circa 1998ish.
At some point over the last few years, we’ve added “risk” to the lexicon. Faced with asymmetric tactics and rapid changes in technology landscapes, we realized that our perimeter was bogus, and that security would never be something that we could totally engineer. As such, smart people started telling us our job was not about “secure” but “secure enough”. Risk and risk analysis became the method with which we establish that balance point. And leading companies now integrate strong risk analysis into the SDLC. These companies use risk expression rather than “best practice” to establish policy, and prioritize project resources based on how tangibly each project might contribute to the organizational bottom line.
But we were able to do all that because of the amount of certainty we had (or didn’t have) surrounding our knowledge of the threat, asset, control, and impact landscapes (represented by the dotted line in the diagram to your left). In a sense, our ability to manage was predicated on the information we had at our fingertips. Some of that information carried a significant amount of certainty. On the technical side, over the past couple of years we’ve actually started to figure out what metrics we might be able to gather (just not necessarily what those metrics really mean). From a manager’s perspective, the CISO’s office generally has an idea of who is managing what and how proficient they might be at that job.
ADDRESSING CLOUD COMPUTING
But that’s about to change. Like you, my understanding of “the Cloud” and what that (loaded) term means is evolving. As best as I can tell, from the perspective of the CIO/CSO office, the Cloud is not just about “cost savings”, the Cloud transition is about how to gracefully lose control over computing assets. And if I can compare that grace to the beauty of Olympic ice skating or gymnastics, so far, it doesn’t look like we’ll get high scores from the International Judges.
As an example, one concept I’m starting to see repeated often is that “there are some things that we just won’t move to the Cloud”.
This, in my humble opinion, might not be realistic:
1.) It assumes that the security department will have a veto. Maybe you will and maybe you won’t. But let me say that I would err on the side of “won’t”. For example, even for systems covered by “compliance” (you know, that critical Confidentiality stuff we’d never move to the Cloud), vendors will be quick to sell “certified solutions” (we’re already seeing this, actually).
2.) It assumes that data (and therefore confidential information) is like a liquid: we can control its flow and divert it into the rivers and streams we wish it to follow. Let me assert that data is like a gas; it expands to fill whatever computing space and processes are available.
3.) Building on #2, that statement also assumes that the utility of information manipulation can (and should?) be sacrificed for the sake of Confidentiality. I’m not sure this is a lesson we can draw from the past 20 years of information security history. The reason I think that information is like a gas is that the user does their own risk assessment regarding policy violation, and if it’s the only way to get the utility they need from the data, they’ll go ahead and use the thumb drive anyway. If putting critical data into the Cloud is going to get the job done in a manner that makes the user more useful to the organization they serve, then the user tends to take the risk (right or wrong).
SO HOW CAN SECURITY MANAGEMENT PREPARE?
Back to that “changing roles” idea I presented you with earlier: if the move to Cloud computing is about gracefully giving up control over assets, then we need to address how to do that. Remember how I said that we were starting to be able to concern ourselves with “how much security is enough”, and how that was predicated on some strong information? Yeah, that strong information is going away thanks to the Cloud. That strength of information is a significant part of the “control” we have to gracefully give up. So now, in order to understand what is “secure enough”, we’re going to have to understand, from our Cloud vendors, how much trust is enough. Then, when we don’t have enough trust, how much transparency is enough? If you want to put it in information-analyst terms, we’re trying to decide how much uncertainty is acceptable.
In this manner, the CISO’s office will change. Some folks have already been re-branding their roles from “Information Security” to “Information Assurance”. Like the Cloud itself, it’s not a particularly revolutionary shift; the label just reflects one stage in a gradual evolution. But I think that title is apt, because now, in addition to worrying about measuring things like control effectiveness, A/V coverage, and risk, we’re going to have to understand things like: what level of Governance information are we going to require from which vendors? Once we have that Governance information, what are we actually going to do with it in order to make decisions?
And so now if I’m right, the CISO will find herself evolving from General to Engineer to Analyst in order to get back to General.
Tags: cloud computing, cloud security, information assurance, risk analysis, risk management, security management
Well said. As the network continues to evolve so will our respective roles in building and maintaining that network. I cringe at the thought of going from security to governance, but understanding the “who, what, when, where, why” of the information we seek to protect will prove to be vital and mandatory as we continue the gradual evolution that you speak of.
Posted by: Steven McKinnon on May 14th, 2009 at 3:25 pm

Alex, if the market study results have it right, then hybrid scenarios will prevail, where internal infrastructure resources will coexist with managed cloud services, and organizations (and the people within them) will learn over time which applications should reside where.
I would anticipate that security concerns will continue to be high on the list of criteria used to make a determination; if for no other reason, it gives the CIO a reason to defer the adoption of managed cloud services for “strategic” applications.
Posted by: David Deans on August 12th, 2009 at 10:30 pm