Re: Trying to manage the move to the cloud

[Nathan Zierfuss <nathan.zierfuss () ALASKA EDU>]

Data protection requirements are also one of the ways we are trying to keep sensitive data out of the cloud but 
starting to think about the next 3-5 years when more vendors are offering cloud based ERP resources which will need to 
hold sensitive PII or PHI now would be good. Two areas we are working on are risk frameworks and liability limitations. 
Risk frameworks to think about what we are and are not willing to accept from a vendor or ourselves in the use of cloud 
based services. Establishing liability boundaries in procurements & contracts to know where our risk is by saying at 
point A I'm responsible for this data and what happens to it and at point B you are and we have all agreed to it. 
Rather then the blanket indemnification that currently happens in default licensing and contracts. Developing these 
areas now will be key to dealing with the cloud since stopping it has not been an effective or efficient tactic. 

Nathan Zierfuss, CISSP, Senior IT Security Officer
-
Technology Oversight Services, University of Alaska
910 Yukon Dr. Suite 105, PO Box 755320
Fairbanks, Alaska 99775-5320
-
Ph: (907) 450-8112  Fx: (907) 450-8381

On Mar 11, 2011, at 7:11 AM, Jeffrey I. Schiller wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Fri, Mar 11, 2011 at 10:37:16AM -0500, Bob Bayn wrote:
> > Our Information Security Policy includes this little statement:
> >
> > "Offsite storage, processing or backup of PSI/CID [private sensitive
> > information/critical institutional data] must use service providers
> > evaluated and approved by the responsible data steward in
> > consultation with OIT. OIT is directed to publish standards that
> > conform to this
> > policy<https://it.usu.edu/policies/htm/information-security/selection-of-cloud-computing-services>."
>
> I like this approach. I am not a big fan of "You may not do that,
> period." style policies. If central IT has comparable solutions to a
> service in the cloud that someone wants to use, that is one
> thing. However often this isn't the case. So if you say "you must use
> central IT's services" and the person needs to use the cloud service
> to do their job, in effect you are saying "you cannot do your job."
> Guess what happens then. And yes, I know that they probably can do
> their job without using the particular cloud service at issue, but it
> probably requires more work (which may not be appreciated by their
> supervisor!).
>
> One of the big challenges that we have in security is getting security
> to align with human nature. When we ask people to do something that
> goes against the grain of human nature, compliance will always be low
> and risk will always be increased. I can rant more on this topic, but
> I won't pollute this thread with it :-)
>
> I would recommend first, a data classification policy. Followed by an
> evaluation of various offering out there and a mapping of which class
> of data is appropriate for which cloud service (if any).
>
>                        -Jeff
>
> - --
> _______________________________________________________________________
> Jeffrey I. Schiller
> Information Services and Technology
> Massachusetts Institute of Technology
> 77 Massachusetts Avenue  Room N42-283
> Cambridge, MA 02139-4307
> 617.253.0161 - Voice
> jis () mit edu
> http://jis.qyv.name
> _______________________________________________________________________
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
>
> iD8DBQFNeknD8CBzV/QUlSsRApWmAJ9sIk964Vz5chRhNfvznHBD+KDa1wCg2u3n
> EfgMFVPwex0/4bo4FqcGpaM=
> =Jr4w
> -----END PGP SIGNATURE-----