Where are your assets?

Jan. 21, 2010
John McCumber weighs the benefits, risks of moving information to the ‘cloud’
I was seated at a business dinner last night in Silicon Valley. Around the table at the Four Seasons Hotel sat several technology luminaries representing software companies, government and well-known internet darlings that had made many of their investors and employees quite wealthy. I was privileged to be among them, and the erudite conversion was even more enjoyable than the gourmet meal and excellent Napa Valley wines being served.

Shortly after my grilled sea bass arrived, the topic turned to cloud computing. Several of the guests were intimately involved in this emerging information technology concept. The technologists at the table were able to dive much deeper than the normal platitudes of expected benefits, and we discussed the underlying technologies necessary to actually begin to achieve the cost savings and future capabilities touted at seminars and conferences. Concepts and architectures including thin clients, virtualization and remote storage and retrieval (as well as the nagging security issues) were put forth to be debated. This engaging roundtable discussion took us through the main course, dessert and followed us into the lounge for after-dinner drinks.

During the dialogue, one of the technology industry representatives pointed out that government technology leaders in Washington had been pushing government toward a “cloud environment” and were confronted with push-back from many senior chief information officers. These CIOs were concerned about outsourcing control of sensitive data about American citizens to companies that may end up storing the data virtually anywhere in the world. He mentioned the fact that President Obama’s new national CIO felt it shouldn’t be allowed to be a stumbling block to achieving the projected cost savings and benefits of ubiquitous cloud data services.

After hearing this rather glib dismissal of a recognized security issue, I immediately turned to see the looks on the faces of the government technology executives, and was rewarded to see their obvious expressions of concern with this stance. I could immediately tell exactly the types of people who were “pushing back” on the Washington, D.C.-based visionaries. One looked up from his pot du crème’ and slowly shook his head. “I heard that opinion, too,” he said, “but I am not sure it represents all of us in government.” His carefully chosen words were obviously an understatement.

As the conversation was moving out toward the fireside lounge, I found myself musing about parallels to this Utopian vision of managing sensitive government information assets. It was the responsibility of these government executives to protect citizens’ private data, and they were yet to be convinced that simply flinging it all “into the cloud” could be done while continuing to be an effective steward of the data. How do you manage an asset that’s not under your control? I chuckled to myself as I envisioned a discussion I could enjoy with an insurance agent.

Me: I want to get some insurance on my property and vehicles.

IA: Absolutely. Where is your home located? (Checking insurance tables based on cost of home, location, etc.)

Me: We’ve outsourced our living arrangements in this new economy. My wife and I travel all the time, so we have someone deliver the stuff we need when we need it. It’s the same with our cars. We just rent them wherever we are.

IA: Sounds, well, interesting. How do you get your clothes and other personal possessions?

Me: We simply call our outsourcer to tell them where we will be. We then tell them what clothes we need based on the weather, and what musical instruments, books and family pictures we want there. It has amazing benefits!

IA: Are they insured for any losses that happen to your stuff?

Me: I’m not sure. That’s why we need insurance from you. What happens if one of my guitars is stolen, damaged or becomes lost? What about my wife’s jewelry or our clothes?

IA: I would assume you would hold your outsourcer responsible in that case. Don’t they exercise control over your items?

Me: Well, sometimes they do. However, we also have the delivery service companies who transport the stuff, the various hotel, B&B and vacation rental staff that sometimes have oversight, as well as family members and friends we allow to use our stuff when we don’t need it. Many people are handling our assets. Ultimately, however, it’s our stuff, and I need to manage the risk to these investments we’ve made. We want insurance.

IA: I’m not sure I can help you. There’s no way I can assess the risk in this case, and it would be very difficult to assess liability given the innumerable places your personal property may be at any given time. I can’t insure you for potential losses when we can’t determine who is exercising control over your assets. Here’s my card. Call me when your kids settle down.

John McCumber is a security and risk professional, and is the author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. If you have a comment or question for him, please e-mail John at: [email protected].