InformationWeek's Cloud Computing Destination

Wolfe's Den Interview: Pacific Labs CIO Talks Cloud Computing Security

In that panel session, Trend Micro CEO Eva Chen fielded my question on cloud computing by noting that cloud changes how enterprises approach protecting their resources.

Johnson noted that he'll be more comfortable with cloud computing vendors when they accept some liability for data losses. Johnson kindly agreed to expand on his thoughts in an e-mail after the panel. We picked up the thread of cloud security, and also discussed effective security spending, the rise in malware and cybercrime, and the top security priorities over the next few years:

InformationWeek: How is cloud computing changing the ability to respond to threats?

Jerry Johnson: Detection and containment, the two thrusts we at PNNL are focusing on, become much more difficult.

On detection: It's impractical to place sensors on the cloud provider's network to sniff for unusual behavior. (There's privacy of other tenants' information to consider, cloud networks are too geographically disparate, there are proprietary protocols, and there's too much and too volatile traffic to characterize what's normal.)

On containment: Cloud computing is premised on the ability to quickly openly pass traffic to, from, and between many compute resources. Containment is the antithesis of that.

InformationWeek: How does the increase in the reliance of storing critical data in the cloud impact corporate security, user privacy, and data governance?

Johnson: We have not yet moved into the cloud for applications such as these, but are looking hard at it as an alternative to our existing, on-premise ERP solutions. Security is a major factor in that alternatives study. One industry researcher has estimated the cost of personal identify information data breaches to be $202 per victim.

PNNL's human resources database contains social security numbers for more than 83,000 individuals (active and inactive staff from both PNNL and other Battelle entities, plus beneficiaries). Using the $202 per victim benchmark, that means breach of our network and the HR database has a potential cost of $16.8 million! I'll be more comfortable storing personal identify information in the cloud when the cloud providers are confident enough in their security that they willing to accept that financial risk.

InformationWeek: What do you see as the top three security priorities in the next 3 to 5 years?

Johnson: Rigorous patch and configuration management -- the time to exploit is very small, and the attack vector using spear phishing and social engineering is targeting unpatched vulnerabilities.

Certificate-based perimeterization: Managing firewall rules is simply too unwieldy and too restrictive for a mobile workforce.

Data rights management: Protecting the "crown jewels" using encryption-based technologies, but still enabling authorized people to get their jobs done.