Cloud // Software as a Service
09:23 AM
Alexander Wolfe
Alexander Wolfe
Connect Directly

Wolfe's Den Interview: Pacific Labs CIO Talks Cloud Computing Security

Jerry Johnson, chief information officer of Pacific Northwest National Laboratory, offers insights into cloud security, the war on cybercrime, and the expansion of the perimeter.

For this week's security-focused column, I had the privilege of interviewing Jerry Johnson, CIO of Pacific Northwest National Laboratory. Jerry participated in my recent InformationWeek 500 security experts' roundtable panel -- a video of which you can watch embedded at the bottom of this article.

In that panel session, Trend Micro CEO Eva Chen fielded my question on cloud computing by noting that cloud changes how enterprises approach protecting their resources.

Johnson noted that he'll be more comfortable with cloud computing vendors when they accept some liability for data losses. Johnson kindly agreed to expand on his thoughts in an e-mail after the panel. We picked up the thread of cloud security, and also discussed effective security spending, the rise in malware and cybercrime, and the top security priorities over the next few years:

InformationWeek: How is cloud computing changing the ability to respond to threats?

Jerry Johnson: Detection and containment, the two thrusts we at PNNL are focusing on, become much more difficult.

On detection: It's impractical to place sensors on the cloud provider's network to sniff for unusual behavior. (There's privacy of other tenants' information to consider, cloud networks are too geographically disparate, there are proprietary protocols, and there's too much and too volatile traffic to characterize what's normal.)

On containment: Cloud computing is premised on the ability to quickly openly pass traffic to, from, and between many compute resources. Containment is the antithesis of that.

InformationWeek: How does the increase in the reliance of storing critical data in the cloud impact corporate security, user privacy, and data governance?

Johnson: We have not yet moved into the cloud for applications such as these, but are looking hard at it as an alternative to our existing, on-premise ERP solutions. Security is a major factor in that alternatives study. One industry researcher has estimated the cost of personal identify information data breaches to be $202 per victim.

PNNL's human resources database contains social security numbers for more than 83,000 individuals (active and inactive staff from both PNNL and other Battelle entities, plus beneficiaries). Using the $202 per victim benchmark, that means breach of our network and the HR database has a potential cost of $16.8 million! I'll be more comfortable storing personal identify information in the cloud when the cloud providers are confident enough in their security that they willing to accept that financial risk.

InformationWeek: What do you see as the top three security priorities in the next 3 to 5 years?

Johnson: Rigorous patch and configuration management -- the time to exploit is very small, and the attack vector using spear phishing and social engineering is targeting unpatched vulnerabilities.

Certificate-based perimeterization: Managing firewall rules is simply too unwieldy and too restrictive for a mobile workforce.

Data rights management: Protecting the "crown jewels" using encryption-based technologies, but still enabling authorized people to get their jobs done.

1 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
8 Steps to Modern Service Management
8 Steps to Modern Service Management
ITSM as we know it is dead. SaaS helped kill it, and CIOs should be thankful. Here’s what comes next.
Register for InformationWeek Newsletters
White Papers
Current Issue
Top IT Trends to Watch in Financial Services
IT pros at banks, investment houses, insurance companies, and other financial services organizations are focused on a range of issues, from peer-to-peer lending to cybersecurity to performance, agility, and compliance. It all matters.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of July 17, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.