Wolfe's Den Interview: Pacific Labs CIO Talks Cloud Computing Security - InformationWeek

10/5/2009
09:23 AM
Alexander Wolfe

Jerry Johnson, chief information officer of Pacific Northwest National Laboratory, offers insights into cloud security, the war on cybercrime, and the expansion of the perimeter.

For this week's security-focused column, I had the privilege of interviewing Jerry Johnson, CIO of Pacific Northwest National Laboratory. Jerry participated in my recent InformationWeek 500 security experts' roundtable panel -- a video of which you can watch embedded at the bottom of this article.

In that panel session, Trend Micro CEO Eva Chen fielded my question on cloud computing by noting that cloud changes how enterprises approach protecting their resources.

Johnson noted that he'll be more comfortable with cloud computing vendors when they accept some liability for data losses. Johnson kindly agreed to expand on his thoughts in an e-mail after the panel. We picked up the thread of cloud security, and also discussed effective security spending, the rise in malware and cybercrime, and the top security priorities over the next few years:

InformationWeek: How is cloud computing changing the ability to respond to threats?

Jerry Johnson: Detection and containment, the two thrusts we at PNNL are focusing on, become much more difficult.

On detection: It's impractical to place sensors on the cloud provider's network to sniff for unusual behavior. (There's privacy of other tenants' information to consider, cloud networks are too geographically disparate, there are proprietary protocols, and there's too much and too volatile traffic to characterize what's normal.)

On containment: Cloud computing is premised on the ability to quickly and openly pass traffic to, from, and between many compute resources. Containment is the antithesis of that.

InformationWeek: How does the increase in the reliance of storing critical data in the cloud impact corporate security, user privacy, and data governance?

Johnson: We have not yet moved into the cloud for applications such as these, but are looking hard at it as an alternative to our existing, on-premise ERP solutions. Security is a major factor in that alternatives study. One industry researcher has estimated the cost of personally identifiable information data breaches to be $202 per victim.

PNNL's human resources database contains social security numbers for more than 83,000 individuals (active and inactive staff from both PNNL and other Battelle entities, plus beneficiaries). Using the $202 per victim benchmark, that means breach of our network and the HR database has a potential cost of $16.8 million! I'll be more comfortable storing personally identifiable information in the cloud when the cloud providers are confident enough in their security that they are willing to accept that financial risk.

InformationWeek: What do you see as the top three security priorities in the next 3 to 5 years?

Johnson: Rigorous patch and configuration management -- the time to exploit is very small, and the attack vector using spear phishing and social engineering is targeting unpatched vulnerabilities.

Certificate-based perimeterization: Managing firewall rules is simply too unwieldy and too restrictive for a mobile workforce.

Data rights management: Protecting the "crown jewels" using encryption-based technologies, but still enabling authorized people to get their jobs done.
