Today, I will present "Information Security In The Cloud" at the New York Higher Education Technology Forum. The presentation will deliver a high-level overflow of some things to keep in mind when moving to a cloud-based infrastructure.
The one point that I hope to get across is that, in order to create real value, CIOs must hold cloud service providers to at least the same levels of expectation as they hold their internal IT organization. In other words, when a CIO expects an uptime from 99.99% from the internal IT group, a cloud offering should be able to deliver the same. If a CIO expect to run an infrastructure component for $25,000 (all-inclusive), the cloud offering should be at most the same price. If the CIO expects regulatory compliance and performance monitoring from the internal groups, he should do the same from a cloud offering.
Too often, business are willing to accept a lower level of quality from cloud offering. For example, some of the cloud providers that I have worked with directly typically do NOT promise an minimum uptime, or when they do, it is at most 99.9%. Taking such of offering would often reduce the quality of the end-user service offerings.
The presentation outline is as follows:
- Traditional information security
- Cloud Considerations
- Top Threats (based on the Cloud Security Alliance report of March, 2010)
After I have done the presentation, I'll post the slide deck and I may even record an on-demand version for those who are interested. Don't expect a technical talk, or one that goes in great depths: that would be unsuitable for the audience, and I only have 45 minutes (including discussion).