GovInfoSecurity.com - Information Security News, Regulations, & Education

What's Most Misunderstood About Cloud Computing?

Interview with H. Peet Rapp of ISACA's Cloud Work Group
April 9, 2010 - Tom Field, Editorial Director

Everyone is talking about cloud computing these days - but are they having the right conversations?

H. Peet Rapp is an information security auditor who sits on ISACA's Cloud Computing Work Group, and he's co-author of the white paper Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives.

In an exclusive interview, Rapp discusses:

Cloud computing trends;
What's most misunderstood about the cloud;
How organizations should proceed with their own cloud deployments.

Rapp entered the IT audit/compliance profession in 2003, after publishing the widely read paper "An IT Executive's Overview of the Sarbanes-Oxley Act of 2002." With his firm, Rapp Consulting, he has audited, provided risk assessments and developed IT control frameworks for more than 70 organizations and developed a reduced IT control set for non-accelerated filers.

TOM FIELD: What is the latest on the state of cloud computing? Hi, this is Tom Field, Editorial Director with Information Security Media Group. We are talking today with H. Peet Rapp, a member of ISACA's Cloud Computing Workgroup, and the co-author of a new white paper, Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives. Peet, thanks so much for joining me.

H. PEET RAPP: It's great to be here, Tom.

FIELD: Maybe you can start out by telling us a little bit about yourself and your current work, please?

RAPP: Sure. I am a Certified IT Auditor, a CISA, and nearly a Certified Information Security Manager, known as a CISM. Now, I am between assignments, and during this time I have had the opportunity to go deep into the cloud and become aware of the various different IT security issues you are going to find in cloud computing today.

FIELD: Now, we mentioned up front you are on ISACA's Cloud Computing Workgroup.

RAPP: That's correct.

FIELD: What is this group, Peet, and what is the role of this group?

RAPP: ISACA's Cloud Computing Workgroup consists of IT security and audit specialists from across five different continents, all ISACA members, and we came together last month and identified the various different IT security concerns in the cloud, and we are going to be providing this information in a book, which is currently being written, hopefully to be published by this coming July.

FIELD: Well, big question for you now, given all of the talk about cloud computing. What would you describe as the state of cloud computing today and maybe separating some of the myths from the realities?

RAPP: Okay. What has been unfortunate in a lot of the media hype today regarding cloud computing is coming from the various different cloud service providers hoping to gain traction with potential prospects. The cloud offers clients supposedly unlimited benefits of scalability, on-demand computing needs, able to provide services on an as-used basis with little to no capital expenses. In other words, if you use a lot of the service, you pay for that. It is pretty much equating cloud computing very much the same as any other utility such as gas or electricity -- you pay for what you use. Unfortunately, what has been coming through in these presentations doesn't include what is not becoming recognized as serious cybercrime. One of the things that is going to be happening in cloud computing is various different clients' databases are going to be aggregated into one cloud. So, if a cyber criminal comes into one cloud, they are going to have access not to one client's database but dozens, perhaps even hundreds. So, you are getting these very, very large balls of low-hanging fruit that could be accessible to these cyber criminals, and this is no laughing matter. Security criminals out there today are increasingly sophisticated, and they are going after these types of data for money for profit. In fact, cybercrime several years back surpassed the loss to society that had been ongoing from, say, illicit drugs.

FIELD: So, given the landscape and all the conversation that we hear about cloud, what would you isolate as being most misunderstood about cloud computing in the marketplace today?

RAPP: The most misunderstood stuff about cloud computing today is basically the issue of cybersecurity. Again, little to nothing in the media has been devoted to cybercrime/cybersecurity issues, and I believe a good understanding of cloud computing today was that for every business advantage afforded through cloud computing, you are going to have an equal level or even a greater compelling issue in cloud security risks.
