Skip Links

Are lawyers getting in the way of cloud-based security?

At Cloud Security Alliance Congress, some say lawyers too often are hindrance to better security

By , Network World
November 07, 2012 02:18 PM ET

Network World - ORLANDO, Fla. -- In an age where enterprises and their employees are being relentlessly targeted with malware-based phishing, denial-of-service and other attacks, the ability of the IT security staff to defend their networks and valuable corporate data faces yet one more obstacle, according to some: their own company lawyers.

TECH DEBATE: Should security be on-premise or in the cloud?

Cloud Security Alliance keynote

Company lawyers are busy stopping attacked organizations from sharing information in any way with IT security professionals in different organizations because these lawyers are scared that any shared information would somehow hurt the company, said Dave Cullinane, CEO of startup Security Starfish and former CISO at eBay, who gave the keynote address at the Cloud Security Alliance Congress in Orlando Wednesday.

"Lawyers are saying, 'Don't share that information, we don't know where it will go,'" said Cullinane, chairman of CSA, the group that's bringing together vendors and enterprises to set guidelines for security in cloud-based computing environments.

Cullinane noted it's ironic that lawyers are playing this role in slowing down the sharing of attack information among IT security professionals, while attackers work together on malware to constantly improve their ability to compromise corporate targets. Cullinane said this situation must change, and there needs to be found a good way to anonymize data about attacks to encourage information-sharing.

Cullinane recalled that when the infamous RSA data breach occurred, and he was at the Bay Area CSO Council at the time, he learned "one guy was considered federal and he got a full briefing about what happened at RSA, but he couldn't tell the rest of us. That's silly." Security professionals benefit from understanding ongoing attacks, and sharing information means they could have a better chance at defense, he pointed out.

The reality is that U.S. businesses operate very globally now, as do businesses almost everywhere, and the idea that U.S. law enforcement is somehow going to be able to assist in investigating and resolving attacks against companies is becoming less and less viable, suggested Cullinane. Companies need to be aware that much of the time they will be left to their own resources.

"When I left eBay, we saw a lot of attacks coming from the cloud," Cullinane said. Sometimes the problems emanated from customer PCs where malware was attacking even in the midst of customer transactions. And now the recent massive denial-of-service attacks on about a dozen U.S. bank websites is another reminder of how grim things are getting -- and how sharing information would help IT staffs in getting the big picture.

In another keynote today at CSA, Tim Rains, a director in Microsoft's Trustworthy Computing group, alluded to the fact that lawyers -- as well as C-level management -- at a company considering cloud services to hold data are often the ones who make the decision to go ahead or not. One CISO at the conference, who asked not to be identified by name, said his corporate attorney is the one with a final say over using cloud services, and the answer is typically "no" due to security worries.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News