How Secure Is Cloud

Making Leaders Successful Every Day
May 8, 2009 | Updated: August 4, 2009
How Secure Is Your Cloud?
by Chenxi Wang, Ph.D.
for Security & Risk Management Professionals

© 2009, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available
resources. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, RoleView, TechRadar,
and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. To
purchase reprints of this document, please email clientsupport@forrester.com. For additional information, go to www.forrester.com.
For Security & Risk Management Professionals
Executive Summary
Amid a downturn economy, organizations increasingly look to cloud computing to improve operational
efficiency, reduce headcounts, and help with the bottom line. But security and privacy concerns present
a strong barrier-to-entry. In an age when the consequences and potential costs of mistakes are rising fast
for companies that handle confidential and private customer data, IT security professionals must develop
better ways of evaluating the security and privacy practices of the cloud services. An effective assessment
strategy must cover data protection, compliance, privacy, identity management, secure operations, and
other related security and legal issues. The ultimate goal: Make the cloud service work like your own IT
security department and find ways to secure and optimize your investments in the cloud.
table of Contents
Cloud Computing Has The Industry Abuzz
But What About Security And Privacy?
Why Cloud Security Deserves Special Scrutiny
Handling Cloud Security Concerns
Security And Privacy
Dealing With Compliance
Other Legal And Contractual Issues
recommendations
Users Of Cloud Services Should Pay Special
Heed To Cloud Security
WHAT IT MEANS
Cloud Computing Will Change The Role Of IT
Security Professionals
Supplemental Material
NOTES & RESOURCES
Forrester interviewed 10 vendor and user
companies, including Boeing, Google, Qualys,
salesforce.com, The Jericho Forum, Websense,
and other end user organizations.
Related Research Documents
“Businesses Take BC Planning More Seriously”
February 29, 2009
”Future View: The New Tech Ecosystems Of Cloud,
Cloud Services, And Cloud Computing”
August 28, 2008
“IT Outsourcers Enhance Buyers’Options For
Enterprise Managed Security Services”
July 7, 2008
May 8, 2009 | Updated: August 4, 2009
A Close Look At Cloud Computing Security Issues
This is the first document in the“Secure Cloud Computing”series.
by Chenxi Wang, Ph.D.
with Jonathan Penn and Allison Herald
2
2
5
10
11
12

© 2009, Forrester Research, Inc. Reproduction ProhibitedMay 8, 2009 | Updated: August 4, 2009
2
Cloud computing has the industry abuzz
Cloud computing is omnipresent today. Many organizations are using cloud applications on a daily
basis — Forrester’s Enterprise And SMB Software Survey, North America And Europe, Q4 2008,
shows that 21% of software decision-makers are using or piloting software-as-a-service (SaaS),
another 26% is considering adopting SaaS.1
Business strategists are eyeing cloud as the next cost-
saving and efficiency measure. There is even a movement at the national level: Vivek Kundra, the
country’s recently named federal CIO, is being tasked to push the adoption of cloud-based services
across the federal IT landscape.
The enormous interest in cloud computing can be credited to these tangible benefits:
· Operational benefits. A cloud-based infrastructure, with its robust, massively redundant
infrastructure, can often provide better uptime and availability. Additionally, because cloud
services start with a prebuilt foundation, provide good support for easy provisioning, and allow
consistent upgrades, using a cloud service can expedite the launch of new IT projects and can
help to speed up innovation.
· Financial benefits. The pay-as-you go model, instead of investing capital expenditures
upfront, allows greater flexibility in cash flow. This means that companies can scale gracefully
according to demand and fund more projects simultaneously, all without having to plan
capacity, investments, and personnel a priori. Moreover, your ongoing operational overhead
should be lower, as someone else is managing your operations. Taken together, your total cost of
ownership using a cloud service should be lower than a traditional on-premise alternative.2
· Better support for collaboration and community computing. Collaboration and community
computing allows multisource input and multiparty computing, which is what cloud computing
does best. Community computing and collaboration brings benefits that are not attainable with
local computation only — an example is cloud-based threat services, such as distributed denial of
service attacks (DDoS) or spam detection. A cloud service that has a wide visibility of the Internet
traffic would see the onset of an attack more quickly and accurately than any local threat detector.
But What about security and privacy?
Cloud computing comes in many forms: There are SaaS providers like salesforce.com; platform-
as-a-service (PaaS) like Amazon’s SimpleDB; Web services that offer application programming
interfaces (APIs) that enable developers to exploit functionality over the Internet, such as Yahoo!
Maps and Flickr; and even traditional hosting services like those offered by Savvis and AT&T.3
Why Cloud Security Deserves Special Scrutiny
Cloud computing differs from traditional outsourcing because in the latter model, it is still very
much standalone computing — either you take your server and put in someone else’s data center, or
you have a service provider managing your devices. You know exactly where your data/host is and

© 2009, Forrester Research, Inc. Reproduction Prohibited May 8, 2009 | Updated: August 4, 2009
3
what resources, if any, you share with others. Cloud computing decouples data from infrastructure
and obscures low-level operational details, such as where your data is and how it’s replicated.
Multitenancy, while it is rarely used in traditional IT outsourcing, is almost a given in cloud
computing services. These differences give rise to a unique set of security and privacy issues that
not only impact your risk management practices, but have also stimulated a fresh evaluation of legal
issues in areas such as compliance, auditing, and eDiscovery.
Recently, an online privacy group — The Electronic Privacy Information Center (EPIC) — lodged
a formal complaint against Google’s security and privacy practices to the US Federal Trade
Commission (FTC).4
EPIC’s complaints are centered around three points: 1) Google heavily
advertises their security controls to consumers, yet disclaims all responsibilities in their Terms of
Service; 2) the “harm” caused by the recent Google Docs privacy breach; and 3) Google’s security
and privacy controls are inadequate. While this complaint is targeting Google’s consumer services,
some of the specific points, including the Google App privacy flaw, apply to enterprise customers.
Many agree that security and privacy represent a strong barrier-to-entry and are top-of-mind for IT
organizations considering adopting cloud services. Forrester interviewed close to a dozen vendors
and IT users about the security issues for cloud computing. We synthesized those conversations to
three main areas (see Figure 1):
· Security and privacy. Concerns such as data protection, operational integrity, vulnerability
management, business continuity (BC), disaster recovery (DR), and identity management
(IAM) make up the list of security issues for cloud computing. Privacy is another key concern —
data that the service collects about the user (e.g., event logs) gives the provider valuable
marketing information, but can also lead to misuse and violation of privacy. One way for
customers to evaluate a provider’s security and privacy practices is through auditing, which can
help to lend some visibility into the vendor’s internal operations. However, auditing goes against
the very grain of cloud computing, which attempts to abstract away the operational details by
providing easy-to-use interfaces and APIs. A cloud provider may not allow internal audits, but
they should offer provisions for some form of external audits on their infrastructure and
network.
· Compliance. Users who have compliance requirements need to understand whether, and how,
utilizing the cloud services might impact your compliance goals. Data privacy and business
continuity are two big items for compliance. A number of privacy laws and government
regulations have specific stipulation on data handling and BC planning. For instance, EU and
Japan privacy laws demand that private data — email is a form of private data recognized by
the EU — must be stored and handled in a data center located in EU (or Japan) territories.
Government regulations that explicitly demand BC planning include the Health Insurance
Portability and Accountability Act (HIPAA), Federal Financial Institutions Examination
Council (FFIEC), Basel II, Payment Card Industry (PCI), and the UK Contingency’s Act.5

4
· Legal and contractual issues. Liability and intellectual property are just a few of the legal issues
that you must consider. Liability is not always clear-cut when it comes to cloud services. The
same goes for intellectual property (IP). For some services, the IP issue is well understood —
the cloud provider owns the infrastructure and the applications, while the user owns her data
and computational results. In other cases, the division is not quite so clear. In software mashups,
or software components-as-a-service, it can be difficult to delineate who owns what and what
rights the customer has over the provider. It is therefore imperative that liability and IP issues
are settled before the service commences. Other contractual issues include end-of-service
support —when the provider-customer relationship ends, customer data and applications
should be packaged and delivered to the customer, and any remaining copies of customer data
should be erased from the provider’s infrastructure.
Figure 1 Cloud Computing Issues Checklist
Source: Forrester Research, Inc.45778
Area Topics
Security and
privacy
Compliance
Other legal
and
contractual
issues
Data segregation and protection
Vulnerability management
Identity management
Physical and personnel security
Data leak prevention
Availability
Application security
Incident response
Privacy
Business continuity and disaster recovery
Logs and audit trail
Specific requirements (e.g., PCI, HIPAA, EU privacy, Basel II, FFIEC)
Liability
Intellectual property
End of service support
Auditing agreement

5
Handling cloud security concerns
Google’s recent security bug, which led to a population of Google doc users inadvertently sharing
their docs with a wider audience than they intended, is but one example of security flaws that could
happen with cloud services.6
In 2007, one of salesforce.com’s employees fell victim to a phishing
attack, which led to the leak of a salesforce.com customer list. This in turn resulted in another wave
of phishing attacks targeting these customers.7
Similarly, payroll SaaS provider Automatic Data
Processing (ADP) has also been the victim of phishing attacks.
Steve Whitlock from the Jericho Forum said:
“Like many others, we see huge potential and benefits for moving into ‘the cloud,’ but we see
risks, security issues, and interoperability issues. The community has much work to do to
make the cloud a safe place to collaborate.”
Security And Privacy
Securing your applications or data when they live in a cloud provider’s infrastructure is a
complicated issue because you lack visibility and control over how things are being done inside
someone else’s network. However, the security concerns that you would have if things were
operating on-premise, such as securing infrastructure, applications, and data, should also apply for
the cloud services. Because you don’t have the same level of control or access to recourse actions
when things go wrong, you need to take extra care in evaluating the vendors’ security and privacy
practices.
For security and privacy, companies must consider these aspects: data protection, identity
management, vulnerability management, physical and personnel security, application security,
incident response, and privacy measures. Take data protection, for example: You should engage in
these evaluation activities with your vendor: 1) review the vendor’s data protection techniques for
both data at rest and data in motion and ensure the strength of cryptosystem (if any) is adequate for
your requirements; 2) ensure that the provider has adequate documentation for auditors; 3) review
the vendor’s authentication and access control procedure and ask if any third party (e.g., third-party
service provider) may have access to the data or infrastructure and how; 4) review the vendor’s
architecture to ensure proper data segregation; and 5) if data leak prevention (DLP) is a requirement,
review the vendor’s DLP deployment to prevent against insider attacks (see Figure 2).

6
Figure 2 Security And Privacy Checklist
Topic Speciﬁc concerns
Data
protection
Vulnerability
management
Identity
management
Physical and
personnel
security
Availability
• Data segregation
- How do you separate my data from other customers?
• Data-at-rest protection
- Where do you store my data?
- Encryption and data integrity
- Access control and authentication
- Documentation for auditors
• Data-in-motion protection
- How do you get data from me to you?
- How do you transfer data from one place to another?
• Data leak prevention capabilities (if applicable)
• Can any third party access my data (your service providers) and how?
• Can you ensure all my data is erased at the end of service?
• Show evidence of your vulnerability management program
• How often do you scan for vulnerabilities on your network and applications?
• Can I conduct an external vulnerability assessment on your network and how?
• What’s your vulnerability remediation process?
• Can you integrate directly with my directories and how?
- Review the architecture of integration
- Ensure it doesn’t create a security risk for my own infrastructure.
• If you keep your own user accounts:
- How do you secure user IDs and access credentials?
- How do you handle user churns (e.g., provision and de-provision accounts)?
• Can you support SSO and which standards?
• Can you support federation and which standards?
• Restricted and monitored access to critical assets 24x7
• If dedicated infrastructure is desired, ensure isolated and ask, how often do you scan for
vulnerabilities on your network and applications?
• Background checks for all relevant personnel? How extensive?
• Do you document employee access to customer data?
• Have you gone through a SAS 70 audit,Type I or Type II? Can you share the audit result?
• How many nines do you guarantee in the SLA?
• What availability measures do you employ to guard against threats and errors?
- Do you use multiple ISPs?
- Do you have DDoS protection and how?
• Provide availability historical data
• What is your downtime plan? E.g., service upgrade, patch, etc.?
• What is your peak load and do you have enough capacity for such a load?

7
Figure 2 Security And Privacy Checklist (Cont.)
Dealing With Compliance
Regulations, such as Sarbanes-Oxley (SOX), Gramm-Leach-Bliley (GLBA), and HIPAA, and
industry standards like the Payment Card Industry Data Security Standard (PCI DSS) mandate
controls over the operation of infrastructure, systems and the handling of critical data. Cloud
computing has the potential of putting compliance at risk, as it requires you to hand over IT
controls to someone else and in the process of doing so introduces uncertainties in these aspects:
· Business continuity and disaster recovery. You should understand what your vendor’s BC and
DR plan is. Make sure that it has proper documentation of its processes, for review and auditing
purposes. Whenever necessary, ask for a third-party BC audit.
· Logs and audit trails. Logs and audit trails are important for forensic investigation. But
since cloud providers often use multitenancy logging, access to logs is not always available.
Companies that have investigation and discovery needs should make sure to negotiate access to
their logs and audit trails. It is also important for the vendor to produce evidence that the logs
are tamper-proof, and that they can keep the logs and audit data for as long as your discovery
needs require.
Topic Specific concerns
Incident
response
Privacy
• What is your procedure in handling a data breach?
- Can notification occur within a specified time period?
- In what format do notifications go out and what info do they contain?
• Ensure that the vendor’s incident response procedures do not violate our own incident
response requirements.
• Ensure that critical data (e.g., payment card number) is properly masked and only
authorized individuals have access to the entirety of the data.
• Show me how you protect digital identities and credentials and use them in cloud
applications.
• What data do you collect about me (logs, etc.)? How is it stored? How is the data used?
How long will it be stored?
• What are the conditions under which third parties, including government agencies, might
have access to my data?
• Can you guarantee that third-party access to shared logs and resources won’t reveal critical
information about my organization?
Application
security
• Do you follow OWASP guideline for application development?
• Do you have a rigorous testing and acceptance procedure for outsourced and packaged
application code?
• What about third-party apps (components) you use in your services?
• What application security measures (if any) do you use in your production environment
(e.g., application-level firewall, database auditing)

8
· Specific compliance requirements. Many companies have their own compliance requirements
for service providers, which may include SAS-70 compliance, PCI-certification, ISO 27001,
or others. You should gather these requirements as the prerequisite for selecting prospective
vendors. For a SAS-70 audit, for instance, you need to differentiate between Type I and Type II
audits, as the former is for documented practices and the latter is for tested practices.
Companies that are considering contracting cloud services should understand that compliance is
ultimately your responsibility. The cloud services are merely a tool; it is your responsibility to select
the right tool to help you perform business functions and achieve compliance at the same time (see
Figure 3).
Figure 3 Compliance Checklist
Business
continuity
and disaster
recovery
• Do you have any DR and BC planning documents and can we review them?
- Ensure the procedures are at least as robust as our own.
• Can we do a BC audit?
• Where are your recovery data centers located?
• What service-level guarantee can you offer under DR conditions?
Logs and
audit trails
• Can you accommodate timely forensic investigation (e.g., eDiscovery)?
• Can we agree on provisions in the SLA for investigation?
- What would we have access to? How?
• How long do you keep logs and audit trails? Can you keep them as long as we desire?
• Can we have dedicated storage of logs and audit trails, and how?
• Show evidence of tamper-proofing for logs and audit trails
Specific
compliance
requirements
• Are your data centers under local compliance requirements? If so, which ones?
- Does the local compliance requirements violate our own?
• Are you SAS-70 compliant (if applicable)?
• Are you ISO-27001 compliant (if desired)?
• Can you prove that you are compliant for:
- California A.B. 21?
- PCI?
- HIPAA?
- Basel II?

9
Other Legal And Contractual Issues
Legally speaking, data/application in the cloud is not treated the same as data/application in your
network. Precedence set in courts, such as Warshak v. US, adopted this position.8
In Warshak v. US,
the court opinion stipulates that if “. . . a user agreement explicitly provides that emails and other
files will be monitored or audited,” this knowledge can “extinguish his reasonable expectation of
privacy.” This decision puts into question what it means to have data “monitored or audited” by a
service provider. Does the fact that Google operates on your Gmail content constitute “monitoring”?
And if so, do you, as a user, lose your reasonable expectation of privacy? Users need to be aware of
these issues:
· Liability. The fact that the laws do not treat data in the cloud the same as data on-premise leads
to complicated liability discussions. There have been a few regulation and legislative efforts
to require service providers to contractually acknowledge their responsibility for protecting
the client’s data. The notable examples include PCI 12.8, California’s A.B. 211, and the recent
American Recovery and Reinvestment Act (ARRA)’s HITECH provisions.9
But the principle
of extending liability to the service provider and their associates is new ground in legislations.
In practice, users must approach the liability discussion individually. You need to specify a set
of detailed liability conditions and consequences, including any recourse actions and financial
compensations, and include them in the negotiated service-level agreement (SLA).
· Intellectual property. Another issue that often comes into dispute is intellectual property,
which in this case covers the ownership of and rights in data and services placed in the
cloud. Using cloud services typically means that you are leaving digital footprints wherever
the provider desires, sometimes in far-flung places where you don’t know how information
is policed. Recently, Facebook updated its terms of services to stipulate that Facebook has
perpetual ownership of the data that users upload to Facebook, even after you discontinue the
use of its services.10
To avoid getting into a tangled IP dispute with someone like Facebook, you
should work with your legal, compliance, and business staff to first lay out a set of ownership
requirements that describes which data, applications, and logs you own and your rights to use
them. This should also include the stipulation of rights to use by the cloud provider and any
possible third party (see Figure 4).

10
Figure 4 Legal And Contractual Issues Checklist
R ec o mme n da t i o n s
Users of cloud services Should pay special heed to cloud security
While cloud computing is able to deliver many benefits, organizations should not jump on the
“cloud”wagon without a compelling business driver and a clear understanding of the security,
privacy, and legal consequences. Users of cloud services should not automatically assume that
you are sacrificing security by moving into the cloud, but at the same time, you should not trust
your cloud provider implicitly to deliver security. You can improve your chance of a successful
cloud adoption by exercising the following:
· Gather legal and regulatory requirements first for a feasibility assessment. Laws and
regulations may prevent the use of cloud services — that’s why you need to engage in
a feasibility study first. The study should involve any certification requirements (e.g., PCI
certified vendor, SAS 70 compliant, etc.), geographical limitations, or possible regulatory
requirements against multitenancy. Engage your legal, risk, and compliance officers early on
in this process.
· Thoroughly vet your provider. Use the checklists included here to narrow in on your“must-
have”and“negotiable”requirements. Vendors that fail to meet the“must-have”requirements
should be screened out. Deal with gaps in the“negotiable”terms with recourse actions
and financial compensations. Pay special attention to operational details that are often
obscured by cloud services, such as location of data, events logged, replication method, and
infrastructure redundancy.
Liability • What recourse actions (e.g., financial compensation, early exit of contracts, etc.) can we
agree on in the event of a security incident or failures to meet SLA?
• What conditions under which . . . ?
Intellectual
property
• Can we stipulate in the SLA that all my data (or applications), including all replicated and
redundant copies, are owned by me? Ensure that your service agreement does not lead
you to relinquish any IP rights.
• Scrutinize the language in the terms-of-service that governs the ownership of and rights to
information that you place in the cloud.
End of service
support
• Specify what the cloud vendor will deliver at the end of the service period.
- Will data be packaged and delivered back to me? If so, in what format?
- How soon will I have all my data back?
- Will any remaining copies of data be erased completely from your network? If so, how
soon will it happen?
• Specify any fees that may incur at the end of the service.

11
· Work guidelines and standards into the SLA. Communicate industry standards and
guidelines that are specific to your operations to the vendor and incorporate them into the
SLA. Ask the vendor to provide definitive evidence, such as industry certifications, to prove
that they have the capability to meet these standards and guidelines.
· Seek ongoing assurance that your service providers are compliant. When in doubt, ask
for audits. You can request an audit of your provider’s infrastructure and applications prior
to service commencement, but also periodically afterward to ensure ongoing compliance.
A reputable cloud provider should allow reasonable audit requests. Work with your vendor
to agree on a set of audits that reveal useful information without being disruptive to the
vendor’s infrastructure and operations.
· Use a third-party, unbiased cloud assessment service. As an added level of assurance,
consider contracting a third-party, unbiased cloud assessment service. When you outsource
your operations, most likely you’ll also outsource security expertise.11
This means that
you’ll have little skill in-house to do a proper evaluation of cloud services. A third-party
evaluation service, such as those offered by Hyperic and HP, may be exactly what you need.
Hyperic focuses more on performance and SLA monitoring, while HP’s cloud assurance
service focuses more on secure operations. You should look to these assessment functions:
1) security assessment in the form of network/application scans and penetration testing;
2) performance — load testing and login capacity testing; and 3) availability and uptime
assessment.
W H A T I T M E A N S
Cloud computing will change the role of IT Security professionals
Today, the security and legal landscape for cloud computing is rife with mishaps and uncertainties.
In the long run, however, cloud operators will continue to find economies of scale, not only in
their core services, but also in their treatment of security.
To take full advantage of the power of cloud computing, end users need to attain assurance of the
cloud’s treatment of security, privacy, and compliance issues. To that end, we need an industry
with open standards, clearer regulations, and community-driven interoperability. A standards-
based approach will make it easier for vendors to support flexibility, agility, and expanded cloud
service offerings such as collaboration, and it will also make it easier for customers to evaluate
cloud vendors and build trust in its privacy and security promises.
With the rising popularity of cloud computing and the emergence of cloud aggregators and
integrators, the role of an internal IT security officer will inevitably change — we see that an IT
security personnel will gradually move away from its operations-centric role and step instead into
a more compliance and requirements-focused function.

12
Supplemental MATERIAL
Companies Interviewed For This Document
Google
HP
Qualys
salesforce.com
The Jericho Forum
Websense
Endnotes
1
In Forrester’s Enterprise And SMB Software Survey, North America And Europe, Q4 2008, when asked
“How interested are you in adopting software-as-a-service?”, 21% of respondents indicated they already
adopted or were piloting; 26% said they were interested or considering adopting; and 54% said they have no
interest at the moment.
2
Information and knowledge management professionals must roll out collaboration applications, particularly
if travel budgets are slashed. But in capital-constrained times, the upfront cash outlay and financial risk of
on-premise solutions can prevent many projects from being funded. Fortunately, cloud-based collaboration
service providers offer a cash-flow-friendly alternative to on-premise installation for projects including
email overhauls, wiki workspaces, and Web conferencing. And cash-flow-friendly is a concept that every
chief financial officer (CFO) will understand. See the October 29, 2008, “Talking to your CFO About Cloud
Computing” report.
3
Strategists at product and service purveyors, big and small, are pondering the right paths to take as a variety
of Web and Internet “cloud” technologies and cloud services offerings envelop the market. Three myths are
fogging up the options: 1) Cloud service offerings are one large market; 2) cloud equates to virtualization;
and 3) cloud providers will compete primarily on price. How should IT vendor strategists sell to or compete
with emerging cloud service providers? We cut through the mist to segment the offerings into five cloud
services markets. Two of these markets, Web-based services such as Google and software-as-a-service
offerings such as salesforce.com, are known markets delivered from the cloud. These combine with three
new cloud-infrastructure-as-a-service markets: 1) app-components-as-a-service; 2) software-platform-
as-a-service; and 3) virtual-infrastructure-as-a-service. To capture these new cloud service providers as
customers, IT vendor strategists must create new business units, evolve existing offerings, and evaluate
when to act as a supplier — and when to compete. See the August 28, 2008, “Future View: The New Tech
Ecosystems Of Cloud, Cloud Services, And Cloud Computing” report.
4
In the past EPIC has successfully filed a similar action against Microsoft’s Passport service and won fines
and concessions. For more information see: “New Privacy Complaint Filed Against Google (And The
Cloud),” Search Engine Land (http://searchengineland.com/new-privacy-complaint-filed-against-google-
and-the-cloud-16974).
5
Business continuity (BC) planning consists of three critical phases: business impact analysis (BIA), risk
assessment (RA), and plan documentation. In our Forrester/Disaster Recovery Journal Business Continuity
Preparedness Survey, Q4 2008, we found that businesses are taking the time to complete each phase and

13
regularly update BIAs, RAs, and plans. This is due in part to the increasing priority that businesses place on
BC readiness, but it’s also due to the increasing scrutiny businesses are under from both internal auditors
and external parties such as regulatory bodies, strategic partners, and even customers. Security and risk
management professionals, particularly CISOs and BC directors and managers, must ensure that their own
planning efforts are on par with those of their peers and pay close attention to the areas where businesses
are struggling: testing more thoroughly and frequently, involving business owners in the process from start
to finish, and ensuring the BC readiness of strategic partners. See the February 26, 2009, “Businesses Take
BC Planning More Seriously” report.
6
In March 2009, Google found a bug in its Google Doc application that allowed shared permission without
user’s knowledge. Details of the bug and its fix can be found in Google’s support forum at http://www.
google.com/support/forum/p/Google+Docs/thread?tid=2ef115be2ce4fd0e&hl=en.
7
In 2007, one of salesforce.com’s employees fell victim to a phishing attack, which led to the leak of a
salesforce.com customer list. This incident led to a further Phishing wave targeting these customers. For
more details of the incident see, Brian Krebs, “Salesforce.com Acknowledges Data Loss,” The Washington
Post, November 6, 2007 ( http://voices.washingtonpost.com/securityfix/2007/11/salesforcecom_
acknowledges_dat.html).
8
In 2007’s Warshak v. United States, the circuit court opinion reads: “In instances where a user agreement
explicitly provides that emails and other files will be monitored or audited . . . , the user’s knowledge of this
fact may well extinguish his reasonable expectation of privacy. Without such a statement, however, the
service provider’s control over the files and ability to access them under certain limited circumstances will
not be enough to overcome an expectation of privacy.”
9
ARRA Subsection D, starting at section 13400, stipulates responsibilities of business associates for covered
entities in the event of data disclosure. This is new and the precedent for it is California AB 211, section
1, 56.36 (b), which applies disclosure penalties to “any person or entity who has negligently released
confidential information or records concerning him or her in violation of this part.” The California law
is broader, and the penalty is higher than the federal one, but the principle of extending liability beyond
providers and payers is new ground in both. This is the very first time that laws adopted HIPAA security
provisions (and the civil and criminal penalties for violating them) to partners and business associates of
covered entities as well as the entities themselves.
10
On February 16, 2009, Facebook updated its terms of service to stipulate that the company now has
permanent rights to anything users upload to, display on, or created on Facebook, even after they cease
to be a Facebook member. After three days of industry outrage, Facebook reverted to its original terms
temporarily on February 19. The management team is now working on new terms of service agreement.
11
IT services clients increasingly bundle security services into their comprehensive outsourcing deals with
major full-service providers like IBM, Northrop Grumman, and Wipro. Managed security services (MSS)
now account for more than $3 billion a year of major service provider revenue, and business growth is
accelerating as IT clients continue to sharpen the focus on security. See the July 23, 2008, “IT Outsourcers
Enhance Buyers’ Options For Enterprise Managed Security Services” report.

Forrester Research, Inc. (Nasdaq: FORR)
is an independent research company
that provides pragmatic and forward-
thinking advice to global leaders in
business and technology. Forrester
works with professionals in 19 key roles
at major companies providing
proprietary research, consumer insight,
consulting, events, and peer-to-peer
executive programs. For more than 25
years, Forrester has been making IT,
marketing, and technology industry
leaders successful every day. For more
information, visit www.forrester.com.
Australia
Brazil
Canada
Denmark
France
Germany
Hong Kong
India
Israel
Japan
Korea
The Netherlands
Switzerland
United Kingdom
United States
Headquarters
Forrester Research, Inc.
400 Technology Square
Cambridge, MA 02139 USA
Tel: +1 617.613.6000
Fax: +1 617.613.5000
Email: forrester@forrester.com
Nasdaq symbol: FORR
www.forrester.com
M a k i n g L e a d e r s S u c c e s s f u l E v e r y D a y
For a complete list of worldwide locations,
visit www.forrester.com/about.
Research and Sales Offices
45778
For information on hard-copy or electronic reprints, please contact Client Support
at +1 866.367.7378, +1 617.613.5730, or clientsupport@forrester.com.
We offer quantity discounts and special pricing for academic and nonprofit institutions.

How Secure Is Cloud

More Related Content

What's hot (20)

Viewers also liked (19)

Similar to How Secure Is Cloud (20)

Recently uploaded (20)

How Secure Is Cloud