please answer the case

INTERACTIVE SESSION: TECHNOLOGY HOW SECURE IS THE CLOUD? New York-based investment banking and financial strict processes and guidelines for managing its data services firm Cowen and Co. has moved its global centers. We know our data are in the U.S. and we sales systems to the cloud using Salesforce.com. So have a report on the very data centers that we're far, Cowen's CIO Daniel Flax is pleased. Using cloud talking about says Flax services has helped the company lower upfront tech- Another alternative is to use a cloud provider that nology costs, decrease downtime and support addi give subscribers the option to choose where their tional services. But he's trying to come to grips with cloud computing work takes place. For example, cloud security issues. Cloud computing is indeed Terremark Worldwide Inc. is giving its subscriber cloudy, and this lack of transparency is troubling to Agora Games the option to choose where its many applications run Terremark has a Miami facility but One of the biggest risks of cloud computing is that is adding other locations. In the past. Agora had no it is highly distributed Cloud applications and appli- say over where Terremark hosted its applications cation mash-ups reside in virtual libraries in large and data remote data centers and server farms that supply Even if your data are totally secure in the cloud, business services and data management for multiple you may not be able to prove it. Some cloud corporate clients. To save money and keep costs low, providers don't meet current compliance require cloud computing providers often distribute work to ments regarding security, and some of those data centers around the globe where work can be providers, such as Amazon, have asserted that they accomplished most efficiently. When you use the don't intend to meet those rules and won't allow cloud, you may not know precisely where your data compliance anditors on-site. are being hosted, and you might not even know the There are laws restricting where companies can country where they are being stored send and store some types of information - person The dispersed nature of doud computing makes it ally identifiable information in the European Union difficult to track unauthorized activity. Virtually all (EU), government work in the United Sates or appli- cloud providers use encryption, such as Secure cations that employ certain encryption algorithms. Sockets Layer, to secure the data they handle while Companies required to meet these regulations the data are being transmitted. But if the data are involving protected data either in the United States stored on devices that also store other companies or the EU won't be able to use public cloud providers data, it's important to ensure these stored data are Some of these regulations call for proof that encrypted as well systems are securely managed, which may require Indian Harvest Specialtifoods, a Bemidji, confirmation from an independent audit Large Minnesota-based company that distributes rice, providers are unlikely to allow another company's grains, and legumes to restaurants worldwide, relies auditors to inspect their data centers. Microsoft found on cloud software provider NetSuite to ensure that its a way to deal with this problem that may be helpful. data sent to the cloud are fully protected. Mike The company reduced 26 different types of audits to Mullin, Indian Harvest's IT director, feels that using a list of 200 necessary controls for meeting compli- SSL (Secure Sockets Layer) to encrypt the data gives ance standards that were applied to its data center him some level of confidence that the data are environments and services. Microsoft does not give secure. He also points out that his company and Every customer or auditor access to its data centers, other users of cloud services need to pay attention to but its compliance framework allows auditors to order their own security practices, especially access from a menu of tests and receive the results. controls. Your side of the infrastructure is just as Companies expect their systems to be running vulnerable, if not more vulnerable, than the 24/7, but cloud providers haven't always been able to provider's side," he observes. provide this level of service Millions of customers of One way to deal with these problems is to use a Salesforce.com suffered a 3-minute outage in early cloud vendor that is a public company, which is January 2009 and others several years earlier. The required by law to disclose how it manages informa- January 2009 ourage locked more than 900,000 tion Salesforce.com morts this requirement, with subscribers out of crucial applications and data needed to transact business with customers. More than 300,000 customers using Intuit's online network of small business aplications were unable to access these services for two days in June 2010 following a power outage Agreements for services such as Amazon EC2 and Microsoft Azure state that these companies are not going to be held liable for data losses or fines or other legal penalties when companies use their services. Both vendors offer guidance on how to use their cloud platforms securely, and they may still be able to protect data better than some companies' home-grown facilities Salesforce.com had been building up and redesigning its infrastructure to ensure better service. The company invested $50 million in Mirrorforce technology, a mirroring system that cre- ates a duplicate database in a separate location and synchronizes the data instantaneously. If one data- base is disabled, the other takes over. Salesforce.com added two data centers on the East and West coasts in addition to its Silicon Valley facility. The company distributed processing for its larger customers among these centers to balance its database load. Sources: Seth Fincberg, Shadow on the Cloud?" Information Management, August, 2010; Ellen Messmer *Secrecy of Cloud Computing Providers Raises IT Security Risks," IT World, July 13, 2010; John Edwards, "Cutting Through the Fog of Cloud Security Computerworld. February 23, 2009: Wayne Rash, "Is Cloud Computing Secure? Prove It Work, September 21, 2009: Robert Lemos, "Five Lessons from Microsoft on Cloud Security." Computerworld, August 25, 2009, and Mike Fratto, Cloud Control, Information Week, January 26, 2009 CASE STUDY QUESTIONS 1. What security and control problems are described in this case? 2. What people, organization, and technology factors contribute to these problems? 3. How secure is cloud computing? Explain your answer 4. If you were in charge of your company's informa- tion systems department, what issues would you want to clarify with prospective vendors? 5. Would you entrust your corporate systems to a cloud computing provider? Why or why not? MIS IN ACTION Go to www.trust.salesforce.com, then answer the following questions: 1. Click on Security and describe Salesforce.com's security provisions. How helpful are these? 2. Click on Best Practices and describe what subscribing companies can do to tighten security. How helpful are these guidelines? 3. If you ran a business, would you feel confident about using Salesforce.com's on-demand service? Why or why not