Sister CISA CISSP

May 21 2010   3:18PM GMT

First Dance in the Cloud

Arian Eigen Heald

Well, it finally happened: I got asked to audit information that is stored in a cloud by a third-party vendor.

I’ve acquired the controls, such as password policies, presented in a browser to my client. Several questions came immediately to mind:

1. Given that web browsers are still fundamentally insecure, how does the vendor address such issues? SSL is likely the easy answer here. Let’s hope so. Is data transmitted in the clear after the login? Let’s hope not.

3. Given the prevalence of phishing Trojans, how are vendors and clients going to address illegal and invisible capture of credentials? Do we add this to the VMware profile? That may be the only option. With VMware Reader being free, one image can go on a lot of desktops (M$ may not like this much).

4. Where’s the confidential data sitting? Is it encrypted? Who has the keys? How is the vendor managing employee access?

I’ll keep you posted.
