Jay Heiser

A member of the Gartner Blog Network

Jay Heiser
Research VP
6 years at Gartner
24 years IT industry

Jay Heiser is a research vice president specializing in the areas of IT risk management and compliance, security policy and organization, forensics, and investigation. Current research areas include cloud and SaaS computing risk and control, technologies and processes for the secure sharing of data… Read Full Bio

Coverage Areas:

Summer of Cloud Incidents

by Jay Heiser  |  September 25, 2013  |  2 Comments

Although the actual events took place at widely varying times, the summer of 2013 has witnessed the public release of 3 major ‘inappropriate use of the cloud’ incidents.

On July 28, Oregon Health & Science University (OHSU) felt compelled to notify 3,044 patients that while there was no reason to believe that their data had leaked, or been misused, it was in a place that it shouldn’t be, and they wanted to apologize. Several physicians had decided that their personal GoogleDrive accounts would be an appropriate place to share data, and while this undoubtedly was a convenient place to compare notes on their patients, they hadn’t undertaken a HIPAA BA with the service provider.

The following day, July 29, NASA’s Office of Inspector General released a report that “found that weaknesses in NASA’s IT governance and risk management practices have impeded the Agency from fully realizing the benefits of cloud computing and potentially put NASA systems and data stored in the cloud at risk.”  (NASA has a LOT of data in the public cloud.)  Citing a laundry list of weak cloud control practices, including not asking the permission of the non-existent Cloud Czar, the OIG further stated that “in four cases NASA organizations accepted the cloud providers’ standard contracts that did not impose performance metrics or address Federal privacy, IT security, or record management requirements,” concluding from this that “As a result, the NASA systems and data covered by these five contracts are at an increased risk of compromise.” (see page iv)  I agree that most standard contracts are extremely non-committal about levels of security service, but such a direct correlation between risk and contract verbiage seems….well, cloudy to me.

A month later, on August 28, the US Federal Trade Commission issued a complaint against LabMD for a 2007-8 incident in which the Limewire client had been installed on one of their servers, resulting in personnel data being compromised through that P2P system.  Reminiscent of the OHSU incident, it is yet another case of people of good will who are just trying to get their job done by using spreadsheets to supplement the weakness of IT-provided systems. It appears that Limewire was the private toy of the sysadmin, and not used to support the spreadsheet-based workgroup, but unfortunately, the directory they used was shared to that service.  Unusually for a ‘privacy breach’, it seems that personal data was actually obtained by somebody who tried to use it to commit financial fraud.  5 years after this undisciplined use of the cloud on the part of a sysadmin, LabMD is now required to spend the next 20 years allowing a CISSP to assess their posture.

 

2 Comments »

Category: Cloud IT Governance     Tags: , , ,

2 responses so far ↓

  • 1 Ian Bruce   September 26, 2013 at 11:26 am

    Indeed an overcast summer from a computing perspective.

    I think it’s clear we need to think about data security differently. We’re still too focused on securing an “environment” when we really need to think about how we secure specific files. Security needs to travel with the file, wherever it goes. Our data is increasingly fleet-of-foot, and this trend is only accelerating with greater workforce mobility and the explosion in collaboration technology.

    Thanks – great post.

  • 2 Ryan Tracey   October 1, 2013 at 6:58 pm

    It’s not about having a Cloud Czar – it’s about providing a secure platform to those people of good will who are just trying to get their job done and feel like they have no alternative.