Stories by Thomas J. Trappler

NASA's cloud audit holds value for all

NASA's Office of the Inspector General (OIG) recently audited and evaluated the efficacy of the space agency's efforts to adopt cloud-computing technologies. The resulting report, "NASA's Progress in Adopting Cloud-Computing Technologies," includes six recommendations "to strengthen NASA's IT governance practices with respect to cloud computing, mitigate business and IT security risks and improve contractor oversight." While the recommendations are specific to NASA, their underlying concepts can be leveraged by any organization that wants to more effectively adopt cloud-computing services.

Written by Thomas J. Trappler20 Aug. 13 20:26

Does your cloud vendor protect your rights?

From time to time, organizations are asked to provide access to data for legal reasons. Those requests can be more complicated when the data is in the cloud. But a new report sheds some light on one critical aspect of such requests.

Written by Thomas J. Trappler14 May 13 15:09

Software licensing in the cloud

Someone at my seminar in Los Angeles last month asked about challenges that the cloud poses for software licensing. That's such a broad and complex topic that it could warrant an entire seminar of its own. But this column can at least provide an overview of the issues.

Written by Thomas J. Trappler18 April 13 20:51

For credit card handlers, cloud computing guidelines just got clearer

The fact that regulations evolve at a much slower pace than cloud computing technologies can lead to confusion regarding how to meet regulatory requirements in the cloud. If a client moves a regulated function to the cloud and later falls out of compliance due to a shortcoming on the cloud vendor's part, the client remains accountable. So it's essential to have as much clarity on these issues as possible. Recognizing this challenge with regards to the handling of credit card data, the Payment Card Industry (PCI) Security Standards Council has recently issued guidance on how to apply PCI Data Security Standards (PCI DSS) in the cloud.

Written by Thomas J. Trappler07 March 13 15:10

Regulations and the cloud: HIPAA modification provides clarity

Many regulatory requirements that impact cloud computing were enacted before cloud computing came into existence. As a result, they don't directly or effectively address issues that can arise because of the cloud, leaving both client organizations and cloud vendors without clear guidance on how to comply. While such laws are typically updated at a much slower pace than the cloud evolves, now that the cloud is becoming more established, some regulations are starting to catch up. A case in point is the Health Insurance Portability and Accountability Act (HIPAA).

Written by Thomas J. Trappler12 Feb. 13 19:16

Your cloud contract needs to look beyond renewal time

So you've done all the right things in selecting your new cloud vendor. You went through a competitive bidding process, evaluated the bells and whistles offered by each vendor, identified the service that best meets your needs, got a great price for the first year, trained your staff on the new service, and mothballed your old in-house solution. A whole lot of work, wasn't it? Don't want to go through that again soon, do you? Well, if your contract doesn't effectively address the terms under which you can continue to use the service, then the cloud vendor may have you over a barrel at renewal time.

Written by Thomas J. Trappler20 April 12 02:56

In the cloud, your data can get caught up in legal actions

We all know that the data we rely on to run our businesses can be subject to subpoena and other government actions. Such actions create additional risks when that data is in the cloud .

Written by Thomas J. Trappler21 March 12 03:19

In the Cloud, a data breach is only as bad as your contract

Loss of control is one of the main things that gives people pause when they think about putting their data in the cloud. We've all seen how painful a data breach can be, and it can seem almost like asking for trouble to put your data in the hands of someone else. It's hard enough to prepare for a breach when you're in control. How do you do it when you put someone else in charge?

Written by Thomas J. Trappler17 Feb. 12 03:16

When your data's in the cloud, is it still your data?

When your data resides on a cloud provider's infrastructure, your ownership rights could be compromised. For example, what's to prevent the cloud provider from deciding to access your data and use it for its own purposes? That's why any contract for cloud services should include language clearly affirming your ownership of your data.

Written by Thomas J. Trappler18 Jan. 12 03:23

Cloud adviser: Where's your data?

With cloud computing, technology has advanced more quickly than the law's ability to effectively address its implications.

Written by Thomas J. Trappler14 Dec. 11 05:50

Making sure your Cloud provider can protect your data as promised

At the end of my Cloud Expo West presentation last week, I was asked, "How can we verify that a Cloud provider actually has all of these infrastructure and security mechanisms in place?" It's a great question, one that deserves a fuller answer than I was able to give in the time available.

Written by Thomas J. Trappler29 Nov. 11 02:58

Why physical security matters, even in the cloud

At the Business of Cloud Computing Conference, I caught a presentation by Marlin Pohlman, who noted that No. 3 on the <a href="">Cloud Security Alliance</a> 's "Top Threats to Cloud Computing" list is malicious insiders. This serves as a good reminder that old-fashioned physical security issues require a lot of attention when you're considering a <a href="">cloud</a> service provider.

Written by Thomas J. Trappler27 Oct. 11 02:14