Are lawyers getting in the way of cloud-based security?

ORLANDO, Fla. -- In an age where enterprises and their employees are being relentlessly targeted with malware-based phishing, denial-of-service and other attacks, the ability of the IT security staff to defend their networks and valuable corporate data faces yet one more obstacle, according to some: their own company lawyers.


Company lawyers are stopping organizations that have been attacked from sharing any information with IT security professionals at other organizations, because the lawyers fear that anything shared could somehow come back to hurt the company, said Dave Cullinane, CEO of startup Security Starfish and former CISO at eBay, who gave the keynote address at the Cloud Security Alliance Congress in Orlando Wednesday.

"Lawyers are saying, 'Don't share that information, we don't know where it will go,'" said Cullinane, chairman of CSA, the group that's bringing together vendors and enterprises to set guidelines for security in cloud-based computing environments.

Cullinane noted the irony that lawyers are slowing the sharing of attack information among IT security professionals at the same time that attackers collaborate on malware to constantly improve their ability to compromise corporate targets. This situation must change, Cullinane said, and a good way must be found to anonymize data about attacks so that information-sharing is encouraged.

Cullinane recalled that when the infamous RSA data breach occurred, he was at the Bay Area CSO Council, where he learned that "one guy was considered federal and he got a full briefing about what happened at RSA, but he couldn't tell the rest of us. That's silly." Security professionals benefit from understanding ongoing attacks, he pointed out, and sharing information gives them a better chance at defense.

The reality is that U.S. businesses now operate globally, as do businesses almost everywhere, and the idea that U.S. law enforcement will somehow be able to assist in investigating and resolving attacks against companies is becoming less and less viable, Cullinane suggested. Companies need to be aware that much of the time they will be left to their own resources.

"When I left eBay, we saw a lot of attacks coming from the cloud," Cullinane said. Sometimes the problems emanated from customer PCs, where malware was active even in the midst of customer transactions. And now the recent massive denial-of-service attacks on about a dozen U.S. bank websites are another reminder of how grim things are getting -- and of how sharing information would help IT staffs see the big picture.

In another keynote today at CSA, Tim Rains, a director in Microsoft's Trustworthy Computing group, noted that lawyers -- as well as C-level management -- are often the ones who decide whether a company considering cloud services to hold its data goes ahead or not. One CISO at the conference, who asked not to be identified by name, said his corporate attorney has the final say over using cloud services, and the answer is typically "no" because of security worries.

Trying to build confidence, Microsoft is striving for transparency by submitting security-related information about Microsoft Azure, Office 365 and its other cloud offerings to the CSA's Security Trust and Assurance Registry (STAR), a repository of vendor-submitted information about security practices. (A CSA official today noted that third-party certification of cloud-provider security is expected to be in place next year as well, to augment the service-provider self-attestation found in STAR.)

Microsoft has also created what it calls the Cloud Security Readiness Tool, described as a set of questions on security architecture, authentication and other topics that can be used for "starting the conversation" with executives and helping them get comfortable with concepts they may not be familiar with. "There's still a lot of confusion about what cloud computing is," Rains said in his keynote.

In yet another talk, Tom Kellermann, vice president of cybersecurity at Trend Micro, gave a riveting description of East European and Asian cybercrime and espionage and how victimized companies are being "hunted" as part of a massive "colonizing of the infrastructure." He also added a few observations about lawyers.

The IT security professional is going to have to work to explain the nature of today's security threats to the company lawyer, among others, including the CIO. "Take your general counsel to lunch," he recommended.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE. Email:
