In Forrester’s article titled “ A Close Look At Cloud Computing Security”  by Chenxi Wang, Ph.D. Wang states “While cloud computing is able to deliver many benefits, organizations should not jump on the “cloud” wagon without a compelling business driver and a clear understanding of the security, privacy, compliance, and legal consequences. An effective assessment strategy covering these items will help you reach the ultimate goal: Make the cloud service work like your own IT security department and find ways to secure and optimize your investments in the cloud.”

Forrester includes data protection, disaster recovery, and identity management as some of the areas under security and suggest that an audit of the potential cloud provider to see what level of security is actually provided.

As for compliance, the user should analyze how the cloud may or may not impact one’s compliance requirements.

For legal and contractual issues, Forrester advises that one understands who owns/is responsible for what, between the user and the provider (the data, the infrastructure, etc.)

Another article by Network World’s Jon Brodkin titled “Gartner: Seven Cloud – Computing Security Risks” he talks about seven security risk areas.

1. Privileged user access, sensitive data processed outside the enterprise.

2. Regulatory compliance, how does the cloud provider match your guidelines?

3. Data location, where exactly is your data housed?

 4. Data segregation, understand that your data is “sitting” next to other’s data

 5. Disaster Recovery, what happens when there is an outage?

6.  Investigating inappropriate or illegal activity may be impossible in cloud computing,

7. Long-term viability, what happens if your provider “goes away”?

Another article in Network World that reported on the RSA conference, and stated that the former technical director of NSA, Brian Snow is very concerned about vendors offering cloud computing from a security point of view. He is concerned about vendors not addressing current security issues and about new issues that cloud computing will create.   Ironically another panelist was concerned about “Big Brother” listening in on cloud computing and how this might impact enterprises’ privacy and compliance issues.

So to wrap up, the internet has security issues, and since cloud computing is in the internet, cloud computing will have those security issues, ones listed above, and ones yet to be discovered. It comes down to the risk profile for your corporation; what level of risk is right for your company relative to investing in cloud computing? Obviously part of the risk assessment depends on your type of company.  If you are a financial advisor or in stock management where your intellectual property is basically the company then cloud computing as we currently know it is not right for you at any cost savings. If you resell ping -pong balls (no offense to ping- pong ball resellers) than the risk is relatively low and the savings from cloud computing outweigh the security and other considerations. 

Have you conducted an adequate risk assessment before deciding to move to cloud computing?

RHL 03/10/10

In obtaining this information, the buyer readily gives up some information about himself.  At a minimum, his/her name and email addresses; more detailed information about his/her company, buying intentions and other demographic data if he/she wants a particular white paper or is promised a discount or savings.

This information flows into the Marketing department and usually into an automated Customer Relationship Management (CRM) tool, often under the control of the CMO but maintained by the IT department.

The video below, produced by the ACLU a few years ago, is a tongue-in-cheek representation of what might happen if this information becomes freely available.  However, with data mining tools and loose security it is not too far fetched.

Ordering Pizza in the Future

It is important to note that the EU has an entirely different view of data privacy than the US.  If you work within a multi-national and/or are collecting information about people from outside the US, you need to take added steps to secure this information.

As CMO, are you comfortable that your customer information is secure and cannot slip out of your company?  If not, do you know what steps to take to make it secure?

RHM

11/19/2009

Recent releases, pronouncements and advice from analysts have continued to muddy the waters relating to social networks and networking.

• First, it was tweeted that ESPN was banning their talent from using twitter.  This was later clarified, but a close reading of ESPN’s policy suggests that ESPN personalities will only be tweeting about the weather.

• Then, the NFL took action by issuing a new policy,  ”The NFL, which has an official Twitter account, issued an edict this week banning coaches, players and football operations personnel, or anyone representing them, from updating their status on Twitter, Facebook or other social media during games and up to 90 minutes before and after.“

• This was followed by a research report from CareerBuilder that showed that hiring managers are frequently not making (or making) hiring decisions based on what they find on Facebook pages.

• The security pros got into the act, giving strong endorsement to security luminaries, Marcus Ranum and Hord Tipton when they denounced twitter at a Forrester conference.

• Finally, McKinsey released a report on Web 2.0 that shows that companies are effectively employing Web 2.0 tools, primarily blogs, wikis, and podcosts, but internally, not necessarily externally.

Given the buzz and hype, the mixed and often confusing messages, what position should a CMO take regarding of Web 2.0 or social networking or whatever it is called?

1. The use of new tools is here.  The key is how to best use them to achieve Marketing goals.
2. Indiscriminate use poses significant risk, especially data loss.  The new tools cannot be implemented without firm corporate policies…see ESPN and the NFL for examples.
3. Proof-points exist where they are being used to achieve higher levels of customer satisfaction and in meeting customer needs…see McKinsey.  Building off knowledge learned here can position the Marketer to use these tools in identifying customer needs as well as lead generation and qualification.
4. The “best practice” implementation of these new tools is unknown.  Those using them are trying, potentially failing and trying again.  There is little or no guidance in this area; waiting for the time where guidance and direction exists will be too late in today’s competitive arena.

Does your firm have a Social Networking policy?

Are you monitoring what is being said about you and your company?  If yes, are you responding appropriately?

Do you, as the CMO, have a number of initiatives launched or teed-up using the new social networking tools, risking failure, or are you a laggard waiting until the train has left the station?

RHM – 9/21/2009

In the past, Marketing people collected and retained “portfolios” of their work, to show others, and in the event of moving to a new job to show prospective new employers. These portfolios might contain samples of creative work, brochures, campaigns, Point-of-Sale displays, and so forth. Today, these creative works tend to be electronic and contained on computers.

How can a Marketing person construct a portfolio, especially when faced with a layoff and only having access to his/her material through a company issued computer?

Can they, should they, send copies of the material to their personal email address or copy it to a flash drive or CD? If they do, will it be detectable? What about the legal and moral issues?

Starting with technical questions:

Does deleting emails sent to personal addresses make it harder to find? Not really, especially if the company is intent on looking. There are built-in Microsoft tools as well as multiple third party tools and services available.  In addition, there could/should be logs that indicate activity, pointing to both the origination and deletion of the emails. Advanced Outlook Express Recovery is an example of one of the many such tools that can be used.

What if they were copied them to a CD or thumb drive instead? This makes it a little, but not much harder.  An examination of an employee’s computer can show what was downloaded, to what and when, fairly easily. There are a significant number of forensic tools available to IT administrators to help them discover what was downloaded, if this becomes a question.

On the non-technical side.

Today virtually all companies require a new employee to sign a series of documents as part of the hiring process. One is an Acceptable Use Policy (AUP), which specifies how the company issued computer and the Internet can and should be used during daily activity and in conducting company business.  Basically, the AUP says that everything on the computer belongs to the company and that they can fire you for cause if they find you are looking at porn, gambling, selling goods on eBay, watching ESPN, or anything else they prohibit.

A second document is an Intellectual Property Policy, which says that anything developed by you, while working for the company, belongs to the company.  This prohibits you from taking the formula for Coke, or anything else you developed, while working for the company.

The key is how these documents are interpreted.

If the Marketer is parting on good terms, many companies allow the employee to take copies of past presentations, brochures, white papers, etc. that are samples of the person’s work and in the public domain.  Not allowed would be the report that shows a 200% increase in sales due to the work product.

In addition, if the employee takes generic information that he/she has downloaded off the web, there is usually no problem.  If, however, the company has an agreement with Gartner/Forrester, etc. the proprietary nature of their reports is a no-no.

My observation is that it is in an employer’s best interest to allow a laid-off employee to take his/her information. It shows that the employer trusts the employee, and that by allowing him/her to have the information it potentially shortens their time between jobs. As a result, positive feelings are maintained. It also allows the new employer to make a “better” decision, as they can evaluate the prior work product as part of their hiring decision.

If the Marketer is not leaving on good terms, the employer (1) can easily find that he/she copied information, and (2) has legal standing to cause some problems, i.e., cancelling severance pay, no recommendation, etc.

If the company conducting a layoff does not have a “walk’em out the door” procedure, the Marketer might want to work with his/her manager, saying, “I have worked here for X years, and would like to take some personal and developed information on my computer; will you spend some time copying them to a thumb drive with me?”  The manager might say, “you know what our policies are, copy what you think is appropriate and let me review it.”

If the policy is to escort the laid-off people out the door, cutting off access to their computer, the Marketer might want to provide his/her manager or the HR manager with a list of documents and/or files that he would like, and ask him to forward them to him/her.

Either way, everyone knows what is happening and the company buys into what the Marketer is doing.

When talking with potential new employers, the ability to illustrate work product provides a significant advantage. In today’s electronic age, obtaining copies of this work in the event of being laid-off is difficult, but it can be done. It requires that the Marketer understand how the company interprets its policies and/or by constructing a detailed listing of documents and files beforehand.

Are you prepared?

RHM 7/29/2009

When we were children, the adults in our life provided guidance in the form of information and direction, which they learned from their parents, or acquired themselves through the school of hard knocks. We were instructed not to touch the stove…it is hot and can hurt you; to look both ways before crossing the street…cars can hurt you; and do not run with scissors, you will put your eye out; etc, etc. Sensible advice aimed at helping us as we grew up and experienced the world, as our parents knew it.

Due to the rapid pace of technological change, only a few adults are providing guidance to their children as they learn and use internet skills and social networking tools. A Generation Y /Echo Generation person, raised on a computer, with its immediate access to information, continual linkage to their friends through IM or SMS, and seeing what their friends are doing on Facebook, lives in a different world than someone who remembers a Basic programming class or punch cards.

The issue is that neither the parents nor the children know what to do or how to act. The parents because they have not experienced it, the children because they are generally naïve and trusting, and there is scant education about social networking risks. Interestingly the Government has stepped into this void with some clear information and direction.

Accepting that there are bad people in the world, and that they will take advantage of others for personal gain, the Internet poses risks to people, countries and enterprises. The Lori Drew/Meg Meier suicide case and identify theft are examples of personal attacks. Denial of Service attacks happen daily, and are now deployed by government agencies in state-to-state conflicts. Enterprises are prime targets as BJ’s, TJX Heartland and Choice Point can attest.

On top of the security risks, there are significant marketing risks. Failure to address all of them may negatively impact the company or bring it down completely. Specifically:

1. Is the company using social networking properly? Are we employing the right mix of “traditional” communication technologies with social networking technologies? Failure to use the right mix may allow competitors to gain market share.
2. If the company embraces social networking, and has multiple people blogging and tweeting, along with multiple Facebook pages, is the right message being communicated, consistently? Is the message being undercut by rouge bloggers? See what happened at Whole Foods for an extreme example.
3. If bad people are using the information contained in the Marketing blogs, Facebook, and LinkedIn sites, along with Marketing tweets, to develop social engineering attacks on our company as a whole, or as a way to blunt our marketing programs, what our are defenses and mitigation strategies?
4. What protection is in place to stop company confidential information from leaking out through social networking postings? Are postings by a junior Gen Y person that she is “going to the trade show and we are introducing a feature that will really rock”, or that “We working on closing a multi-million dollar deal with Acme Tool and Die” a concern? What if the posting is more specific? Does everyone understand the sensitive nature of information or commenting about places or things? Making negative comments about Memphis proved to be disastrous.

The bottom line is that no one is providing adult supervision regarding the use and application of social networking tools. The knowledgeable Marketing Manager recognizes the risks, prioritizes them and then works with his department and within the company to teach, learn and lead. However, as with technologies today, speed is critical. Failure to learn, adopt and educate in 2009 may result is some of the negative issues cited above.

How well do you understand all the risks of social networking, and what are your second half 2009 mitigation plans? Will you be called on to explain how something happened when a social network goes south…which is a “when,” not an “if”? Are you prepared?

My next post will answer the question, “Would Smokey the Bandit Tweet?

RHM 6/25/2009