As a Security Professional supporting the Government, I have been bombarded with the organization using Cloud Computing for the day to day applications and operations. The move to the Cloud is easy for the end user - but is a pain and potential nightmare for those that want to secure the data and protect our Assets.

My Team and I am working our security assessment approach - following the government approved standards. However, from the EH side, am adding additional items as we won't be able to see the assets first hand and have to entrust a third party to protect us.

But aside from the obvious items (scanning from IP's of the unknown, XSS attacks, social engineering, and maybe a spearphish scenario/test case. anyone have any good items to share to add to my list of tests or maybe past experiences or "it was easy" to get to the jewels?!?!?

Thanks.
savingpvtryansdad

In regards to KamiCrazy's post, he / she asked a very important question:

"I don't have anything specific to add to the discussion but I do want to bring up that going to the cloud you are essentially outsourcing your IT. Or at least part of the infrastructure.
Is that acceptable to your organisation?"

It's interesting that this topic came up, and that this question comes up, as a major provider of webhosting services recently (within the past couple of weeks) had their customers websites defaced.  While it was likely some 'script-kiddie' looking for a thrill - they posted images similar to what might be posted on islamic militant and terror groups' sites - it still doesn't bode well for the customers, whose sites were defaced.  One such site was for a county government's Health Department.  While defacing may or may not have been the worst thing that could have happened (they also had scripts on there to auth to employee data, email, and others, so it could be a lot worse, if the attackers would've gained access to said data through XSS to gain passwords, etc,) ultimately, you have to decide how worth the costs it can be, if you're allowing the security of your 'public image' and public site to be hosted by someone else.

I'd agree fully with savingpvtryansdad, in that it certainly does make things easy for end-users and customers, sometimes, but can be an overall nightmare for IT staff, to try to manage services and security that are out of their control, to whatever extent.