ChiefIT.me Magazine - May/June 2016


Cyber Security

Keeping your information secure in the cloud

By Tony Campbell, CISO Correspondent


As the industry shifts to procuring IT services as utility-style operational expenses, cloud services have become the most pervasive and ubiquitous strategic driver in the IT boardroom. However, the more astute C-suite executives have held off, watching the technology sector take stock as some of the initial promises of the cloud have proved to be false. The reality of what's best for big business has emerged as a hybrid approach, blending the best of self-managed IT, with locally sourced, dedicated systems, along with publicly sourced, cloud-based IT.

Furthermore, the transformation to hybrid cloud brings one more conundrum for the C-suite to concern themselves with, one that is yet to be fully addressed by industry. Information security and safety in the new world of hybrid cloud, especially given the added complexity of new architectures, shifting hardware paradigms and brand new legal considerations, have become a major headache for many.

Cloud services present the business with a variety of challenges, all of which need to be assessed and addressed prior to jumping in.

• Cloud services are usually provided on multi-tenancy platforms, which is how service providers keep their price down. For customers, this means your service is installed alongside services provided to another customer, with the configuration of the cloud service being the control sitting between each tenant. There are potential risks relating to information confidentiality and availability that need to be assessed and mitigated prior to adoption.

• Accountability and responsibility remain paramount. The reality is that you never relinquish the accountability for your data security. However, we are seeing delegated responsibility for service and data security transferred to the service provider through the cloud services contract. This contract needs to be robust and tested through your own legal department. Make sure not to simply sign on the dotted line and hope for the best just because you're working with Amazon, Google or Microsoft.

• Monitor your services. Services offered in the cloud are continually evolving, especially as providers adopt new development paradigms such as Agile and DevOps. You need to continually monitor the changes occurring in the services you leverage, and make sure you understand the technical, procedural and legal implications of new features.

The only effective way to make sure your business remains protected and your data stays safe and secure is to build a robust architecture as a building block in your enterprise architecture capability. This will allow businesses to assess all of the contractual aspects of the cloud service that need to be discussed with potential providers prior to handing over the company credit card.

Building a Hybrid Cloud Architecture

Security is a process and needs to be a constituent part of everything your business does. You'll need to start engineering security requirements from the outset of any new transformation project, making sure you establish a thorough test plan that will assure the security of your information in production. Just because you're creating a new cloud-based business offering doesn't mean you can cut corners and simply trust that the service provider will handle all of your security issues. If the worst happens and your information gets stolen, you're still accountable in terms of regulators, your customers and the media.

This is a mistake many cloud customers have made over the past few years: instead of going into discussions with service providers with mandatory requirements and a skeptical mindset, subscribers are blindly adopting services without reading the terms and conditions. The only consistent and dependable way to address this is to adopt a robust approach to security architecture within your enterprise and ensure security requirements management (elicitation and testing) is at the heart of every single cloud project.

Security controls must be developed that work for the entire organisation, even in the hybrid cloud environment. These should be derived from your enterprise security policy, as well as any governance, risk and compliance regulations that your industry imposes. Security controls govern how you meet the enterprise security requirements and dictate how application developers create compliant software that doesn't put your data at risk. If you don't adhere to this enterprise security architecture approach, you'll run the risk of taking security for granted, while the reality is your data is less secure than it ever was.

