The second issue of moveIT provides experts’ insights on the benefits and threats related to the cloud, success stories of delivered cloud-based projects and interviews with industry gurus. Goyello is an international IT strategy consulting and software development company. We deliver what we promise: innovative, top quality solutions, on time and within budget. Goyello - Quality Software Solutions - Delivered With Care - https://goyello.com/.
SECURITY GURU

CLOUD SECURITY STRATEGY, A COLLECTIVE RESPONSIBILITY

Monica de Wit is a management consultant specializing in cyber security and business continuity at Verdonck, Klooster and Associates (VKA), a Dutch IT/business consulting firm. In this article, she shares her views on the collective responsibility for the security of applications and data in the cloud.

MONICA DE WIT – management consultant

Verdonck, Klooster & Associates is a strategic and independent Dutch IT consulting firm with a preference for complex assignments. People come first and technology follows. VKA delivers successful projects and makes sure that IT lives up to its promise: making life and work easier with solutions that are smarter, more efficient and faster.

In recent years, the use of cloud services has become a viable option for IT management to help them streamline their departments, cut costs and benefit from the professionalism of their suppliers. Still, choosing the cloud doesn't mean that you automatically land on cloud nine: it still requires a serious effort to control and secure your data. If you doubt this, please have a look at the Cloud Controls Matrix of the Cloud Security Alliance: 137 items that require your serious attention [ http://bit.ly/2qRIFhP ].

Digital back door left wide open

A long list, but every point has its relevance. This is because cyber security has developed from a purely IT issue into a general concern that applies to all parts of the organization. The availability, integrity and confidentiality of data can be seriously compromised when your digital back door is left wide open. In my experience, the concept of the 'digital back door' is used in a very limited and, often, purely technical way, which means that risks in other business disciplines are easily overlooked.

Two areas require special attention

Cloud and cloud supplier management requires an effective mix of technical, organizational, legal and purchasing competences. Security and privacy requirements should be specific, and organizations should be able to monitor the performance of suppliers from the start. The reality is often different: organizational development lags behind. Within one or two years the applications are running in the cloud, but it takes the organization three to five years to develop the new skills and adjust its processes. That gap is a risk in itself.

Another issue is that purchasing cloud services is easy, maybe too easy. You don't need an IT department; one click with your mouse and a credit card suffice. Upload your data and the job is done. In organizations that have a decentralized management philosophy (integral management, self-managing teams, etc.) AND where the IT department has the reputation of 'a bunch of nerds who keep the network running and do not respond to business needs', the temptation to act autonomously can be high, and the risk increases dramatically as a result. IT should be seen as the trusted advisor for purchasing cloud services, even when the service requires no IT maintenance.
MANAGEMENT ADVICE

Any IT manager considering cloud services should realize that the services are outsourced, but the organization, as the data controller, remains solely responsible for data security and privacy. This means that:

1. You have to ensure that the security measures of your cloud suppliers, the data processors, meet your own standards. It's great that your supplier has an ISAE or ISO certification, but have you checked its scope? An ISO 27001 certificate names the services and locations it covers, and an ISAE 3402 report covers a defined set of controls over a defined period; the service you actually use may fall outside either. Does your organization have enough manpower and skills to manage your cloud suppliers properly, or is the right to audit only a hollow phrase in the contract? By the way, who supplies your cloud supplier? Have you agreed on a Data Processing Agreement that defines responsibilities according to the current Data Protection Act?

2. Authorization management is still as important as it was before, but you now need to organize your suppliers' support for it. Can they give you the right management information, including access and logging information about their own staff?

3. You should be able to survive the breakdown of your cloud supplier. Like any organization, a cloud supplier can be hit by disaster or go bankrupt. It is important to agree on an effective exit strategy and to test whether it works in practice. Your business continuity plan should prepare for this situation and thus minimize operational and reputational damage.

4. The legislation that applies to the supplier should not conflict with the legislation that applies to you. Are there risks involved with the location of the data, the rights of governmental agencies and the like?

5. The involvement of the rest of the organization is critical when developing a cloud strategy. Make your colleagues aware of the benefits, but also of the security and privacy risks. Unmonitored cloud services pose a serious threat to the security of your data.