Securing the Cloud

The last 12 months have been peppered with high-profile attacks on government departments and big corporations by hacktivists, highlighting the need for enhanced security in an age of network connectivity. 

Such threats might seem remote to many CIOs, but an attack might be coming your way sooner rather than later.

Single-issue activists are increasingly hacktivists, and recent targets have included governments, drug companies, retailers, banks, the oil industry and car-makers.  

Recent developments have increased security worries for many CIOs:

 - Cloud computing, despite its many benefits, is producing what many see as a further loss of control over where their data is stored and how it is processed
 - The increasing power, connectivity and storage capacity of mobile devices are enabling hackers to access an organisation's business systems and help themselves to vast amounts of data
 - The growth in networked systems has increased the number of points vulnerable to attack
 - The increasing sophistication of phishing attacks, with unwary users redirected to ever more credible spoof sites that steal their credentials

The  leaking of confidential data can have a serious impact on reputation and confidence. But security breaches can also wreck business-critical applications.

Both your business applications and your data can be at risk and both must be protected.

Many security experts remain opposed to cloud computing, or at least want a man with a red flag walking in front for safety's sake.

That is not having much impact on the growth of cloud, the many benefits of which I have outlined more than once in this column.

My view is that cloud computing is a logical continuation of the long-term trend to ever-increasing reliance on third parties, for better costs, responsiveness or innovation, as exemplified by traditional IT outsourcing and later by offshoring and business process outsourcing.

And cloud opposers often forget a vital point: security is not the main focus of business.

Businesses exist to make money, which doesn't mean they don't care about security but many businesses want just enough security to meet their customers' expectations and compliance obligations.

So if opposition to cloud is not the answer, what is?

Security professionals and CIOs must educate themselves and their stakeholders in cloud computing concepts, security risks and best practices, and in what cloud can deliver securely.

Here are three things to do in a cloud environment that are different from a traditional on-premises approach:

1 Focus on commercial as much as technical control.
Seek and enforce the right contractual relationships depending on the criticality of the data held. The ISO 27001 certification for information security management, or the EU Model Data Processing Agreements can often be usefully deployed.

Related:

2 Exploit the resilience offered by cloud.
Ensure that alternatives are available so that business processing can be moved away from the point of risk or the location under threat.

3 Define liability.
Reflect also that many of your systems vulnerable to cyber attacks involve cross-functional accountabilities. To ensure end-to-end security you may need to question how clear these accountabilities really are.

Some IT consultancies offer specialist expertise on cloud security, but you need to ensure they have practical experience and haven't simply read the book. 

Other useful sources include the Jericho Forum and the Cloud Security Alliance.

Smartphones and other mobile devices are also changing the security landscape.

With more traditional loopholes being closed, cyber-attacks are increasingly exploiting these newer technologies where the security risks and possible counter-measures are less well understood.

With the growth in legitimate communication outside the organisation, such as social media and of employees using their own devices at work, CIOs need to be aware of the new risks:

 - Employees may be tempted mix business with personal data
 - Processes need to be put in place to reclaim data once an employee leaves.
 - Consider maintaining an audit trail of access to business data.
 - Decide where to draw the line between monitoring business and personal activity on devices owned by employees

As with cloud, many CIOs will find external help indispensable to get their basic understanding off the ground.

Another factor changing the security picture is the emergence of the ecosystem. There is a trend for groups of vendors working in harmony, to meet the client's business and IT needs.

The number of companies in a client's ecosystem can be quite large nowadays: in one of our governmental clients it numbers over 500 firms.

Increasingly, CIOs are delegating security for systems and data to a services-integrator so that they can ensure the appropriate levels of security among all ecosystem members, with consistent contractual arrangements.

The key thing for the CIO is to ensure that accountability for security is clearly defined and, if delegated, only delegated to those qualified to accept accountability.

Christine Hodgson is Chairman of Capgemini UK

Pic: bling_rocks cc2.0