Cloud in the Enterprise – Entrusting your Crown Jewels for Safekeeping

Privacy. This is more than ensuring the confidentiality of corporate information (a big enough concern in its own right). This is about the legal and business risk ramifications of entrusting Personally Identifiable Information (PII) to a third-party supplier.

This is like putting your money in a bank, rather than buying and protecting your own vault. It is about trust.

Many, if not most, enterprises have strict privacy policies, with procedures in place to ensure that PII is dealt with securely.

The concerns with shifting this information to the cloud include:

  • Increased exposure to attacks aimed at the vendor (rather than at the enterprise itself), since the vendor hosts multiple organisations
  • Losing access to your PII should another tenant on the shared platform become the subject of an investigation
  • The loss of transparency over who actually hosts, processes or transmits your data

It’s in the Architecture

As with any IT system, it is important to consider security when architecting the solution. You DO NOT want security as an afterthought. Cloud is no different, at least from the technology point of view. As CTOs we need to ensure that PII is secured technically, no matter which platform we choose to deliver the information.

Risk Management

My last post, on perimeter security, discussed how cloud security is less like fortifying a castle and more like driving a submarine in enemy waters. Cloud computing differs from traditional IT in how the risks to the business are controlled: that control is now delegated to a commercial agreement, i.e. a contract with the suppliers.

Cloud differs from the putting-your-money-in-the-bank example in two areas:

  • The legal safeguards that exist in most countries
  • The standards that banks are required to (and do) meet

Currently there are a number of laws about handling PII, and these vary from country to country. By and large, in Australia you can store PII in any country that has equivalent or greater legal protections for that information.

These laws cover collecting, transmitting, storing, retaining and sharing PII. We need to make sure our cloud provider understands, and explicitly adheres to, these laws in handling this data. Technically, this translates into the tools and processes the provider uses to enforce the protection of that data.

Transparency in the Supply Chain

But it is not just your cloud provider. From a risk management perspective there is one more issue we must consider: cloud providers have dependent providers of their own.

For example, the provider of your accounting software will have contracts with a network provider and an IaaS/PaaS provider. Potentially they have a separate agreement with an authentication systems company, and further agreements with a company that provides their management and monitoring tools. The IaaS/PaaS provider, in turn, could have down-level agreements with the datacentres that host its systems and supply its hardware, and may even contract with a storage provider elsewhere.

A valid request is to ask for complete transparency over the supply chain of who is looking after your data.

What you don’t want is for someone to have access to one of your cloud vendor’s providers’ systems, especially if you have no knowledge of who these providers are and whether they comply with the privacy laws. It is a tricky spider web to get caught in.

In Short

Technically, there is no reason why storing PII or other sensitive information in the cloud cannot be as secure as, or even more secure than, storing it in your own datacentre, especially when you consider that the vast majority of security breaches are perpetrated by employees of the company.

However, you do need to consider the geographical jurisdiction and the security standards adhered to by your cloud provider. Most importantly, you must demand full transparency over your cloud provider’s supply agreements, and see the safeguards they have in place to protect your sensitive data.

Have you experienced a situation where cloud provider vendor agreements endangered your data? Feel free to let me know in the comments section below.

Labels: security
Comments
Nadhan | ‎10-11-2012 04:51 PM

Roger, like the post and the way you have summarized your thoughts In Short. It resonates very well with my thoughts in this post, where I assert that it's you -- not the Cloud -- that makes solutions more secure.

About the Author
  • Roger has been trying to get out of Information Technology since programming COBOL on mainframes in the late '80s. But no matter on which continent he awoke, or who employed him, his passion to enable people with technology was constant. So now he enables businesses to determine their strategy using the latest technologies like cloud computing, mobility, and big data. HP calls these Strategic Enterprise Services; Roger calls them "another day in the office."