Cloud in the Enterprise –Entrusting your Crown Jewels for Safekeeping

Privacy. This is more than ensuring the confidentiality of corporate information (a big enough concern in its own right). This is about the legal and business risk ramifications of entrusting Personally Identifiable Information (PII) to a third-party supplier.

This is like putting your money in a bank, rather than buying and protecting your own vault. It is about trust.


Many, if not most, enterprises have strict privacy policies, with procedures in place to ensure that PII is handled securely.

The concerns with shifting this information to the cloud include:

  • Increased exposure to attacks on the vendor (rather than on the enterprise), because the vendor hosts multiple organisations and is therefore a more attractive target
  • Losing access to your PII should another company on the same shared platform be investigated
  • Loss of transparency over who actually hosts, processes or transmits your data

It’s in the Architecture

As with any IT system, it is important to consider security when architecting the solution. You DO NOT want security as an afterthought. Cloud is no different, at least from the technology view. As CTOs, we need to ensure that PII is secured technically, no matter which platform we choose to deliver the information.

Risk Management

My last posting, on perimeter security, discussed how cloud security is less like fortifying a castle and more like driving a submarine in enemy waters. Cloud computing differs from traditional IT in how risks to the business are controlled: that control is now delegated to a commercial agreement, i.e. a contract with the suppliers.

Cloud differs from the putting-your-money-in-the-bank example in two areas:

  • The legal safeguards in most countries
  • Standards that banks are required to (and do) meet

Currently, there are a number of laws about handling PII, and these vary from country to country. By and large in Australia, you can store PII in any country that has equivalent or greater legal protections for that information.

These laws cover collecting, transmitting, storing, keeping and sharing PII. We need to make sure our cloud provider understands, and explicitly adheres to, these laws in the handling of this data. Technically, this translates into the tools and processes the provider uses to enforce the protection of this data.

Transparency in the Supply Chain

But it is not just your cloud provider. From a risk management perspective, there is one more issue that we must consider: cloud providers have dependent providers of their own.

For example, the provider of your accounting software will have contracts with a network provider and an I/PaaS provider. Potentially they have a separate agreement with an authentication systems company. Then there are additional agreements with a company that provides the management and monitoring tools. The I/PaaS provider, in turn, could have down-level agreements with the datacentres that host their systems and provide their hardware, and may even contract with a storage provider elsewhere.


A valid request is to ask for complete transparency over the supply chain of who is looking after your data.

What you don’t want is for someone to gain access to your data through one of your cloud vendor’s own providers, especially if you have no knowledge of who these providers are or whether they comply with the privacy laws. It is a tricky spider web to get caught in.

In Short

Technically, there is no reason why storing PII or other sensitive information in the cloud cannot be as secure as, or even more secure than, storing it in your own datacentre. Especially when you consider that the vast majority of security breaches are perpetrated by an employee of the company.

However, you do need to consider the geographical jurisdiction and the security standards adhered to by your cloud provider. Most importantly, you must demand full transparency over your cloud providers’ supply agreements, and see the safeguards they have in place to protect your sensitive data.


Have you experienced a situation where cloud provider vendor agreements endangered your data? Feel free to let me know in the comments section below.

Labels: security
Comments
Nadhan | 10-11-2012 04:51 PM

Roger, like the post and the way you have summarized your thoughts In Short. It resonates very well with my thoughts in this post where I assert that it's you -- not the Cloud -- that makes solutions more secure.
