Here are 10 tips for any CIO that wants to understand Data Security in the Cloud including due diligence, determining risk vs value, and encryption.
10 TIPS FOR CIOS
DATA SECURITY IN THE CLOUD

NO.1 NEW PARADIGM, NEW SKILLS

IT organizations are typically made up of specialists such as server technicians and network engineers. The more cloud services you introduce into your organization, the less the skills of these specialists may be required. Consider job functions with broader responsibilities and expertise that bring together IT and business management talents – integrated services manager, director of cloud services or ITIL management supervisor, for example. These professions will be increasingly necessary to direct collaborative interactions with cloud services providers (CSPs) that produce better cloud and business alignment, management and security implementations.
NO.2 OVERDOING DUE DILIGENCE

A business decision as important as outsourcing to the cloud demands thorough due diligence. Indecisiveness, however, is another matter. Employees and business managers want cloud services. If IT doesn’t make them available in a timely fashion, users will provision services themselves without giving much thought to security. In fact, a corporate ‘no cloud’ policy may only encourage them to purchase the less secure, non-enterprise versions of applications and services on their credit cards.
NO.3 RISK VERSUS VALUE

Extracting maximum value from cloud services is an exercise in risk management. Are the economic gains that a cloud solution promises greater than the risks it entails? Balancing business risk against value is new territory for many IT shops. An enormous variable in achieving that balance is the CSP itself: do its capabilities, integrity (business and infrastructure) and performance history add to or diminish risk? It is imperative to find a CSP that is able to meet or augment your organization’s governance practices and all that they entail, from standards, policies and procedures to infrastructure design, monitoring and access controls.
NO.4 YOURS, MINE OR OURS

When establishing responsibilities for cloud security, assume nothing. Be clear as to your data security requirements, policies and practices, and be clear as to what data requires the highest levels of security. This is important not simply to ensure you get the right level of protection: the more security, the more costly the services are likely to be. Pay only for what you truly need for specific data sets, and demand that your CSP is able and willing to satisfy your particular requirements. Reach definitive agreement on who is responsible for what, and how these responsibilities will be met over the long term.
NO.5 SECURITY BEGINS AT HOME, PART I

BYOD. Employees want their mobility and mobile access, leaving you to provide them with secure access to data and applications on any device, anywhere and at any time. Isolate corporate data, such as that stored in the cloud, from personal data on mobile devices. Consider cloud-delivered desktops that segment the access device from corporate applications and data. Simply install the connecting app on the home device; from there, everything runs on the centralized, well-managed infrastructure. Protect the data, not the device.
NO.6 SECURITY BEGINS AT HOME, PART II

Certain corporate and business data is accessible only to certain employees. In many ways, they hold the keys to the kingdom, having access to your most critical and valuable data assets such as databases, financial information or intellectual property. Keep their skills and your policies for handling data securely up to par. Implement stronger access control procedures. Scrutinize their on-the-job activities more closely than those of the average employee.
NO.7 LOVE YOUR DATA? ENCRYPT IT.

The best cloud encryption solution is the one aligned with your enterprise’s business and security objectives. This includes understanding all internal and external data governance policies (including data privacy and residency) and compliance mandates, such as PCI, HIPAA, GLBA, Safe Harbor, etc. However, data encryption alone does not guarantee data confidentiality. That happens when an authorized team controls the encryption process and the encryption keys. When security is a regulatory requirement, or intellectual property needs protecting, enterprises should deploy and manage encryption themselves. But a trusted cloud provider can be on the team as well; new products are coming to market that allow secure split-key responsibility.
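The split-key idea in tip 7, as an added illustration rather than anything from Peak 10 or a specific product: the data-encryption key is split into shares, one held by the enterprise and one by the CSP, and the key exists only when every share is presented. The function names and the XOR-based n-of-n scheme are assumptions chosen to show the custody property; a commercial product may use a different construction.

```python
from __future__ import annotations
import os
from functools import reduce
from hashlib import sha256


def _xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("shares must be the same length as the key")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, custodians: int = 2) -> list[bytes]:
    """Split a data-encryption key into `custodians` shares; all are required.

    The first n-1 shares are fresh random bytes and the last is the key XORed
    with all of them, so any set missing even one share is uniformly random
    and statistically independent of the key.
    """
    if custodians < 2:
        raise ValueError("split-key custody needs at least two parties")
    shares = [os.urandom(len(key)) for _ in range(custodians - 1)]
    shares.append(reduce(_xor, shares, key))
    return shares


def combine_shares(shares: list[bytes]) -> bytes:
    """Rebuild the key; correct only when every custodian's share is present."""
    return reduce(_xor, shares)


def missing_share_for(held: list[bytes], candidate_key: bytes) -> bytes:
    """Return the one missing share that would make `held` reconstruct
    `candidate_key`. Such a share always exists, which is exactly why a
    provider holding n-1 shares cannot rule out any key value."""
    return _xor(reduce(_xor, held), candidate_key)


def key_fingerprint(key: bytes) -> str:
    """Non-secret identifier so both custodians can confirm they rebuilt
    the same key without ever sending the key itself."""
    return sha256(key).hexdigest()[:16]


if __name__ == "__main__":
    dek = os.urandom(32)                       # constructed sample key
    enterprise_share, csp_share = split_key(dek)
    assert combine_shares([enterprise_share, csp_share]) == dek
    print("fingerprint:", key_fingerprint(dek))
```

The enterprise share would live in a corporate HSM or key-management service and the CSP share with the provider; neither side's share on its own discloses the key.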
NO.8 HIDE-AND-GO-SEEK

Know where your CSPs’ data centers are located and where they store your data. If they move your data, you need to know that. Many CSPs spread data among different data centers, which may include those in other countries. This raises jurisdictional and compliance issues. It also can make it more difficult to retrieve your data when you want it. If you have heavily regulated data such as healthcare records or financial information, be sure the provider has the experience and the necessary third-party audit reports to satisfy all compliance requirements, and have them prove it.
NO.9 RISK MANAGEMENT ADVANTAGES

Certain aspects of cloud homogeneity, centralization and virtualization can simplify event and log management, allowing potential security or resiliency problems to be spotted sooner and addressed more quickly than they could be in a traditional IT environment. Once a problem is identified and fixed, automation tools allow the CSP to apply the solution throughout the infrastructure. Furthermore, CSPs can focus attention and investments in security on a small number of highly scaled environments. Ask the CSP about dashboards that let you monitor and track your data, and that give you better insight into how well its infrastructure is performing on your behalf.
NO.10 DON’T GO IT ALONE

By 2015, more data and applications will be in the cloud than not. As the Borg said in Star Trek, “resistance is futile.” However, instead of being assimilated, assimilate the cloud into your business via a well-planned, well-executed strategy that clearly spells out your complete range of security requirements top to bottom. Don’t stop at finding a CSP that can simply do the job. Seek out a provider that is capable of contributing to your strategy, providing continuing guidance, tailoring the ideal solution and bringing ideas to the table. Cloud computing is critical to the continuing success of your business. Partner with a provider that wants to grow with you and for you.
Get a FREE consultation TODAY: 866.473.2510 | Peak10.com
Contact us about your RFP requirements.