Technological innovation and development have altered how we work over the last decade, with services such as cloud computing and policies like Bring Your Own Device (BYOD) being implemented in many workplaces. However, without adequate security protocols in place, this can put potentially sensitive data at risk. In the second part of a two-part series we take a look at some of the best ways to ensure data security.
Data Security – due diligence
Though there are a multitude of reasons to choose a cloud computing solution for your business, there are also many potential security risks of which it is essential to be aware. Location of data, data encryption standards, projected lifecycle of the service, and complex supply chain relationships are all issues that should be considered before taking the plunge. Without due consideration, there is a high risk of being blindsided by shortcomings of the cloud service, for example in how the service as a whole holds up from a confidentiality, integrity, availability and accountability (CIAA) perspective.
Even among organisations that have implemented cloud solutions, many are not appropriately equipped to assess and address security risks when they present themselves. There are a number of reasons for this, chief among which is a lack of experience with cloud solutions on the part of the organisation. As cloud computing is a relatively new technology, some firms have been slow to migrate and are therefore unaware of the potential risks that it holds.
Sniper Scope Fatigue
Although one of the main factors behind organisations failing to address data security risk is a lack of awareness of the emergent standards and frameworks for cloud assurance, there are other factors putting data at risk. One such factor is so-called “sniper scope fatigue” – the situation in which companies place too much focus on specific, hyped security concerns rather than taking a more holistic view of risk assessment and cloud service assurance. This can be seen in the caution displayed by many businesses when it comes to the public cloud: organisations are typically more diligent in assessing the risk of these services and tend to take a more conservative approach to their use.
Organisations need to do more to validate all cloud services and recognise that the lifecycle and service delivery model is significantly different from that of traditional on-premises legacy services. The general assumption that private or hybrid cloud solutions are secure, or “more” secure than public cloud, can often be seriously misplaced, as is the default assumption that legacy on-premises services are “more” secure than public or private cloud services.
Choosing a third-party security service specialist
Bearing in mind the various risks outlined above, it’s essential to maintain a cast-iron security solution. However, information technology systems have developed to the point at which it is no longer possible for a small in-house IT team to tackle every data security issue that may arise. The rapid pace of development means that it has become difficult to source, retain or develop the full set of information security skills, resources and services that are required. This is why outsourcing to a specialist third-party security service provider like Ward Solutions is a sensible move. Many mature organisations have recognised this fact and have moved to what is known as a “security programme approach.” Under this approach the organisation retains a small set of core skills and resources that are important or critical to it (e.g. governance and risk management) and takes a structured approach to outsourcing the less critical or more highly specialised services, such as security operations, managed security services, and security audit and testing. This arrangement is built on a committed partnership between customer and supplier, because of the skills required and the deep levels of trust and understanding of an organisation’s business needed to gain maximum value and protection.
Best practices for robust data security
As well as partnering with a third-party security service provider like Ward Solutions, there are a few simple steps that you can take to ensure that your data is as secure as possible.
First and foremost, the risk assessment of the cloud must be performed holistically, and must consider the information assets that it contains or processes, the lifecycle of the service, and its criticality to the organisation. It’s important to understand the differences, from the organisation’s standpoint, between a cloud service delivery model and a traditional on-premises solution.
Secondly, adopt appropriate frameworks, standards and best practices for your information security and risk management, and ensure that your organisation has the appropriate skills and resources to manage cloud and cloud security. If you don’t, consider a security programme or partners to help you manage them.
Thirdly, ensure that your proposed cloud is, and will remain, compliant with organisational, audit, legal, regulatory and industry obligations in all jurisdictions in which you operate. Consider a cost-benefit analysis of those risks and of the proposed mitigations to address them, and ensure that all business and technical stakeholders are informed of, and have bought into, the risks and proposed mitigation plans.
In short, deploy, migrate, control, manage, verify, trust and verify again.
For industry-leading information security consultancy services, contact Ward Solutions today.