When you are deciding whether or not to go to the cloud, this question will hover over you like the Sword of Damocles. Like most things, the devil is in the detail and you decide how secure your solution will be. How your data is classified, the specifics of your security perimeters and the policies you enforce all feed into the design of your cloud security solution.
Understanding and classifying your own data should be the first step in understanding your cloud security requirements. The complexity here lies in your unstructured data, i.e. your mails, shared drives and documents. Identifying the owner, content and potential legislative restrictions on your data is best practice before you move it to the cloud. National and international law cannot keep up with the speed of digital advancement, and this may result in some of your data being unfit for upload to a cloud solution. Luckily, due to Ireland’s “Goldilocks Climate” (not too hot and not too cold), which results in low heating/cooling costs, most cloud providers have data centres here. This has been shown to mitigate the effect of some of the jurisdictional laws.
Once you have classified your data and reached agreement on what data can be stored in the cloud, you will then need to design a solution with a separate security framework for each classification type, using the strictest controls for the most sensitive data. The trade-off between security and IT flexibility will factor into any decision. Security should always be a core part of your Enterprise Architecture discussion. With cloud systems, standard security perimeter solutions are no longer enough; the entire technology stack must be secured. Each component or layer of your architecture should by default not trust other components, thus ensuring that they are all secure in their own right. Secure by design is about focusing on security from day 1 and creating negative use cases which focus on your system's potential vulnerabilities. It is important to break it down into the technical security components (encryption, identity management etc.) and the creation and enforcement of security policies.
Remember, security is not just an IT issue; it is an enterprise business risk and should be treated as such. A dedicated focus on setting up appropriate security policies is a key component of any solution. There are several security standards which can be used as the backbone for your security policies, from ISO 27001 to COBIT 5. These are globally recognised information security standards containing detailed policies and controls, providing you with a holistic view of your cloud security.
Adherence to these standards, in conjunction with a multi-layered security model and correct classification of your company’s data, will give all stakeholders confidence in the security of your cloud solution.
At Sogeti we work closely with our clients to deliver business-specific solutions that provide real business value. Our Cloud approach is no different. We understand that no two organisations will have the same requirements when it comes to approaching the Cloud, which is why we have designed the OneDeliver approach to assist our clients at any and every stage of their Cloud journey.