Information is widely viewed as a company’s most important asset. And today, more than ever, cyber-threats are a looming presence that can disrupt business operations and compromise sensitive data.
The all-in-one security approach that served the industry well in the past is inadequate in today’s world that is no longer defined by a corporate perimeter. With cloud adoption accelerating, security is top of mind for those organizations looking to the cloud to innovate and improve business processes and productivity while at the same time reducing IT costs. Workforces are increasingly distributed and virtual requiring collaboration across business units as well as externally with partners, contractors and customers. The rise in adoption of cloud computing converged with mobile computing present many more potential points of entry for would-be attackers. The way in which we work is changing and approaches to information management need to adapt along with modern security models that don’t hinder worker efficiency and effectiveness.
Security can be a complex topic, often sparking apprehension towards cloud services primarily due to a lack of education. This can lead to missed opportunities and can impact future business performance. I discussed the topic with one of Canada’s foremost experts on information security, Tim McCreight. As former Chief Information Security Officer at the Government of Alberta, and currently a Managing Consultant with Seccuris, McCreight has experienced virtually every objection and concern surrounding cloud computing. McCreight shares a pragmatic approach for chief information security officers and security professionals alike to follow when assessing cloud services for your organization.
Clendenin: Why do you think cloud computing discussions often get supercharged with emotion?
McCreight: “I know there is always going to be an emotional response to cloud computing. We need to change the way we’re thinking. We have to get past that fear to making a business discussion. Have you done your due diligence to try to understand what information you are worried about? Have you actually assessed your level of data protection and data classification inside your organization? Pick the things that can work for your organization and maybe that’s a better discussion to have regarding cloud or internet services as opposed to that wall automatically going up.”
Clendenin: What approach do you recommend when looking at cloud computing from the lens of a chief information security officer?
McCreight: “I try to look at how much information you have and how you protect and store it. And, do you have a clue how you classify your data? If you are holding onto virtually every piece of information and protecting it on-premise, then you are probably spending your security dollars protecting everything to the same level. It doesn’t make business sense to be spending tens of millions of dollars protecting everything in your house the same way. What I would suggest is how can I collaborate with my clients and my customers and provide the data that they need from me, from an organization perspective, and can I give them a better platform to access that data. The discussions you need to have as IT security professionals is to reach back into the organization and start asking what’s the stuff we’re giving to our clients right now. And what information can we provide in a cloud-based service where clients or customers can gain access to that same data on their own time. I think those are the questions we need to start answering.”
Clendenin: What advantages does cloud give IT leaders from an architecture strategy perspective?
McCreight: “It gives you a better idea as to how you want to architect your systems. You get to clean up some of that legacy stuff that has been there for 10 years. This is when you start to see the additional business benefits of moving to services like cloud. You can retire some older systems, use newer technologies, and have the cloud provider do all the updates, maintenance, management, patching, etc. And, it’s not on you to do the work.”
Clendenin: There are two sides to information management – providing access and revoking access. What are your thoughts on the areas of information management and data loss prevention?
McCreight: “It is something that I have seen over the years … we do a great job of providing access, but we do a lousy job of killing it after someone leaves the organization. To have service providers demonstrate that level of commitment to an access control regime that most people need for their organization – that’s great, that’s the selling feature that many companies are looking for. Can you provide me a better level of assurance than I currently have? I think that’s a critical question to really focus on and get that level of assurance – some of the non-technical benefits of moving to a cloud service provider.”
Clendenin: What are the key questions a security professional needs to ask internally?
McCreight: “Try to understand the types of controls you need to have surrounding your data. As a company, do you know your intellectual property? Do you know your digital assets? Do you know the value of your data? How critical is your information? How sensitive is your information? Do you have a handle on who is getting access to your data inside your company today? Those are the questions you should be asking whether you are looking at a cloud service or not. When you are being asked to do more with less, security professionals need to look objectively at different types of technology and understand what the limitations are, and if the technology can help you as the security guy for your organization.”
It’s Time to Rethink Your Security Strategy:
While some organizations have a security strategy in place, new corporate information risks not previously identified will surface as people require the need to collaborate externally with partners, contractors and customers. Concurrently, organizations are now designing mobile strategies to improve productivity that require secure collaboration internally as well – from field workers to corporate employees choosing to be more efficient at work using a mobile device. A pragmatic guiding principle is to understand that ‘not all cloud service providers are equal’ and conduct a thorough security evaluation. Spend time researching which service providers are well known among the analyst community for having the advanced security practices. This will allow you to stand in front of the CEO and board of directors with 100% confidence that you have a well-crafted strategy. The advantage of cloud computing is that a best of breed strategy approach can be taken to ensure your organization is properly secured – wherever corporate information may flow.
A few final thoughts for creating a sound security strategy: 1) In most circumstances, it is best to approach cloud security from a risk-management perspective. If your organization has risk-management specialists, involve them in cloud security planning; 2) Regularly have external IT security consultants assess your company’s IT security policy, IT network, and practices of all your cloud service providers.
Take a holistic view and conduct the appropriate due diligence into new security frameworks. Challenge your own thinking and consider taking a people-centric approach to your security strategy. There are many opportunities and use cases today where cloud and mobile computing can increase the time to business value which, in turn, can enable forward-thinking companies to innovate faster and have a competitive edge.
Tim McCreight will be speaking at the Interzone conference March 11th-13th in Banff, Alberta.