
Building trust in the cloud

Article Type: Strategy | Published: 01-2014



Wherever your business is in its 'cloud journey', you need to create a cloud services environment that is Secure, Trusted and Audit-Ready (STAR), argues Ken Allan, Global Information Security Leader, Ernst & Young

Not that long ago, cloud computing was little more than a speck on the horizon. We heard reports of it rapidly becoming a mainstream technology, but it had yet to make a meaningful impact on our technology landscape. According to EY's Global Information Security Survey, in 2010, 30% of respondents indicated that their organisation used or was planning to use cloud computing-based services. In 2011, the percentage had risen to 44%.

By 2012, cloud computing had reached a technological tipping point: almost 60% of survey respondents said their organisation was using or planned to use cloud computing services. And yet, 38% of respondents said that they had not taken any measures to mitigate the risks of using cloud computing services. This disruptive technology was advancing faster than many could secure it.

A more recent Forrester Research report suggests that for 73% of surveyed businesses in Europe and North America, security remains a major concern when considering cloud computing.

One of the first principles of improving information security is to take control of your environment. It would therefore feel counterintuitive for an organisation to surrender control of its IT infrastructure and data to a third party. And yet this approach may offer the best opportunity to address increasingly complex security and privacy challenges. Rather than becoming an organisation's worst security nightmare, cloud computing platforms may offer its best hope to create a more secure IT environment by strengthening controls and improving information and security capabilities.

No longer considered an emerging technology, cloud computing services have entered the mainstream. Today, a significant majority of organisations have either adopted or are planning to adopt some form of cloud computing technology. Whether CIOs know it or not, their data and corporate boundaries have entered the cloud. Business units, departments and business partners are engaging directly with cloud services providers without first consulting IT: a phenomenon we call "cloud creep." The lines of our once clear corporate network boundaries are now blurry.

However, despite its ubiquity, many IT executives remain hesitant to endorse a "cloud first" approach. Even worse, there are some who refuse to adopt any cloud-based service at all.

Some fear that communicating data over a public network will increase its vulnerability to cyber attacks. Others worry that cloud service providers offering the same infrastructure to multiple clients in multiple locations will not be able to maintain segregated confidentiality. Still others express concern that transmitting their data across international boundaries will expose them to diverse legal and regulatory requirements in jurisdictions with which they're unfamiliar.

Unfortunately, these fears and IT's perceived need to retain physical controls over its environment can increase an organisation's risk rather than mitigating it. Within many organisations, when business units that want to use cloud computing hear "no" from IT, they simply go off and procure the service themselves. This not only extends the organisation's IT environment without the right protections in place, but it also takes cloud computing into the shadows where IT can neither anticipate nor address the resulting risks.

IT must shift its focus from saying "no" to saying "yes" in a way that adds value to the business and protects it from mounting cyber-security risks. Developing a cloud framework that creates a secure, trusted and audit-ready (STAR) environment may be just what IT executives need to say "yes" with confidence.

Whether IT professionals like it or not, cloud computing services have become an integral part of day-to-day business activities. Between 2010 and 2012, cloud adoption rates nearly doubled. Those who have embraced cloud-based services have generated internal efficiencies, attracted new customers, discovered new avenues to market their products, increased internal collaboration and gained an overall advantage over their competitors.

It takes little more than 15 minutes and a credit card to purchase and set up a cloud solution, making it an easy workaround for business executives that too often hear "no" from their IT functions. In large organisations, the proliferation of this phenomenon without IT oversight creates growing security, privacy and financial risks to the organisation.

Even those organisations that have adopted cloud services are exposed. Often, there is a gap between the controls typically implemented in the cloud and the controls necessary to create a secure, trusted and audit-ready cloud environment.

IT executives who have not worked with the business to embrace the cloud have seen a marked increase in shadow IT within their organisation and a corresponding decrease in their influence within the organisation. In EY's 2013 Global Information Security Survey, only 17% of participants indicate that their information security function fully meets the needs of the business. Changing information security's mind-set to help the business find a path rather than block it is the challenge that organisations face.

Cloud-based services are here to stay. IT functions need to learn to either work with them or suffer the cyber-security and financial consequences that may result from cloud adoption taking place without the input and value of IT.
