Johannesburg, 17 Nov 2014
As with most security decisions, when thinking about the risks involved with moving to the cloud, businesses should consider what business benefits they are hoping to achieve, versus the risks the organisation is willing to accept.
"Security is always a balance of risk versus reward," says Richard Vester, director of Cloud Services at EOH. "No security solution is a silver bullet. Anyone who tells you they can offer an absolute level of security, regardless of how it may be delivered, is talking nonsense."
The risks need to be considered in the context of the business, he explains. "Firstly, examine the data and applications you wish to migrate to the cloud, and classify them in terms of how crucial they are to the business, how sensitive the information is, and what regulations and governance rules affect that data. Once this stage is complete, a cloud service can be selected that can support the level of security, compliance, and of course availability that is required."
Vester advises that before signing a cloud services contract with the provider, read the fine print, and make sure you understand the terms and conditions, and decide whether these are acceptable to you. If the contract satisfies your organisation's own standards, that is fine, but don't accept anything less than you would accept from your own technical department. "Selecting a provider that has independent certification of its security measures is advisable too."
Ultimately, he says, there are no really good reasons why sensitive data shouldn't be stored in the cloud ? the risks, like any other risks to the business need to be managed. "Most businesses will already have a risk management strategy in place, and it is simply a matter of tweaking these strategies to cover any cloud-related matters."
An organisation's obligations with regard to compliance and privacy don't suddenly change because the data has migrated to the cloud. The strategies used to manage compliance and privacy can be applied to cloud-based platforms too, with only small adjustments needed, he explains.
"These adjustments are also fairly straightforward. Take an information-led, risk-based approach and decide what data will be stored in the cloud, and what the potential consequences would be, should a data breach occur, and that data be lost, stolen or destroyed. Once you know this, the necessary legal and regulatory obligations can be considered, particularly where personal information or sensitive financial information is concerned."
Most importantly, he says, decide what type of cloud to use. A combination of a specific cloud service deployed on a specific type of cloud can be scrutinised from a risk and control perspective, and choose a suitable combination of cloud service and type, one that has the lowest risk and most control can be adopted.
Share