By 2015,
there will be more than 15 billion interconnected devices on the planet,
twice the world population. In that period, the total amount of global Internet
traffic will quadruple. (Cisco Visual Networking Index (VNI) Forecast (2010-2015), June 2011)
It is
estimated that every year in the UK, identity fraud costs more than £2.7
billion and affects over 1.8 million people (National Fraud Authority, October 2010).
Every year,
we share more of ourselves online...
Life is complicated enough...
This digital
world has brought new means for businesses to reach out to customers, and our
lives are undeniably multi-channel: phone, web, chat, SMS, email, social media,
PDAs, smart phones, voice technology applications, proactive outreach, surveys,
etc... In the current economic climate, technology has also enabled organisations
to think of whole new ways of organising themselves whilst trying to strike a
fine balance between cost and value. The perceived key benefits for
organisations considering such moves are:
- reduction of capital costs;
- increased agility by divesting infrastructure and application management to concentrate on core competencies;
- opportunity to re-architect older applications and infrastructure to meet or exceed modern security requirements.
Evidently,
this has increased the popularity of cloud computing and all manner of
outsourced or managed services models. This in turn has led to an increased
distribution of our information assets to third parties. Ultimately, we place
our information, and our faith, in the security measures taken by those managing
it on our behalf...
Losing control gracefully...
The key
deciding factors for outsourcing services or migrating to the cloud are not
new. They should mostly centre on data custody, control, security, privacy,
jurisdiction, and portability of data and code. Essentially, organisations
will have to perform the balancing act of losing control gracefully whilst
maintaining accountability when the operational responsibility for handling and
securing their information assets lies with one or more third parties. As
regulators increase their focus on data privacy (see my previous
post on EU data protection laws), organisations will be forced to increase
their discipline when entering into contractual agreements.
Tip of the day:
When considering a move of information assets outside of your own environment, transparency
and disclosure are key, so make sure that you ask the third party:
- to disclose their security controls;
- to disclose how these controls are implemented in your specific case;
- to demonstrate their compliance with any standard/framework relevant to your business;
- to agree to liability clauses in your contract. (If they don't, you should consider moving at the earliest opportunity and may have to consider insurance or other types of provision in the meantime.)
It is crucial that businesses understand which
controls are needed to maintain the security of their information assets, and it
is therefore equally crucial that suppliers are assessed against the business's own
regulatory and compliance framework, not just against the supplier's generic attestations.
For more security considerations for cloud computing, see my next post.
As an
example, lists of hundreds of PCI DSS compliant service providers can be found
on the following publicly available sites (and it's not just about payment
pages, you'll also find compliant web hosts, shopping carts, etc.): Visa Europe, Visa Inc., MasterCard. I would
also like to recommend the excellent research work by the Cloud Security
Alliance, notably the Security Guidance for Critical Areas of Focus in Cloud Computing. A good place to start, methinks...
At the end
of the day, it's all about risk management: if one of your third party providers
gets breached, it's your brand that will be in the news, not theirs...
Until next time...