Several high-profile cases of hacking and technical difficulties have cast a shadow over the security and reliability of cloud computing solutions. Assessing the current state of your security needs and data security, and comparing this with your cloud partner’s offer, is the recommended way forward for customers.
Essentially, cloud is a disruptive technology and service model that is changing the role of the IT department as we move to “utility computing”. And just in the same way you may trust your bank with your money, despite recent upheavals in the sector, you are gradually trusting providers with your data. But how comfortable are you about putting your confidential information in someone else’s hands?
One of the most cited barriers to the adoption of cloud computing, in the MENA region and globally, is security, specifically the fear of an organisation’s data residing outside the company. Whilst this fear is understandable, it is largely misplaced: the reality is that major cloud providers often offer higher levels of security than the customer organisation can provide internally, backed up by a contractual commitment to secure data.
Security threats evolve by the day, sometimes by the hour or minute, and this makes it increasingly hard for corporate customers to fight this battle on their own. Quite often enterprises are at a disadvantage when fighting hackers, as we have recently seen in a few high-profile cases.
In February 2011, the International Information Systems Security Certification Consortium published its Global Information Security Workforce Study. It found that 92% of the 10,000 security professionals surveyed wanted to have a detailed understanding of cloud computing before choosing to implement it.
Industry bodies are already working on developing security best practices for cloud computing. Version 2.1 of the Cloud Security Alliance’s guidance on governance and enterprise risk management in the cloud recommends that part of the cost savings from cloud-based contracts be reinvested in the continued scrutiny of a cloud provider’s security.
One of the first actions that enterprises need to take is to understand the nature of their organisation’s data. According to ISACA (Information Systems Audit and Control Association), if the traditional rule of thumb for confidentiality in data classification is applied, 85% of data will be low security (and therefore potentially deployed outside the corporate firewall), 10% will be internal (and therefore will require a higher level of security), and only 5% will be ‘secret’ and therefore potentially unsuitable for any open (discretionary) security regime. The trick lies in understanding which data is which.
To help them do this, companies need to update their sourcing policies so that security experts are part of every project team and perform a risk analysis to assess the security needed for each category of data before engaging a service provider. In the telecom world, data segregation via classes of service, based on the priority needed, is now commonplace, but such fine-tuned data policies based on security and priority are still relatively new in the cloud. Yet not all clouds are alike, and companies should select a provider that will match their security and privacy needs. Low-cost clouds are often appealing, but they lack built-in security and policy control.
Orange Business Services has put in place a complete set of consulting offers around security and cloud, helping our customers assess their current situation and risks in order for them to take the appropriate migration path. Our solution portfolio spans public, virtual private and private clouds, as well as unified communication and collaboration solutions.
Rudolf Sarah is regional cloud director, MEA, Orange Business Services.