10 Tips for CIOs - Data Security in the Cloud


Here are 10 tips for any CIO that wants to understand Data Security in the Cloud including due diligence, determining risk vs value, and encryption.


NO. 1: NEW PARADIGM, NEW SKILLS

IT organizations are typically made up of specialists such as server technicians and network engineers. The more cloud services you introduce into your organization, the less the skills of these specialists may be required. Consider job functions with broader responsibilities and expertise that bring together IT and business management talents – integrated services manager, director of cloud services or ITIL management supervisor, for example. These professions will be increasingly necessary to direct collaborative interactions with cloud services providers (CSPs) that produce better cloud and business alignment, management and security implementations.

NO. 2: OVERDOING DUE DILIGENCE

A business decision as important as outsourcing to the cloud demands thorough due diligence. Indecisiveness is another matter. Employees and business managers want cloud services. If IT doesn’t make them available in a timely fashion, users will provision services themselves without giving much thought to security. In fact, a corporate ‘no cloud’ policy may only encourage them to purchase the less secure, non-enterprise versions of applications and services on their credit cards.

NO. 3: RISK VERSUS VALUE

Extracting maximum value from cloud services is an exercise in risk management. Are the economic gains that a cloud solution promises greater than the risks it entails? Balancing business risk/value is new territory for many IT shops. An enormous variable in achieving balance is the CSP itself; do its capabilities, integrity (business and infrastructure) and performance history add to or diminish risk? It is imperative to find a CSP that is able to meet or augment your organization’s governance practices and all that they entail, from standards, policies and procedures to infrastructure design, monitoring and access controls.

NO. 4: YOURS, MINE OR OURS

When establishing responsibilities for cloud security, assume nothing. Be clear as to your data security requirements, policies and practices. And be clear as to what data requires the highest levels of security. This is important not simply to ensure you get the right level of protection. The more security, the more costly the services are likely to be. Pay only for what you truly need for specific data sets, and demand that your CSP is able and willing to satisfy your particular requirements. Reach definitive agreement on who is responsible for what, and how these responsibilities will be met over the long term.

NO. 5: SECURITY BEGINS AT HOME, PART I

BYOD. Employees want their mobility and mobile access, leaving you to provide them with secure access to data and applications on any device, anywhere and at any time. Isolate corporate data, such as that stored in the cloud, from personal data on mobile devices. Consider cloud-delivered desktops that segment the access device from corporate applications and data. Simply install the connecting app on the home device; from there, everything runs on the centralized, well-managed infrastructure. Protect the data, not the device.

NO. 6: SECURITY BEGINS AT HOME, PART II

Certain corporate and business data is accessible only to certain employees. In many ways, they hold the keys to the kingdom, having access to your most critical and valuable data assets such as databases, financial information or intellectual property. Keep their skills and your policies for handling data securely up to par. Implement stronger access control procedures. Scrutinize their on-the-job activities more closely than those of the average employee.

NO. 7: LOVE YOUR DATA? ENCRYPT IT.

The best cloud encryption solution is the one aligned with your enterprise’s business and security objectives. This includes understanding all internal and external data governance policies (including data privacy and residency) and compliance mandates, such as PCI, HIPAA, GLBA, Safe Harbor, etc. However, data encryption alone does not guarantee data confidentiality. That happens when an authorized team controls the encryption process and the encryption keys. When security is a regulatory requirement, or intellectual property needs protecting, enterprises should deploy and manage encryption themselves. But a trusted cloud provider can be on the team as well; new products are coming to market that allow secure split-key responsibility.

NO. 8: HIDE-AND-GO-SEEK

Know where your CSPs’ data centers are located and where they store your data. If they move your data, you need to know that. Many CSPs spread data among different data centers, which may include those in other countries. This raises jurisdictional and compliance issues. It also can make it more difficult to retrieve your data when you want it. If you have heavily regulated data such as healthcare records or financial information, be sure the provider has the experience and the necessary third-party audit reports to satisfy all compliance requirements, and have them prove it.

NO. 9: RISK MANAGEMENT ADVANTAGES

Certain aspects of cloud homogeneity, centralization and virtualization can simplify event and log management, allowing potential security or resiliency problems to be spotted sooner and addressed more quickly than they could in a traditional IT environment. Once identified and fixed, automation tools allow the CSP to apply the solution throughout the infrastructure. Furthermore, CSPs can focus attention and investments in security on a small number of highly scaled environments. Ask the CSP about dashboards that let you monitor and track your data, and that give you better insight into how well its infrastructure is performing on your behalf.

NO. 10: DON’T GO IT ALONE

By 2015, more data and applications will be in the cloud than not. As the Borg said in Star Trek, “resistance is futile.” However, instead of being assimilated, assimilate the cloud into your business via a well-planned, well-executed strategy that clearly spells out your complete range of security requirements top to bottom. Don’t stop at finding a CSP that can simply do the job. Seek out a provider that is capable of contributing to your strategy, providing continuing guidance, tailoring the ideal solution and bringing ideas to the table. Cloud computing is critical to the continuing success of your business. Partner with a provider that wants to grow with you and for you.

Get a FREE consultation TODAY: 866.473.2510 | Peak10.com

Contact us about your RFP requirements