- Security TWENTY
- Women in Security
Cloud computing is rendering many businesses’ data compliance policies obsolete. So argues Ron Miller, Principal Consultant at SunGard Availability Services (UK) Limited.
It might have been a buzzword within the IT industry for some years now but more recently we’ve seen the mainstream appetite for, and adoption of, cloud computing rise significantly. Whether it’s public, private or hybrid services, the promise of greater flexibility, scalability and cost-effective pricing models has been too enticing for many businesses to ignore.
The flipside, however, is that as a result of the cloud, we’re also seeing a number of companies coming under scrutiny for their data protection and compliance policies. It’s the CIOs [chief information officers] that are leading the charge here, as they become increasingly concerned over the security of their mission critical data. There is the perception that many ‘cloud’ vendors (and that’s including those companies that have simply re-branded an existing solution to jump on the bandwagon) are failing to provide a comprehensive view on where data is being stored and the information security management framework that’s in place.
Information, both data and intellectual property, is a greater source of competitive advantage for businesses now than it ever has been. In many sectors, this is driven by consumer expectations, where there is an assumption that systems will be able to perform at optimum levels 24-7. The rise of the ‘I want it now’ culture and increased customer promiscuity (when it comes to where they take their custom), is forcing companies to ensure that every aspect of their organisation and those of key partners perform with near perfect levels of availability.
In support of this, we’ve seen a definite shift over the last 25 years, where businesses across the board have progressed from IT-centric (and reactive) disaster recovery, through the processes of business continuity management and high availability (which encouraged a mind-shift towards proactive and interactive processes) to today’s age of the ‘always-on’ society where continual information availability is not simply an option, but a requirement. The word, ‘recovery’ is thus being rapidly stripped from the corporate IT vocabulary because a company’s key people and critical information must remain connected and available at all times.
Part of the challenge that remains lies in the disconnect that exists between current technology practices and outdated regulations. The public sector has addressed these problems through the introduction of the G-Cloud tender system, but a number of other heavily regulated sectors such as finance or healthcare, have found it more difficult to take advantage of the latest technology trends. Although cloud technology has played an increasingly important role in these sectors the path towards its deployment has not been an easy one: organisations have found themselves forced to jump through numerous hoops to satisfy stringent (and often outmoded and inappropriate) regulatory regimes.
Regulation is sometimes perceived as a bureaucratic burden, that is a barrier to doing business and making profit; but where that regulation is right, it can be viewed in a much more positive light as it can provide much needed signposts en-route to the goals of transparency of information security, service and availability that organisations need to achieve as they continue their journey towards cloud and/or hybrid managed ICT. To this end, as organisations become increasingly reliant on IT for core aspects of their business, it is encouraging to see new approaches towards compliance and industry standards both emerging and continuing to evolve. It is imperative that policies that support, rather than restrict, steps towards enterprise availability become both mainstream and are regarded as an essential business practice. A recent study we commissioned examining the Available Enterprise, showed that 75 per cent of CIOs considered information availability to be of great importance; however their peers at board level need to value such insights and view availability in a similar fashion. Without this, the likelihood of creating an organisation that keeps people, process and information connected at all times is compromised.
The answer to this requirement has to be about businesses engaging with third party cloud and managed services providers that they can trust. By ‘trust’ I really mean entrust; it is therefore vital that any such provider has an in-depth understanding of their client’s mission critical business processes, as well as their overall IT operation and future technology strategy. While the newer breed of cloud providers has focused on selling the benefits of the cloud, of which there are clearly many, organisations are right to be asking the potentially awkward questions of those providers, about the security and availability of their data and the infrastructure supporting it before they entrust the “family silver” to such a third party.
Demonstrating a legitimate reputation for having security, resilience and availability baked into solutions is vital to imbuing CIOs with the confidence to ensure that their strategies for optimising technology spend while ensuring their organisations can take advantage of the competitive advantages that information gives them are carried out systematically and effectively. But, there is a cautionary note for CIOs to heed as well: ultimate responsibility for security lies with the owner of the data, so whilst you may legitimately outsource to take advantage of the world of ‘as a Service’ for greater agility, efficiency and flexibility, NEVER relinquish your control or accountability. Strangely enough, this is where regulation can help firms both have their data cake and eat it!
About the writer
Ron Miller, Principal Consultant at SunGard Availability Services (UK) Limited, has been involved in IT standards as they relate to cloud security in his capacity of representing Intellect, the trade association, to help define ISO 27036 – as a member of SC27. Previously in a similar arrangement, Ron helped to define the business continuity management standard BS 25999, now ISO 22301, as well as chairing the committee that wrote the British Standard for IT disaster recovery BS 25777 and editing its successor ISO 27031.