Why security has to utilize the cloud and mobility

With only a credit card and the promise of business benefit (without IT involvement), today’s organizations are moving towards the cloud at a rapid pace; tied to this trend is the use of personal mobility devices (smartphones, tablets and laptops) and a remote workforce. It is a powerful combination that can provide tremendous benefit to the organization but can also create an environment where misunderstood risk can seriously impact the business.

Today’s information security teams are being pushed to understand business operations and true cyber business impacts to help make informed risk decisions. This often also means guiding the business to understand the potential threats from a cyber perspective. When it comes to the cloud and mobility, end users already use cloud services (iCloud, OneDrive, Office365, etc.) at home and on their smartphones, with no issue or perceived risk. So why would it be different at work? Saying “no” without an alternative is a sure way to get the business to go around security for current and future projects.

I want to look at the cloud and mobility landscape from two information security perspectives in a two-part blog: 1) how to secure the business operations, and 2) how to utilize it as an operational tool.

The first part is how to secure the business when it does not see the potential risks involved and at times does not want to involve IT or information security, since it assumes that IT only slows down the process. The first reality that needs to be established is that the business IS using the cloud and personal mobile devices, and IT is not going to be able to stop it from happening. So instead of trying to fight a losing battle, a change of tactics is required to engage both business AND IT to better understand and guide the utilization of appropriate cloud and mobility services.

Understanding the business value (classification) of the data being moved and/or accessed is key to creating a proactive engagement model, along with establishing a standard for cloud and mobility upon which to build that engagement model. IT must incorporate an agile assessment process for low-value assets, so the business gets the desired value while IT focuses on the high-business-risk projects, all while gaining confidence from the business. Using collaboration services between the organization and a vendor to diagnose failures and putting the company’s strategic growth plan on cloud storage represent different levels of risk. When the business knows what is expected of it and IT has standards to develop solutions, managing data and access security becomes a known and repeatable process focused on the correct priorities, not a roadblock.

Engaging your risk management team (if there is one) to align to the organization’s business risk matrix helps build credibility and makes it easier to communicate with the business, but be prepared to be surprised by how the business evaluates some risks once given the right information. Personally, having a committee representing HR, legal, ERM, physical and cyber security is an excellent way to get on the same page and help effectively discuss and guide the organization.

From the IT side, establishing standards for cloud services like IaaS and PaaS (Infrastructure and Platform as a Service) can quickly allow IT to deploy new systems, resulting in operational savings. Yet no matter how the cloud and mobility services are deployed, it is the responsibility of the organization to monitor and manage data and access at the appropriate level. Low risk/data value does not mean free rein for the business. When you know what services are being used, it becomes easier to identify rogue services.

In the next part I will talk about how security operations can leverage the cloud to extend its coverage into the mobility space.

 

Bjorn Gudehus
Bjorn Gudehus has 15+ years of experience, ranging from engineering roots to managing security governance and regulatory compliance to business development, providing unique insight as a consumer, supplier and consultant of security solutions and services. He believes that “proactive defense against emerging threats aligned to business risk” helps ensure operational resilience and protect critical data.
