With only a credit card and the promise of business benefit (and without IT involvement), today's organizations are moving to the cloud at a rapid pace. Tied to this trend is the use of personal mobile devices (smartphones, tablets and laptops) and a remote workforce. It is a powerful combination that can provide tremendous benefit to the organization, but it also creates an environment where misunderstood risk can seriously impact the business.
Today's information security teams are being pushed to understand business operations and the true business impact of cyber events in order to help make informed risk decisions. This often also means guiding the business to understand the potential threats from a cyber perspective. From the end user's point of view, cloud and mobility are nothing new: they use cloud services (iCloud, OneDrive, Office 365, etc.) at home and on their smartphones with no issue and no perceived risk, so why would it be any different at work? Saying "no" without offering an alternative is a sure way to get the business to go around security, on the current project and on future ones.
I want to look at the cloud and mobility landscape from two information security perspectives, in a two-part blog: 1) how to secure business operations, and 2) how security can use the cloud as an operational tool.
This first part covers how to secure the business when it does not see the potential risks involved, and at times does not want to involve IT or information security because it assumes IT will only slow the process down. The first reality that needs to be established is that the business IS already using the cloud and personal mobile devices, and IT is not going to be able to stop it. Instead of fighting a losing battle, a change of tactics is required: engage both the business AND IT so that both better understand, and can guide, the use of appropriate cloud and mobility services.
Understanding the value (classification) of the business data being moved or accessed is key to creating a proactive engagement model, along with establishing a standard for cloud and mobility services on which that engagement model can be built. IT needs an agile assessment process that lets low-value assets through quickly, so the business gets the value it wants, while assessment effort is concentrated on the high-risk projects; handled this way, the process also builds the business's confidence in IT. Using a collaboration service between the organization and a vendor to diagnose failures, and putting the company's strategic growth plan on cloud storage, represent very different levels of risk. When the business knows what is expected of it and IT has standards to build solutions against, managing data and access security becomes a known and repeatable process focused on the correct priorities, not a roadblock.
Engaging your risk management team (if there is one) to align with the organization's business risk matrix helps build credibility and makes it easier to communicate with the business, but be prepared to be surprised at how the business evaluates some risks once it is given the right information. Personally, having a committee representing HR, legal, ERM, physical security and cyber security is an excellent way to get on the same page and to help effectively discuss and guide the organization.
From the IT side, establishing standards for cloud services such as IaaS and PaaS (Infrastructure and Platform as a Service) lets IT deploy new systems quickly, resulting in operational savings. Yet no matter how cloud and mobility services are deployed, it remains the organization's responsibility to monitor and manage data and access at the appropriate level. Low risk or low data value does not mean free rein for the business. When you know which services are sanctioned and actually in use, it becomes much easier to identify rogue ones.
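To make the last point concrete, here is an added example (my own illustration, not code from the original post or from any product) of the kind of check that becomes possible once the sanctioned-service inventory exists. It walks constructed web-proxy log lines, counts usage of sanctioned services, and flags uploads to any host that is not in the inventory. The log format, the sanctioned domain list and the minimum-bytes threshold are all assumptions chosen for the example; the domain-suffix matching deliberately requires a dot boundary so that a look-alike such as notsharepoint.com is not treated as sanctioned.

```python
"""Inventory sanctioned cloud-service usage and flag uploads to unsanctioned hosts.

Added illustration only. The proxy log format (timestamp user src_ip method url
status bytes_out), the SANCTIONED inventory and MIN_UPLOAD_BYTES are assumptions.
"""
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Assumed inventory: domain suffix -> sanctioned service name.
SANCTIONED = {
    "sharepoint.com": "Office 365",
    "microsoft.com": "Microsoft Graph",
}

# HTTP methods treated as "data leaving the organization".
UPLOAD_METHODS = {"POST", "PUT"}
MIN_UPLOAD_BYTES = 1024  # ignore tiny form posts; threshold is an assumption

# Constructed sample proxy log lines (not real traffic); .example domains are reserved.
LOG_LINES = """\
2016-03-01T09:12:01Z alice 10.1.2.3 PUT https://contoso-my.sharepoint.com/personal/alice/plan.xlsx 200 524288
2016-03-01T09:15:44Z bob 10.1.2.7 POST https://upload.box-share.example/files/strategic-growth-plan.pptx 200 8388608
2016-03-01T09:16:02Z bob 10.1.2.7 GET https://www.example.org/news 200 0
2016-03-01T09:20:13Z carol 10.1.2.9 POST https://api.paste-site.example/api/post 200 2048
2016-03-01T09:21:00Z alice 10.1.2.3 POST https://graph.microsoft.com/v1.0/me/drive 200 4096
2016-03-01T09:22:30Z dave 10.1.2.11 POST https://www.notsharepoint.com/upload 200 65536
2016-03-01T09:23:05Z erin 10.1.2.12 PUT https://files.box-share.example/doc.pdf 403 1048576
"""


def parse_line(line):
    """Split one log line into a dict; raises ValueError on a malformed line."""
    ts, user, src_ip, method, url, status, bytes_out = line.split()
    return {
        "ts": ts,
        "user": user,
        "src_ip": src_ip,
        "method": method.upper(),
        "host": (urlsplit(url).hostname or "").lower(),
        "status": int(status),
        "bytes_out": int(bytes_out),
    }


def sanctioned_service(host):
    """Return the sanctioned service name for host, or None.

    Matches only on a dot boundary: 'a.sharepoint.com' is sanctioned,
    'notsharepoint.com' is not.
    """
    for suffix, name in SANCTIONED.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None


def inventory_usage(lines):
    """Count successful requests per sanctioned service (what is actually in use)."""
    usage = Counter()
    for raw in lines:
        if not raw.strip():
            continue
        ev = parse_line(raw)
        name = sanctioned_service(ev["host"])
        if name and ev["status"] < 400:
            usage[name] += 1
    return dict(usage)


def find_rogue_uploads(lines, min_bytes=MIN_UPLOAD_BYTES):
    """Total bytes uploaded per (user, host) for hosts outside the inventory.

    Failed requests (status >= 400) and plain GETs are ignored; only
    (user, host) pairs at or above min_bytes are reported.
    """
    totals = defaultdict(int)
    for raw in lines:
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["method"] not in UPLOAD_METHODS or ev["status"] >= 400:
            continue
        if sanctioned_service(ev["host"]):
            continue
        totals[(ev["user"], ev["host"])] += ev["bytes_out"]
    return {k: v for k, v in totals.items() if v >= min_bytes}


if __name__ == "__main__":
    lines = LOG_LINES.splitlines()
    print("sanctioned usage:", inventory_usage(lines))
    for (user, host), nbytes in sorted(find_rogue_uploads(lines).items()):
        print(f"ROGUE upload: {user} -> {host} ({nbytes} bytes)")
```

Run against real proxy or CASB exports, the same two functions give you both halves of the picture: which sanctioned services the business actually uses, and who is pushing data somewhere that was never assessed. The threshold and the upload-only filter are there to keep the list short enough to act on; raise or lower them to taste.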
In the next part I will talk about how security operations can leverage the cloud to extend its coverage into the mobility space.