Both public and private sector organisations will inevitably turn to the Cloud in order to achieve operational efficiencies, remain agile in their marketplace and demonstrate Greener IT.
However, as the awareness, business benefits and deployment models of Cloud Computing gain momentum, the need to maintain data security, privacy and compliance becomes paramount. Ensuring that all data is secure, segregated where needed, and that access to it is clearly controlled requires careful planning and consideration when adopting Cloud. Some sectors, such as Government, will adopt a Community model for data classification and handling reasons, whereas Financial Services and Pharmaceuticals may well turn to a Private Cloud. Others may be able to benefit from the true multi-tenant environment of a Public Cloud deployment, where resources and computing power may well be considerably cheaper. For most organisations, though, a Hybrid model will provide the best blend of technological cost savings (Opex instead of Capex) versus business risk. Protecting your business against all applicable legislative and compliance requirements will determine whether a Cloud approach is viable for you.
The onus on the Cloud provider is to ensure that their infrastructure is secure and that customers' data and applications are protected, while you, the customer, must ensure that the provider has taken the necessary security measures to protect your information. Trust, service maturity, auditing and availability need to be woven into the fabric of any Cloud model, with adherence to robust information security policies maintained at all times.
NCC Group plc Manchester Technology Centre, Oxford Road, Manchester, M1 7EF phone: +44 (0)161 209 5288 email: advisorysales@nccgroup.com web: www.nccgroup.com
Key questions
Is my data secure?
All Cloud providers will need to demonstrate to prospective customers that their infrastructure, platforms and application services are built securely and tested rigorously for vulnerabilities. The very nature of Cloud means that virtual servers may reside on multiple physical servers, any of which may be located in countries where, from a legislative perspective, your data is not allowed to reside. If encryption is used to provide confidentiality, the deployment of that technology (especially in Government) has to be commensurate with the business impact of the data. Key management in Cloud may not work as expected, as it could be argued that it will not scale, but a federated key management approach, backed by an enterprise-wide Escrow service, could see your existing investment leveraged.

Is the environment secure?
If your business is processing payments through MasterCard and Visa within a Cloud environment, then it is imperative that the physical and logical compartments are secure in order to remain compliant with PCI-DSS. Adequate access controls need to be deployed, and remote management of the Cloud by the provider has to be through agreed and assured channels, demonstrating separation of duty. IT Service Continuity has to be addressed to ensure that your business is not left incapacitated during an outage. Those mature Cloud providers that have developed their services with IT governance, using industry-standard security frameworks, have a key differentiator over their competition.

What happens to my data if there's a breach?
The legal aspects of hosting data within a Cloud need to be understood: where is it stored and who has access to it? This may be complicated in a Cloud where data retention and disposal policies may not be the same as your own. Another layer of complexity is that Cloud inherently means that your data may be on the move, which adds complexity to a forensic investigation and is where litigation support may be advantageous. Ensure that you're covered through contracts and Service Level Agreements, and that your data is backed up and available for an e-Discovery or forensic investigation if required.

Have the applications been tested?
Cloud providers need to demonstrate that their SaaS has been load and stress tested to achieve SLAs and has the elasticity to handle peak demands. Platforms and applications should be routinely security penetration tested, with remediation plans socialised with the customer. Applications need to be robust (functional and unit testing) for integrity, usability and availability, but savvy IT procurement managers will ensure that their Cloud provider can demonstrate secure application development and source-code analysis through industry-recognised testing practices.
For more information on NCC Group Secure Test please contact: phone: +44 (0)161 209 5111 email: securetest@nccgroup.com
NCC Group Secure Test, Manchester Technology Centre, Oxford Road, Manchester, M1 7EF