Flying confidently through the clouds

MacWillson: Chart a course to protect data in the cloud

Growth for many cloud services will accelerate as the services mature. Progress has got caught up on fears about IT security. Data theft and compromise, loss of service and phishing incursions are all very real threats.

Channel partners must address business customer concerns. Customers must be sure that cloud providers will handle customer data with care. Where exactly is the data being stored?

Customers may also question whether cloud providers have the levels of infrastructure security to ward off cyber-attacks. Are the providers able to manage, measure and report on industry regulations, and can they be accountable if they fail to comply?

Finally, who will be held responsible for the service level guarantees and business continuity?

Accenture’s empirical IT security work over many years with a wide range of organisations suggests that certain fundamentals apply in cloud computing initiatives.

IT leaders must weigh up applications and data and decide what is appropriate for the cloud. They must gauge what risks they are willing to take. For example, whether to move new product data or customer data to the cloud, in context of the benefits of doing so and the regulations that apply to the data’s new location.

You must carry out detailed due diligence on cloud provider performance, including their financials. Cloud computing providers vary in market position and approach; different vendors have different levels of IT security and data management.

Confirm that they meet key standards, guidelines, and codes of practice such as ISO 27001.

Chart the lifecycle of the relevant data assets, from development to destruction. IT managers must know where data is at all times so they know if it is being stored and shared in compliance with local laws and industry regulations at appropriate levels of IT security.

Using proven IT security principles, IT leaders must define the key security elements, knowing where encryption is needed, for example, and understanding which transport layers are important.

The regulatory complexities are enormous when doing business in multiple nations: some governments regulate the physical locations of the servers where organisations keep their data.

IT leaders cannot expect their cloud providers to be compliant for them. But they must expect them to provide what is needed to help achieve compliance.

What happens if something breaks while in the cloud? How is the data owner notified, and how quickly? How is the data recovered? These are the basics of best practice in business continuity, and they apply just as much to cloud computing as to any IT outsourcing arrangement.

Again, of course, they must align with regulatory mandates.

Educate employees on IT security policies and procedures and be very clear about how those policies and procedures relate to the cloud. For example, employees must stick to corporate IT security policies when exploring cloud services for any work-related activities, such as testing a new IT service or storing data in the cloud.

At this point, what is needed in the channel is a rebuilding of trust as well as a renewed sense of perspective. As with any other technology development, cloud computing initiatives come with their own set of risks and rewards.

But the cloud must not be treated as a threat. Implemented and managed properly, it should not add risk. It should do the opposite.

The fundamental question is one of balance: weighing, as accurately and in as much detail as possible, the risks of a data security breach against the power of the cloud to directly address many pressing business issues.

Alastair MacWillson is managing director for the global security practice at Accenture