As a former CIO, I believe the most important aspect of an IT organization’s job is to protect its IT infrastructure and the data that resides within it through advanced security. While it is obviously important to implement new technologies and applications, if the environment is not safe then nothing else matters.
Part of this responsibility is disaster and business continuity planning, which protects data and ensures ongoing business activity in the event of a disruption. The primary focus, however, is making sure the environment is protected against external threats and ensuring there isn’t any unplanned exposure of data within the environment.
Over the course of my career, security priorities have changed from technical solutions, like virus management and network security, to a more comprehensive review of all aspects of security required by regulations such as HIPAA and Sarbanes-Oxley.
This was easier in many ways when you controlled all aspects of your IT infrastructure. Now, however, cloud computing (or in other words turning over a significant part of your IT infrastructure to a third party) is becoming a key part of overall IT service delivery for many companies. In past blogs I have documented the benefits of cloud-based service delivery and I believe it should be a key part of any organization’s overall IT strategy.
However, it is critical that you address security considerations as you migrate to a cloud-based delivery model.
So how do you accomplish this? The good news is that the major cloud providers are as concerned about security as you are, or even more so. Their entire business model is dependent on having a secure computing environment and they devote a significant amount of staff time and financial commitment to this area.
Their focus on security is often more comprehensive, and they have access to greater technical capability, than their clients, so from that perspective moving data to the cloud may actually be putting it in a more secure environment than you could manage yourself.
However, there are still things that are critical as you migrate to the cloud in order to minimize security risk and mitigate any issues that may occur.
These include the following:
- Due diligence on the provider’s environment, including reviewing their certifications
- Contractual terms in the hosting agreement
- Protecting the transit of data to and from the service provider
- Ongoing security reporting and audits
- Regular meetings to review any areas of concern as well as planning for upcoming activities
If you take the proper steps to select a cloud provider, ensure the agreement has terms to protect you, ensure the connection to the service provider is secure and actively monitor the provider’s activity, there is no reason to worry about migrating data to the cloud. In my next blog I’ll go over each of the areas above in more detail.