Mitigating Business Risk When Using Cloud Technology

Keep your data safe in the cloud

Cloud technology allows businesses of all types and sizes to run essential applications and programs—and store information—through the internet. It allows easy access to information for all who need to see it, it offers flexibility in location (critical in this time of remote work becoming more popular) and frees up time that goes towards infrastructure management. It’s a fantastic tool, but as with almost anything that happens online, there are security concerns that come with using the cloud.

There are steps that can be taken to mitigate that risk and take advantage of all that cloud technology has to offer, safely. The key is to:

Define a Strategy

Define an enterprise wide strategy for cloud adoption in order to fully consider the options available to you and enter into some real SWOT analysis.

• Why do you want to adopt Cloud Computing?
• What are the business drivers and expected benefits?
• What are the risks?

Many others have already done this so a review previous examples might be helpful. Google is your friend…

Assess your risk

We recommend building a business case for Cloud Computing based on risk.

• What data and systems should be based on cloud computing platforms and why?
• Assess the data and systems criticality for risk, what are the compelling reasons for placing this system and data in the Cloud?
• What compelling reasons are there to NOT place these in the Cloud?
• Assume breach… what will the consequences be of a data or systems breach?

 

Assess your systems

Are they in a fit state to migrate to a Cloud platform? how much integration is required?

Is a better decision to build new?

• How will legacy systems integrate?
• Is application uplift required? How will code or technology changes affect applications and connectivity.
• What are the impacts to supporting infrastructure/ middleware/ and code bases
• How does Cloud computing change functionality, management and support frameworks?
• Classify the data and systems which are potential Cloud computing candidates

Assess the Options

Cloud computing comes in all shapes and sizes, how do the options fit with the defined strategy? What are the business drivers? Many vendors provide a variety of options for licensing, consumption, processing, services and data storage.

• Be clear about your strategy and make choices based on the best match
• How mature is the vendor in provision of the services they offer?
• Are the services supported locally?
• Is the vendor a GDCO panel provider of Cloud Services?
• Does the vendor hold current NZISM Certification for the services offered?
• Has the vendor been independently security tested recently? Are the reports available for review by prospective clients?

Onshore or Offshore?

Cloud services hosted offshore can introduce more risks than the local ones, including jurisdictional, sovereignty and privacy issues. While foreign-based cloud providers in New Zealand are still subject to our legislation and regulation, they may be subject to the laws of another nation too. Where Office Productivity tools are involved, Cabinet agreed that agencies can use offshore-hosted office productivity services, provided they comply with new guidance on security requirements for using these services. The DIA and GCSB have jointly developed this guidance, which describes how the New Zealand Information Security Manual (NZISM) should be applied in the context of these offshore-hosted services. This guidance is now available:

• Security requirements for OH Office Productivity – January 2017(pdf, 472KB)
• Security requirements for OH Office Productivity – January 2017(docx, 193KB)

 

Other guidance is also available here:

https://snapshot.ict.govt.nz/guidance-and-resources/using-cloud-services/design-for-and-implement-security-controls-for-cloud-services/

 

NZISM

The New Zealand Information Security Manual, advises that agencies do not use offshore cloud providers unless their privacy, information sensitivity and information value has been fully assessed by the agency, including a comprehensive risk assessment. The provider should be able to adequately assure the agency that any specified or suggested controls have been implemented.

A review based on the NZISM mandatory and discretionary requirements may help in decision making, see the online version available here: https://www.nzism.gcsb.govt.nz/ism-document/

For government agencies there is a lot of online advice, see the information here:

 

At CANDA we are specialists in Cloud security, we are actively providing security support for a number of agency programs adopting Azure and Amazon Web Services as their Cloud Computing partners.  We have also provided security certification for the Office 365 and Dynamics 365 suite of productivity tools.

CANDA are the experts in keeping businesses safe online, and in managing NZISM certification and accreditation. If you’d like to know more about keeping your systems and data safe, get in contact and ask about our Cloud Security consultancy services.

 

Originally posted on Canda.co.nz