Are hybrid cloud environments the way forward? In the hybrid approach, the company uses its own dedicated computing to hold and process company-sensitive information, while a public cloud offering is used to hold, process and publish non-sensitive and public information.
This seems a neat way forward, addressing most of the security concerns that come with public clouds.
A good starting point would be to assemble an asset list of company information. The trick is to be neither too granular nor too broad.
Too granular and you will not see the wood for the trees because you will have possibly thousands of identifiable assets. Too broad and you will not get much value out of the exercise.
For example, “all employee data” is too broad, whereas identifying each employee’s payroll data as an asset is way too granular.
A reasonable way to treat this would be to have one asset identified as containing all “employee static data” and this would be classified as personal-sensitive because it would contain a mixture of publicly available information and information identified by the Information Commissioner's Office (ICO) as sensitive (ethnicity, gender, bank details and so forth).
Another asset could be “company employee data” and classified as company-sensitive. Brochures and advertising material could be another asset and would be classified as public. Company finance information could be broken into three separate assets, with one being public, one being company-internal, and the third being company-sensitive.
Once you have assembled an asset list of all company information, you can then make informed decisions about how each asset should be stored and processed. Public information can be stored and processed in the cloud, whereas employee personal-sensitive data and company-sensitive finance data should be stored and processed in-house.
Some information that is sensitive, but not accessed or not used very often, could be stored in the cloud in encrypted form to protect its confidentiality, then downloaded from the cloud, decrypted and processed in-house when needed.
Some cloud suppliers offer the option of a completely private cloud created within their public cloud offering. These offerings can mirror a company’s complete IT infrastructure with dedicated access control (LDAP, Microsoft Active Directory, for example), firewalls, VPNs, application servers, etc.
However, the buying company must check that any service level agreements (SLAs) and terms and conditions provide adequate protection, including system backups and overall service availability, and that they comply with the ICO’s guidelines for the protection of data and with other regulatory requirements. These SLAs and Ts&Cs must also meet the company's own requirements for the protection of its data.
One final thought on buying a service from a cloud supplier: irrespective of whether you are buying a basic service such as email or a private cloud, you need to ensure that the service being offered is secure. Having an ISO 27001 certificate is not, in my opinion, sufficient. You do need to see and understand the associated statement of applicability and ensure that your information security requirements are built effectively into any contract.
If in doubt, involve an IT (and information) security professional from the earliest stages of planning. Good security is cheaper when built in than when added as an afterthought.
Peter Wenham is a committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management.