What the CIO should know about security in the cloud

Recent history shows us that the world doesn’t end when we introduce change. The people who should feel threatened by the introduction of cloud-based services are those who refuse to adapt and change their mindset.

A colleague and I were discussing yesterday some of the opportunities now available: it is now feasible to open a business and provision all the IT services you need without purchasing a single piece of hardware. From your laptop you can set up your CRM database, develop and host your website on Salesforce.com, produce all your documentation through Google Apps, and create server storage space on Amazon's EC2. If you're concerned about spam and URL filtering, have that managed using something like Webroot's Email and Web SaaS. The possibilities are endless: mobile versions of SFDC give even more flexibility to roving sales people. Are the days of the IT department numbered? You join a company, they mail you your laptop, your security token and your authentication credentials, and wham, you're part of the organisation. Need to correspond with colleagues? You do it through your organisation's private Facebook Group. Meeting time? There are plenty of video conferencing solutions out there: I found CloudMeeting. Might be worth a try.

There are SaaS payroll services, and hosted systems such as GlobalExpense for employees to submit their expenses.

The entrepreneurial CIO is already looking at ways to take advantage of all this. The opportunity to achieve the truly flexible, agile, cheap, manageable IT infrastructure has arrived. Is it all secure? I've yet to talk to a CIO who has even considered that question or wants to sully his/her board presentation with anything so mundane.

Like anything else, it's all in the implementation. Choose the right vendors, ask them the right questions, give your employees the right information, and there's no reason why working in the cloud can't be an order of magnitude more secure than the way we currently work. Here's my short checklist of things for the CIO to consider.

1. You can outsource services to the cloud, but you can't outsource the responsibility for security. If there's a data breach, it doesn't matter that your service provider might have been negligent; the liability is yours. You must do the proper up-front due diligence.

2. The management processes around assigning and closing user accounts are critical. If you're struggling to get this right now, it's not going to get any easier when your services are all externalised.

3. Fast, reliable, high-bandwidth connectivity is not ubiquitous. If you rely on your sales teams always being able to connect to their cloud-based service, consider that even in the UK you can't always get a decent broadband connection or GPRS signal. Elsewhere the situation may be even more desperate.

4. You can't depend on an SLA guaranteeing uptime as the foundation of your business continuity plan. Assume that one day the cloud will burst and it might be a while before your service comes back online.

5. I've tried to avoid talking about compliance here because, quite frankly, it all becomes very complex when things move into data centres hosted goodness only knows where. There's also the question of what happens to the memory space your business used when the virtual server space you purchased is no longer required and is absorbed back into the cloud. Is your data really gone? How will you know? What if you're subsequently subpoenaed for information that was virtually stored in the cloud on server space that you no longer own?

6. My completely biased opinion is that your information security officer is one of the most important people on your team. Make him/her an ally and use their knowledge of compliance, their skills in risk assessment, and the natural tendency most of us security folk have to ask difficult questions and spell out potential pitfalls.