As more of the business world considers transitioning from on-premise to Platform as a Service (PaaS) and Software as a Service (SaaS) solutions, important security issues are coming to light. Unsurprisingly, the technology is advancing faster than these questions are being answered. That leaves CIOs, IT departments, and Security Specialists facing a conundrum.
Earlier this month, at the fourteenth annual Philadelphia Premier CIO Forum, leading CIO’s and senior IT executives in conjunction with the Executive Advisory Council, met to gain insights and practical solutions to business challenges.
Our SVP of Digital Supply Chain Solutions, Ron Fijalkowski, joined a panel discussion with Chris Shull, CIO Engagement Partner with Tatum, and Syd Weinstein, COO & CTO of PeopleMetrics—hosted by George Sullivan CIO at Delaware County Community College.
The panel discussion aimed to help alleviate some of the confusion and concern regarding cloud based security. Our CIO provided guidance in resolving the issues cloud solutions raise, based on industry best practices and his experience with SDI clients.
Extending Services Without Extending Liabilities
Any time an organization extends service offerings into the cloud, there are associated risks. The organization may have little or no control over data once it goes beyond their physical walls. Understanding this reality is key to addressing issues before they become problems. Some questions that organizations need to consider are:
- Will moving data and services to offsite backups increase the potential for unauthorized access or security breaches?
- Are email addresses considered personal information and, if so, will a breach of email addresses require a service provider response?
- Do services such as payroll and mail increase security exposure when moved offsite?
These questions, and many more, are simply part of the due diligence that any organization must perform before making the decision to move to the cloud.
Standards of Evaluation
Since cloud services are not typically IT security services, they don’t specifically encompass the IT requirements that an on-premise infrastructure adheres to. This isn’t a limitation of PaaS or SaaS, it’s simply not what they were designed to do. Cloud services are focused on the services themselves (mail, content management, CRM, etc.), while IT security is about securing those services.
This fact makes it difficult to attempt to apply IT security standards directly to the cloud services being considered. It becomes critical to evaluate and understand the security of the infrastructure supporting the services. Standards like OSI 27001 may not apply directly to a cloud based service, but they will likely apply to the technology underlying that service.
Measuring Compliance
Deciding whether a particular cloud service provider meets an organization’s security needs can often involve internally creating a customized questionnaire. This process can be time consuming and may risk exposing internal information.
One compromise to this issue is to apply the appropriate industry business standard, such as SOC or GAMP control, to the service provided. This will provide a broad benchmark in terms of security compliance. From there, the organization can drill down any security requirements specific to their wants and needs.
Making the Move
The explosion of cloud-based services has created a lot of confusion and concern for IT security specialists. Where they once managed every aspect of an organization’s IT infrastructure, they are now faced with handing many services over to offsite providers. To help ease this transition, it is important to understand the underlying issue and address any concerns before making the transition.
