We have seen unprecedented change in business and user working styles. Some businesses have moved exclusively to cloud and datacentre; others have done what looks like the opposite and started bringing the edge of their network back into a physical domain they control, although that control is never complete, because every device still resides with its user.
Overall, though, people are moving towards a more hybrid and flexible way of working, and for most organisations the need to secure multiple environments is increasing, not decreasing.
Part of the problem we have traditionally faced has been the perception of risk, and ensuring that businesses understand they do not transfer responsibility for the data they hold simply by changing or spreading its geography. The volume of third-party data breaches has driven concern higher, and the physical location of data is part of that concern.
Of course, this is by no means the only reason for diffused or multiple-datacentre arrangements, but awareness of it is very important.
When choosing a provider and datacentre, there are some key security considerations and some of these should be included in your service-level agreement (SLA), so having security involved in the specification and procurement is a very good idea.
We were initially sold cloud because it was secure and resilient, and now the same providers want us to buy cloud security and resilience solutions, so reading the small print is vital – and assume nothing.
What can security professionals do? Become more business-focused, understanding the organisation’s ways of working, the needs of the users and how technology can enable and improve business effectiveness and efficiencies within a framework of risk management, not risk avoidance.
Communicate with peers and business leaders in a more professional and business-like manner, so that risks are fully articulated and appropriately and pragmatically mitigated in line with agreed risk appetites, with risk acceptance and ownership sitting within the business, not the security team.
Things to consider:
- Do you know exactly what data will reside where?
- Have you agreed to data being moved as part of cost-control measures?
- If so, will you be informed of any moves?
- Have you set hard boundaries so that data cannot be moved beyond them to unsuitable locations, or to locations that may cause contractual issues with clients?
- Do your existing client contracts have any regulatory requirements for stored data?
- Do you have a right of physical audit of all locations?
- What security assurances and certifications, both physical and information security, do the premises hold?
- Is third-party or supplier security audit part of your standard business practices?
The more connected we are to our information assets, the better. This isn’t just a security issue and it isn’t an IT issue – it’s a business issue. That means information sharing and availability need to be as comprehensively considered as the security of the information.