Not just Safety in Numbers

Posted on October 28, 2010


The UK’s National Security Strategy was published this week (18 October 2010).

It came as no surprise that cyber attack was clearly identified as a priority. The interesting insight across the areas of key concern (terrorism, military crisis, major incidents and natural hazards) is the realisation that cyber attacks affect two of the other three areas, emphasising how intimately dependent so many aspects of our modern world are on the Internet.

Defending against deliberate, premeditated cyber attack is quite rightly at the forefront of not just government but commercial organisations’ planning, as business continues its forced march online to a greater degree than ever before. But this must be kept in context and balanced with a fact-based risk assessment, or both public and private sectors risk incurring disproportionate costs and fostering fear inappropriately.

Cloud computing offers many benefits to organisations challenged with the onerous burden of cybersecurity. This is counter-intuitive to some, but on closer assessment there are few organisations that can match the security, redundancy and availability delivered by credible cloud service providers.

This is not a green light to rush lemming-like to the cloud, but a heads-up that there are real benefits to be leveraged through the economies of scale and specialisation of dedicated service providers. This applies especially to the SME sector, but it does not exclude large enterprises, which can equally benefit from the price points such economies of scale offer: too cost-effective and efficient to ignore.

Where an independent organisation may struggle with ISO 27001, BS 25999, PCI DSS (Payment Card Industry Data Security Standard), SAS 70 and other gilt-edged measures of competence and compliance audit, this level of security and compliance is available through some of the mature cloud service providers. Bear in mind, though, that a provider’s certificate covers the scope of the provider’s own controls, not how the customer configures and uses the service on top of them.

The tangible benefits extend beyond security into areas of straightforward business marketing and profile building. By delivering your own services, and consuming services, through such secure providers, organisations can enjoy a transfer of brand and service association value, increasing sales for example.

The health warning here concerns the approach organisations take to moving to the cloud: vetting and qualifying what they are actually getting, where accountability lies in terms of remedies, and the ease of transfer in and transfer out. The reality is that few organisations will actually try to sue the Microsofts or Googles of this world, and if you take the time to check the service terms you will probably find you have already been contracted into a corner. See my earlier blog on ‘Click Through’ for more on that.

One of the hats I wear is that of an external Systems Auditor (CISA), and an increasingly active part of my function is working with companies to both validate their own internal risk profiles against their business’s IT service dependencies and then qualify and vet these against external offerings. This activity is inextricably woven into a partnership with either an in-house legal team or external legal advisors, the output being a clear and meaningful roadmap for the business to tap the potential of cloud computing to address compliance and security issues.

My favourite is to look for service providers who will write a cheque for any breach of Service Level Agreements (SLAs). I am not a fan of the ‘extended free service’ angle, as this is to me a cop-out and potentially a crude form of persuasive reasoning to continue with what could potentially be a sub-standard service, when your best move is actually to terminate and move. SLAs should have teeth, and cash is a time-proven motivator!