
A four-step-plan towards cloud resilience in an age of data security

23 Apr 2018

The internet has had a profound and positive impact on our personal and professional lives in terms of connectivity and efficiency; however, it is not without risk. Having one's private information stored remotely in the cloud can put a person in a vulnerable position, as hackers, companies and spy agencies seek to get hold of that information for monetary or intelligence gain.

The ramifications of a data breach are ten-fold for government agencies that handle sensitive information such as personal, financial or criminal records. Even a minor breach has the potential to put a country’s security at risk or damage the valuable trust that exists between a government and its citizens.

Currently, there are more than 44 million items of content on federal government sites in Australia and more than 1,200 federal government websites. Given this volume, and the extensive travel schedule of politicians, staffers and workers in government agencies, having access to data stored on the cloud while being on the move is critical. However, is the convenience worth the risk?

Understanding the risks

In order for government agencies to utilise the cloud, it is vital that they understand the risks involved and the sentiment of the citizens they serve, many of whom feel uneasy over the prospect of their private information being stored on the cloud. Results of the 2017 Australian Community Attitudes to Privacy Survey revealed that 93% of Australians don’t want their data to be stored overseas and 73% don’t want their data shared with other organisations.

A safer path towards the cloud

With digital transformation being a top priority for government departments at all levels, the selection of the most secure cloud provider and cloud service via a rigorous, systematic procurement process is vital. This is because while control of private data is transferred to the cloud provider, the risk and ultimate responsibility remain with the agency owning the data.

One method developed by government cloud experts for assessing cloud providers and the risks of engaging them is called PAAM. The PAAM methodology (Plan, Assess, Acquire and Manage) brings a deeper understanding of the risks involved and improves the management of those risks. Risk cannot be managed if it is not discovered, understood and monitored. A risk in one domain, such as security, can affect the effectiveness of other domains such as legal and regulatory compliance. Therefore, risk cannot be considered in isolation.

The methodology forms a staged approach that acts as an enabler for government departments and agencies to bridge the gap between the intent of a cloud strategy and the security measures required to operate it securely.

Plan: Planning is the most critical aspect of cloud adoption. It sets the target state, the business goals, and defines the answer to the question ‘where do we want to be?’. Planning starts by identifying strategic business drivers, including key stakeholders and the targeted end state from a business outcomes perspective.

Assess: The Assess phase is the most effort-intensive aspect of PAAM. It is the key activity in defining the target state’s legal, technical and security viability, and it shapes the plans for realisation.

Acquire: Once the target state has been defined and validated and a comprehensive assessment has been conducted, legal counsel is engaged to ensure that terms allowing for the management of identified risks are incorporated into the contract, and that those contractual terms are technically and strategically effective.

Manage: The Manage phase is critical to the business realisation of the target state defined in the Plan stage. Cloud is an ongoing monitoring challenge for any organisation that manages classified, legal or sensitive data (including that of private citizens). The data owner retains the risk for the operation of the cloud deployment regardless of the cloud provider; as such, ongoing monitoring of the service is crucial to detect any change in risk.

Implementing a process such as PAAM, rather than adopting a set-and-forget mindset, can ensure that an organisation not only partners with the most appropriate cloud provider in the first instance but also has a system in place so that its strategy can evolve with constantly changing regulatory and security requirements.

Article by MNTR director - Cyber Security Practice, Ash Smith.
