A four-step-plan towards cloud resilience in an age of data security

23 Apr 18

The internet has had a profound and positive impact on our personal and professional lives in terms of connectivity and efficiency; however, it is not without risk. Having private information stored remotely on the cloud can put people in a vulnerable position, as hackers, companies and spy agencies seek to get hold of that information for monetary or intelligence gain.

The ramifications of having a data breach are ten-fold for government agencies who handle sensitive information such as personal, financial or criminal records. Even a minor breach has the potential to put a country’s security at risk or damage the valuable trust that exists between a government and its citizens.

Currently, there are more than 44 million items of content on federal government sites in Australia and more than 1,200 federal government websites. Given this volume, and the extensive travel schedule of politicians, staffers and workers in government agencies, having access to data stored on the cloud while being on the move is critical. However, is the convenience worth the risk?

Understanding the risks

In order for government agencies to utilise the cloud, it is vital that they understand the risks involved and the sentiment of the citizens they serve, many of whom feel uneasy over the prospect of their private information being stored on the cloud. Results of the 2017 Australian Community Attitudes to Privacy Survey revealed that 93% of Australians don’t want their data to be stored overseas and 73% don’t want their data shared with other organisations.

A safer path towards the cloud

With digital transformation being a top priority for government departments at all levels, the selection of the most secure cloud provider and cloud service via a rigorous, systematic procurement process is vital. This is because while control of private data is transferred to the cloud provider, the risk and ultimate responsibility remain with the agency owning the data.

One method developed by government cloud experts for measuring engagement and assessing risks on providers is called PAAM. The methodology of PAAM (Plan, Assess, Acquire and Manage) brings a deeper understanding of risks involved and improves management of these risks. Risk cannot be managed if it is not discovered, understood and monitored. A risk in one domain, such as security, can have impacts on the effectiveness of other domains such as legal and regulatory. Therefore, risk cannot be considered in isolation.

The methodology forms a staged approach that acts as an enabler for government departments and agencies to bridge the gap between the intent of a cloud strategy and the security measures required to operate it securely.

Plan: Planning is the most critical aspect of cloud adoption. It sets the target state, the business goals, and defines the answer to the question ‘where do we want to be?’. Planning starts by identifying strategic business drivers, including key stakeholders and the targeted end state from a business outcomes perspective.

Assess: The Assess phase is the most effort-intensive aspect of PAAM. It is the key activity in defining the target state’s legal, technical and security viability and shapes the plans for realisation.

Acquire: Once the target state has been defined and validated and a comprehensive assessment has been conducted, legal counsel is engaged to ensure that terms allowing for management of identified risks are incorporated into the contract, and that contractual terms are technically and strategically effective.

Manage: Manage is critical to the business realisation of the target state defined in the Plan stage. Cloud is an ongoing monitoring challenge for any organisation that manages classified, legal, or sensitive data (including that of private citizens). The data owner retains risk for the operation of the cloud deployment regardless of cloud provider; as such, ongoing monitoring of the service is crucial to determine any changes in risk.

Implementing a process such as PAAM rather than a set-and-forget mindset can ensure an organisation not only partners with the most appropriate cloud partner in the first instance but also has a system in place to ensure its strategy can evolve with constantly changing regulatory and security requirements.

Article by MNTR director - Cyber Security Practice, Ash Smith.
