
A four-step-plan towards cloud resilience in an age of data security

23 Apr 18

The internet has had a profound and positive impact on our personal and professional lives in terms of connectivity and efficiency; however, it is not without risk. Having private information stored remotely in the cloud can leave a person in a vulnerable position, as hackers, companies and spy agencies seek to get hold of that information for monetary or intelligence gain.

The ramifications of a data breach are ten-fold for government agencies that handle sensitive information such as personal, financial or criminal records. Even a minor breach has the potential to put a country's security at risk or damage the valuable trust that exists between a government and its citizens.

Currently, there are more than 44 million items of content on federal government sites in Australia and more than 1,200 federal government websites. Given this volume, and the extensive travel schedule of politicians, staffers and workers in government agencies, having access to data stored on the cloud while being on the move is critical. However, is the convenience worth the risk?

Understanding the risks

In order for government agencies to utilise the cloud, it is vital that they understand the risks involved and the sentiment of the citizens they serve, many of whom feel uneasy over the prospect of their private information being stored on the cloud. Results of the 2017 Australian Community Attitudes to Privacy Survey revealed that 93% of Australians don’t want their data to be stored overseas and 73% don’t want their data shared with other organisations.

A safer path towards the cloud

With digital transformation being a top priority for government departments at all levels, the selection of the most secure cloud provider and cloud service via a rigorous, systematic procurement process is vital. This is because while control of private data is transferred to the cloud provider, the risk and ultimate responsibility remain with the agency owning the data.

One method developed by government cloud experts for structuring the engagement with, and assessing the risks of, cloud providers is called PAAM. The PAAM methodology (Plan, Assess, Acquire and Manage) brings a deeper understanding of the risks involved and improves the management of those risks. Risk cannot be managed if it is not discovered, understood and monitored. A risk in one domain, such as security, can affect the effectiveness of other domains such as legal and regulatory compliance. Therefore, risk cannot be considered in isolation.

The methodology forms a staged approach that acts as an enabler for government departments and agencies to bridge the gap between the intent of a cloud strategy and the security measures required to operate it securely.

Plan: Planning is the most critical aspect of cloud adoption. It sets the target state and the business goals, and defines the answer to the question 'where do we want to be?'. Planning starts by identifying the strategic business drivers, the key stakeholders and the targeted end state from a business-outcomes perspective.

Assess: The Assess phase is the most effort-intensive aspect of PAAM. It is the key activity in determining the legal, technical and security viability of the target state, and it shapes the plans for realising it.

Acquire: Once the target state has been defined and validated and a comprehensive assessment has been conducted, legal counsel is engaged to ensure that terms allowing for the management of identified risks are incorporated into the contract, and that those contractual terms are technically and strategically effective.

Manage: The Manage phase is critical to the business realisation of the target state defined in the Plan stage. Cloud is an ongoing monitoring challenge for any organisation that manages classified, legal or sensitive data (including that of private citizens). The data owner retains the risk for the operation of the cloud deployment regardless of the cloud provider; as such, ongoing monitoring of the service is crucial to detect any change in risk.

Implementing a process such as PAAM, rather than adopting a set-and-forget mindset, helps an organisation to select the most appropriate cloud partner in the first instance, and also puts a system in place to ensure its strategy can evolve with constantly changing regulatory and security requirements.

Article by Ash Smith, MNTR director, Cyber Security Practice.
