How to move your business to the cloud part 1

Rapid adoption of cloud computing requires a clear understanding of what you are moving and how you will manage the move. In a previous blog I discussed cost and trust as the key driving factors for cloud adoption. In this blog I'll expand on the key things companies should consider when moving to the cloud.

A while ago, I had a room full of executives from a major mining organization. Our discussion was about cloud trust. During the discussion the CTO asked me a great question: "If you were working for me, what would you do to secure our environment as we adopt the cloud?"

Here's a digest of what I recommended:

First I asked: do you know what you are trying to protect? The problem most organizations face is knowing where they should invest the most in protection. The cloud security trends report posted by Microsoft indicated that about 40% of organizations do not have a uniform classification methodology, and across all of the industries surveyed close to half do not classify their data at all. If data is not classified by its importance, the only option left is to protect everything equally. That model is flawed by design, because not all data is equal: it spends the same budget on public marketing material as on the keys to your production systems.

Part 1 - Understand your data. Classification of data is the single most essential exercise an organization should set aside funds and time for. The truth is that discovery and classification of data can be a daunting effort and take years to do thoroughly, so what I proposed is a rapid assessment. In my paper "Data Classification for cloud readiness" I had recommended the following ideas:
  1. A simple plan following a free method, the PLAN, DO, CHECK, ACT model from MOF, to plan and discover your organization's data assets. Focus on the assets that are critical to the success of the organization, and start with structured data rather than unstructured data, which is a far simpler task - e.g. don't start by trying to classify e-mail. In a future blog I'll discuss the issues of managing a classification system for unstructured data. For now consider your CRM or HR data system.
  2. Next, select a classification terminology model that addresses your needs. My opinion is to use a simple 3-tier model: Low, Medium, and High. Focus on protecting your sensitive data, and be ready to revise the model or reclassify data. For instance:
    1. High or sensitive data -
      1. Will losing the data break your company? This tier is for the most critical of critical data to your business. Losing data about some great sales lead, or personal information such as salaries, is terrible, but most companies will recover from that type of incident, so my examples here are only medium sensitivity. Also, as much as it hurts to think about it, losing customer data is terrible, but again most organizations will survive: think about TJ Maxx, Target, Home Depot, and Kmart. None of them went out of business for losing customer data, so again this is medium sensitivity (unless a regulation trumps my logic and mandates that you mark the data sensitive).
      2. Will someone go to jail if it leaks? Financial results before disclosure, for instance. Protection of this data is essential = highly sensitive.
      3. Key operational data, e.g. your SSL certificates and their private keys. Lose these and an attacker can impersonate you, and you may have limited or no recourse to recover = highly sensitive.
      4. A regulation requires you to mark the data sensitive.
    2. Low sensitivity -
      1. If the public already has access to it, or will be given permission to view it, set it to Low.
    3. Medium -
      1. For now, everything that is general business communication, operational data, etc. can be labeled as medium sensitivity.

  3. Next, define a data ownership methodology. Ensure that owners, custodians, administrators, and users are identified for every data set you classify.
  4. Now implement the model. At first this should take very little technology. The effort needs to be done at a policy level, with buy-in from the owners and administrators. The real key to success is getting your staff to follow the guidance and label data based on sensitivity.
  5. And finally, revise and reclassify. Be aware that you may not hit the mark on the first try.
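The five steps above can be run as a first, tool-light pass over a handful of structured systems. The script below is an added example, not code from the original post or from the "Data Classification for cloud readiness" paper: it encodes the three-tier rules as a precedence list (a regulation overrides the author's own "most companies survive it" logic, the three High questions come next, public data is Low, everything else defaults to Medium), applies them to a constructed inventory, and flags assets whose owner, custodian or administrator is not yet identified. The asset names, role holders and yes/no answers are invented for illustration.

```python
"""Rapid data-classification pass over a small structured-asset inventory.

Added example (not from the original post). Asset names, role holders and
the answers to the classification questions are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

ROLES = ("owner", "custodian", "administrator")  # users are listed per system, not here
TIER_ORDER = {"High": 0, "Medium": 1, "Low": 2}


@dataclass
class DataAsset:
    name: str
    structured: bool                   # the rapid pass covers structured systems only
    public: bool = False               # public today, or will be made public
    regulated: bool = False            # a regulation mandates "sensitive"
    breaks_company: bool = False       # losing it would end the business
    legal_exposure: bool = False       # jail risk / financial pre-disclosure
    operational_secret: bool = False   # certs, keys: loss lets an attacker impersonate you
    roles: dict = field(default_factory=dict)  # role -> person or team


def classify(asset: DataAsset) -> tuple[str, str]:
    """Return (tier, reason) for an asset.

    Rules are evaluated in precedence order: a regulation wins over every
    other answer, then the three High questions, then public data is Low,
    and anything that matches nothing falls into the Medium default bucket.
    """
    rules = [
        ("High", "regulation mandates sensitive", asset.regulated),
        ("High", "loss would break the company", asset.breaks_company),
        ("High", "legal or financial pre-disclosure exposure", asset.legal_exposure),
        ("High", "operational secret, impersonation risk", asset.operational_secret),
        ("Low", "public or to be made public", asset.public),
    ]
    for tier, reason, hit in rules:
        if hit:
            return tier, reason
    return "Medium", "general business or operational data"


def missing_roles(asset: DataAsset) -> list[str]:
    """Roles from the ownership model that nobody has been assigned yet."""
    return [role for role in ROLES if not asset.roles.get(role)]


def rapid_assessment(assets: list[DataAsset]) -> list[dict]:
    """Classify structured assets, most sensitive first, with ownership gaps."""
    report = []
    for asset in assets:
        if not asset.structured:
            continue  # e-mail and file shares wait for the unstructured pass
        tier, reason = classify(asset)
        report.append({
            "name": asset.name,
            "tier": tier,
            "reason": reason,
            "missing_roles": missing_roles(asset),
        })
    report.sort(key=lambda row: (TIER_ORDER[row["tier"]], row["name"]))
    return report


def _roles(owner: str, custodian: str, administrator: str) -> dict:
    return {"owner": owner, "custodian": custodian, "administrator": administrator}


# Constructed inventory for a fictional company; every value is made up.
INVENTORY = [
    DataAsset("HR salary data", structured=True, roles=_roles("HR Director", "HR Ops", "HRIS admins")),
    DataAsset("Customer records (EU residents)", structured=True, regulated=True,
              roles=_roles("Sales VP", "Sales Ops", "CRM admins")),
    DataAsset("CRM sales pipeline", structured=True, roles={"owner": "Sales VP"}),
    DataAsset("TLS certificate private keys", structured=True, operational_secret=True,
              roles={"owner": "CISO", "administrator": "PKI team"}),
    DataAsset("Quarterly results (pre-release)", structured=True, legal_exposure=True,
              roles=_roles("CFO", "Finance Ops", "ERP admins")),
    DataAsset("Public website content", structured=True, public=True,
              roles=_roles("Marketing Director", "Web team", "Web admins")),
    DataAsset("Executive e-mail", structured=False, roles=_roles("CIO", "Messaging", "Exchange admins")),
]


if __name__ == "__main__":
    for row in rapid_assessment(INVENTORY):
        gaps = ", ".join(row["missing_roles"]) or "none"
        print(f'{row["tier"]:6} {row["name"]:34} {row["reason"]:45} missing roles: {gaps}')
```

Note that salary data and the sales pipeline land in Medium exactly as the post argues, while the same kind of customer data flips to High the moment a regulation applies, and the two assets with incomplete ownership (the pipeline and the key store) surface in the report before any technology is bought.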


Data classification was step one. In my next blog I will look at step 2: how to institute a BYOD model that makes use of all those devices your employees carry around with them, day and night.
