How to move your business to the cloud, part 1
Rapid adoption of cloud computing requires a clear understanding of what you are moving and how you will manage the move. In a previous post I discussed cost and trust as the key driving factors for cloud adoption. In this post I'll expand on the key things companies should consider when moving to the cloud.
A while ago I had a room full of executives from a major mining organization. Our discussion was about cloud trust. In the discussion the CTO asked me a great question: "If you were working for me, what would you do to secure our environment as we adopt the cloud?"
Here's a digest of what I recommended:
First I asked: do you know what you are trying to protect? The problem most organizations face is knowing where they should invest the most in protection. The cloud security trends report posted by Microsoft indicated that about 40% of organizations do not have a uniform classification methodology; across every industry surveyed, almost half of the respondents indicated that they do not classify their data. It follows that if data is not classified by its importance, the organization ends up protecting everything equally. That model is flawed by design, because not all data is equal.
Part 1 - Understand your data. Classification of data is the single most essential exercise an organization should set funds and time aside for.
The truth is that discovery and classification of data can be a daunting effort and can take years to do thoroughly. What I proposed instead was a rapid assessment. In my paper "Data Classification for cloud readiness" I recommended the following:
- Start with a simple plan that follows a free method, the PLAN, DO, CHECK, ACT model from MOF (Microsoft Operations Framework), to plan and discover your organization's data assets. Focus on the assets that are critical to the success of the organization. Structured data is also a simpler task than unstructured data, so don't start by trying to classify e-mail; in a future post I'll discuss the issues of managing a classification system for unstructured data. For now, consider your CRM or HR data system.
- Next, select a classification terminology model that addresses your needs. My opinion is to use a simple 3-tier model: Low, Medium, and High. Focus on protecting your sensitive data, and be ready to revise the model or reclassify data. For instance:
  - High (sensitive) data:
    - Will losing the data break your company? This tier is for the most critical of critical data to your business. Losing data about a great sales lead, or personal information such as salaries, is terrible, but most companies will recover from that type of incident, so those examples are only medium sensitivity. As much as it hurts to think about it, losing customer data is also terrible, but again most organizations survive it: think of TJ Maxx, Target, Home Depot, and Kmart. None of them went out of business for losing customer data, so that is medium sensitivity as well, unless a regulation trumps my logic and mandates that you mark the data sensitive.
    - Will someone go to jail? Pre-disclosure financial data is an example. Protection of this data may be essential, so it is highly sensitive.
    - Key operational data, for example your TLS/SSL certificates and, above all, their private keys. Lose control of these and an attacker can impersonate you, and revocation gives you limited or no practical recourse. Highly sensitive.
    - A regulation requires you to mark the data sensitive.
  - Low sensitivity:
    - If the public already has access to the data, or will be given permission to view it, set it to Low.
  - Medium:
    - For now, everything else, such as general business communications and operational data, can be labeled medium sensitivity.
- Next, define a data ownership methodology. Ensure that owners, custodians, administrators, and users are identified for each asset.
- Now implement the model. At first this should take very little technology. The effort needs to be done at the policy level, with buy-in from the owners and administrators. The real key to success is getting your staff to follow the guidance and label data based on sensitivity.
- And finally, revise and reclassify. Be aware that you may not hit the mark on the first try.
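The rapid assessment above can be captured as a small classification register, which is how I would start before buying any tooling. The following is an added illustration, not code from the original post or from the paper it cites: it encodes the three tiers with the precedence the post implies (a regulatory mandate overrides everything else, then the business-ending, legal-liability and key-operational tests, then public data, with everything else defaulting to Medium) and flags assets that are missing the owner, custodian or administrator roles the post asks for. The asset records and role names are constructed sample data.

```python
"""Three-tier data classification register (added example, not the post's own code).

Precedence: regulation -> High; loss breaks the company -> High; legal liability
-> High; key operational material (e.g. TLS private keys) -> High; public -> Low;
everything else -> Medium. Regulation is checked first so that a public-facing
asset that a regulation covers is still marked High.
"""
from dataclasses import dataclass

HIGH, MEDIUM, LOW = "High", "Medium", "Low"
REQUIRED_ROLES = ("owner", "custodian", "administrator")


@dataclass
class Asset:
    name: str
    owner: str = ""
    custodian: str = ""
    administrator: str = ""
    regulated_sensitive: bool = False   # a regulation mandates a sensitive marking
    loss_breaks_company: bool = False   # losing it would end the business
    legal_liability: bool = False       # someone could go to jail (pre-disclosure financials, etc.)
    key_operational: bool = False       # TLS private keys, signing keys, root credentials
    public: bool = False                # the public has, or will be given, access


def classify(a: Asset) -> str:
    """Return the tier label for one asset, applying the tests in precedence order."""
    if a.regulated_sensitive:           # regulation trumps the business-impact reasoning
        return HIGH
    if a.loss_breaks_company or a.legal_liability or a.key_operational:
        return HIGH
    if a.public:
        return LOW
    return MEDIUM                       # general business and operational data


def missing_roles(a: Asset) -> list:
    """Ownership methodology check: every asset needs an owner, custodian and administrator."""
    return [role for role in REQUIRED_ROLES if not getattr(a, role)]


def build_register(assets):
    """Return (register, problems): register is (name, tier) pairs sorted High first,
    problems is a list of human-readable ownership gaps."""
    rank = {HIGH: 0, MEDIUM: 1, LOW: 2}
    register = [(a.name, classify(a)) for a in assets]
    problems = [f"{a.name}: no {role} assigned" for a in assets for role in missing_roles(a)]
    register.sort(key=lambda entry: rank[entry[1]])   # stable, so insertion order kept within a tier
    return register, problems


# Constructed sample inventory; names, roles and flags are illustrative only.
SAMPLE_ASSETS = [
    Asset("CRM: sales leads", owner="VP Sales", custodian="CRM team", administrator="CRM admin"),
    Asset("HR: salary records", owner="HR Director", custodian="HR ops", administrator="HRIS admin"),
    Asset("Customer PII (breach-notification law applies)", owner="CISO", custodian="Data platform",
          administrator="DBA", regulated_sensitive=True),
    Asset("Pre-disclosure quarterly financials", owner="CFO", custodian="Finance",
          administrator="ERP admin", legal_liability=True),
    Asset("TLS private keys for the public web front end", owner="CISO", custodian="Platform team",
          administrator="PKI admin", key_operational=True),
    Asset("Public product brochures", owner="Marketing", public=True),   # custodian/admin missing
]


if __name__ == "__main__":
    reg, probs = build_register(SAMPLE_ASSETS)
    for name, tier in reg:
        print(f"{tier:<6} {name}")
    for p in probs:
        print("WARNING:", p)
```

The point of the precedence order is the one the post makes about customer data: the same record is Medium on business-impact grounds and High the moment a regulation covers it, so the regulatory test has to run before the impact tests. The ownership check is the cheap part of "implement the model with very little technology": an asset nobody owns will never be relabeled when you get to the revise-and-reclassify step.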
Data classification was step one. In my next post I will look at step 2: how to institute a BYOD model that makes use of all those devices your employees carry around with them, day and night.