Earlier this year I was given the opportunity of presenting the concept of cloud computing to delegates from the Chemical industry. I remember when I put the title slide up, and then made the bold claim that – Cloud computing, and in particular public Cloud Service Providers should be considered for ALL sectors even those securing industrial control systems and the broader ‘Critical Infrastructure’ industry.
I don’t think I was universally liked at that moment.
Perhaps I should try and explain before I alienate all readers, by no means am I saying that all data must be moved into a public cloud, nor am I saying that no data should be moved to the public cloud. The first thing that needs to be considered is the concept of legal and regulatory obligations. There may be some data that needs to sit within certain geographical boundaries, and if you cannot assure where the data will ultimately reside then it may not be possible to work with certain service providers.
Of course the next point becomes key; ‘Risk Appetite’. Of course this concept is not new, but ultimately how much risk are you willing to tolerate? Of course this will vary on the type of data you have, and the potential impact of such data being unavailable, losing its integrity, or being publicly disclosed. The presentation I delivered fundamentally focused on this concept, whereby there will be many data sets within an organisation that could be managed by third parties, but equally certain data sets that demand the level of transparency required when hosted internally.
In 2009, when I worked with the European Network Information Security Agency (ENISA), on the paper entitled ‘Cloud Computing Risk Assessment’ we considered the use case of cloud computing within an e-Health context. We then followed up in 2011 the paper ‘Security and Resilience in Governmental Clouds where we identified that there were “major weaknesses of a public cloud solution for governmental organizations are related to the lack of governance, the large number of tenants (users) in the cloud and to the strong negotiating power of the cloud provider in the definition of the contract”.
However we have begun to see public sector organisations beginning to leverage public cloud computing, and in particular utilising Data Loss Prevention in ensuring that only data that they ‘allow’ to use the public cloud traverses the internet. This approach maximises the IT budget by applying the right level of security to data, and assuring that highly classified documents remain in security zones that meet the risk appetite of the organisation.
Of course by the end of the presentation the feedback I received was positive, and in general from a Critical infrastructure perspective such a concept of security zones is well understood. Next time I think it may be best to start with a joke!
In the meantime, we have an upcoming podcast on this very topic, so be sure to tune in.
By Raj Samani
