My last blog post addressed identifying stakeholders when you run your own IT (Information Technology) show. However, the IT landscape is shifting rapidly and a large number of organisations are moving parts of their IT towards cloud providers. How does this change the scope of our cybersecurity strategy?
This fourth article is a bit of a side step, looking at your cybersecurity when you have outsourced parts of your IT to one or more cloud providers. What changes, what stays the same and what is the role of the organisation once you go into the cloud?
First of all, making the move towards the cloud can be a smart business move. If IT is not your core business, using cloud-based services can save you a lot of time, resources and money. You can focus on your own business and don’t need to worry (much) about your IT.
However…
You can outsource your IT operations, but you cannot outsource your responsibility. You are the custodian or owner of the information you process, store or otherwise use and you have to protect the interests of your customers, staff and the organisation, no matter who performs your actual IT operations.
Some organisations are under the impression that once they outsource their IT, they are no longer responsible for the protection of their information. Laws and regulations like GDPR are clear in situations like these. Your cloud provider should be considered a data processor, processing YOUR data, under YOUR responsibility.
This puts an interesting perspective on the scoping and stakeholder discussion. Based on the premise that you are still responsible, you now no longer have direct control over some (or in some cases, all) of your data processing. Your service provider does that for you, and in the way they see fit. Your main controls are the contracts you have with your service provider, the guarantees they give you (on paper) and perhaps some reports and dashboards they provide you with on a regular basis.
And now is a good time to mention the old saying “The Cloud is just somebody else’s computer”. This means that your cybersecurity now depends on the security controls and strategy of your cloud provider(s) and how well they execute that. At the end of the day, a cloud provider is just another business, with people, computers and a lot of other opportunities to make mistakes that could impact your business as well, potentially impacting Personally Identifiable Information and all kinds of GDPR and regulatory requirements.
And if you are under the impression that you can dictate how your cloud provider runs their security operations, think again. In most cases, the cloud provider is substantially bigger than you, and is in a position to dictate the rules, and you have to accept them as-is.
You may wonder what you can do in this scenario. Is it all lost? I don’t think so, but you have to tread carefully. Proper care and due diligence start the moment you consider outsourcing your IT. You should really analyse what kind of information you would like to have processed by an external party, and take into account any laws and regulations pertaining to that information.
Once you have decided to outsource parts of your IT, risk-based security requirements should be an integral part of your selection criteria and process. If you make a mistake here, it is almost impossible to fix once you have jumped on the cloud train. And when you select a cloud provider, make sure your exit strategy is part of your selection process. You may want to move to another cloud provider in the future and you need to make sure that you can do so and that your data is either destroyed or kept safe once you have moved away. You will also need to shift your security focus from prevention to detection and correction.
As you no longer dictate the IT controls, you can no longer fully enforce (preventative) controls in your IT environment. You will have to rely on your provider(s) and when they report a security incident, you need to be able to respond accordingly (you did address incident management in your RFP, I hope). So your focus will shift towards controls that will help you to contain and correct any security-related incidents that arise, and these will need to be on a technical, process and organisational level.
To conclude this (longer than expected) post, when you shift to the cloud your security focus will also shift. But you will still be responsible and therefore you have to keep challenging your own organisation and your providers for proper cybersecurity.
In the next post I would like to look with you at identifying the assets that need some tender loving protection and how you could manage those.
Until next time, as always, stay safe!
Arthur Donkers