Data security is a hot topic in cloud computing. It can, however, also be approached from the positive side, by looking at the opportunities the cloud offers enterprise data managers to improve the security of their information systems. For this post I spoke with Alban Ondrejeck, Head of Cloud Client Security at Orange Cloud for Business. The post follows a webinar on this topic held on June 21, 2017 at 11:00 am as part of our 15th webinathon.
Security: not just an IT matter
Data security is becoming increasingly central to businesses as they digitalize. In recent years the technical side of security (data encryption, firewall deployment, etc.) has been complemented by a more human approach, focused on monitoring and advisory services.
“Customers are starting to realize that technology has its limits,” says Alban Ondrejeck. They need visibility into their security set-up, as well as expertise and advice: “the need for what is called a Business Security Officer is being felt.”
This person, a kind of RSSI (Responsable de la Sécurité des Systèmes d'Information, the French equivalent of a CISO) dedicated to the client, is the guarantor of the customer's security on the chosen cloud solution. He or she is the customer's single point of contact for security within the cloud provider. The goal is to reassure the customer by ensuring that security measures are implemented and effective, by setting up indicators, and by advising on the customer's strategic security priorities.
What is the value of your data?
Securing data first requires thinking about its value: the investment will differ according to the level of criticality. To assess that level, at least three complementary criteria come into play:
Confidentiality: resources are used only by authorized persons; unauthorized access must be denied;
Integrity: the data is complete, accurate and legitimate;
Availability: the information system works properly with as few interruptions as possible.
From these security objectives it is possible to define the value of the data and the level of security required. For example, an e-commerce site needs little confidentiality for its catalogue and prices, since these are public (customer and payment data are another matter), but its availability is crucial, especially during promotions.
Conversely, some companies, banks for example, require a high degree of confidentiality, while availability may be a lower priority for them depending on the service. Here, the location of the hosting, the applicable legislation and the traceability of the data are the criteria to consider first.
4 essential precautions to ensure data security
To secure its data as well as possible, a company should check four points:
Location and availability: when entrusting data to a third party, it is essential to know where it is stored. Legal risks vary from country to country, and data protection guarantees differ inside and outside the European Union (see the interview with Maître Iteanu). In addition, the data must be hosted close enough to where it is processed to keep network latency within the requirements of the customer's information system.
The link between customer and provider: the security of an information system is only as strong as its weakest link. If the protection of the telecom links, or the authentication required to access the data, does not meet the customer's requirements, the whole security set-up is called into question. Storage encryption loses its value if the link is not also encrypted or if access to the data does not rely on robust authentication. Likewise, if the link is not redundant, the customer may be cut off from its data when it fails. It is therefore the customer's responsibility to know who will provide the telecom link.
Validate your provider's competence: check its reputation, the standards and labels it has obtained, and the publications of its own experts. ISO 27001 certification attests that the company has implemented an information security management system with the measures needed to prevent the loss, theft or alteration of data; when reviewing a certificate, check its scope, since it covers only the sites and services listed on it. ANSSI is currently working on two labels, SecNumCloud Essential and SecNumCloud Advanced, which, on the basis of a set of requirements, certify that a provider offers the necessary guarantees for data security.
Trust: you should also require specific contractual documents from your provider and invest in audits to verify its reliability. Some audit bodies are qualified by ANSSI (the PASSI qualification), which guarantees their competence, ethics and methodology.
By following these recommendations, you lighten the load on your own teams while minimizing the risks of outsourcing to the cloud.