ET helps build STARs

EY (Ernst and Young as was) is setting out to help enterprise executives sort out their thinking as they contemplate moving to the cloud, and suggests they aim to build Secure, Trusted and Audit-Ready cloud environments.

  • 10 years ago Posted in

Ernst and Young, or EY as we now have to call the company, has come up with five insights for business executives thinking about moving to the cloud. They are available in the form of an online paper, `Building Trust in the Cloud’, which can be found here.

For any business executive that has done any reading about cloud and the issues of moving to such a different environment from the traditional `applications-on-premise’ infrastructure, the paper does not represent too much in the way of great revelations, but it does at least give enterprise executives a structure with which to build Secure, Trusted and Audit-Ready (STAR) environments.

The first of these insights, in that position not least because most enterprise executives are likely to think it the most important, concerns the subject of security for both stored data and the integrity of the systems used. The big fears are the obvious ones: that using a hosted service will lead to data being at risk from the unauthorised access, that public networks will be vulnerable to cyber-attack and that multi-tenanted hosting services will not be able to segregate different users operating on the same physical resources. The obvious safe answer, of course, is to not contemplate moving to the cloud.

But as the EY paper points out this could be a serious mistake. `Unfortunately, these fears and IT’s perceived need to retain physical controls over its environment can increase an organization’s risk rather than mitigating it. Within many organizations, when business units that want to use cloud computing hear “no” from IT, they simply go off and procure the service themselves. This not only extends the organization’s IT environment without the right protections in place, but it also takes cloud computing into the shadows where IT can neither anticipate nor address the resulting risks.’

The paper therefore suggests that the job for IT departments is to develop a cloud framework that creates a secure, trusted and audit-ready (STAR) environment that executives can say “yes” to with some confidence.

In answer to the rhetorical question: why now? The paper suggests a pretty obvious answer – because cloud is here, now, and because `those who have embraced cloud-based services have generated internal efficiencies, attracted new customers, discovered new avenues to market their products.’ There will also have been a marked increase in Shadow IT, where Lines of Business establish their own cloud services anyway.

Again, security fears are an issue here, and finding a way to help executives lay them to rest and work proactively to exploit the cloud effectively will be the answer.

`How does it affect you?’ the paper asks, and gives an answer which continues the underlying theme of the paper that cloud is here so it is better for executives to be proactive about it – and help persuade IT to be proactive about it. There is, after all, still plenty of scope for IT to exercise control over cloud services, a control that is still required in a world where Shadow IT can cause more problems than it solves.

The solution to the issues these questions raise is, EY suggests, to aim to build what the company calls a Secure, Trusted and Audi-Ready cloud environment. This based around six domains that contain the various controls and procedures required to support a STAR environment. This model can be flexible and should accommodate the different of cloud deployment models so that IT can provide clear guidance to the organization to promote responsible adoption of the cloud.

1. Organization. Cloud services impact the organisational behaviours. Organisations need to document roles and responsibilities associated with the use of cloud services and train employees regularly on these protocols.

2. Technology. IT functions should design applications according to industry security standards, encrypt the data, and implement role-based access and identity management solutions.

3. Data. IT functions need to classify and inventory data, assign data owners and securely purge data that is no longer required.

4. Operations. Business continuity management (BCM) and resiliency program policies and procedures should include periodic review and testing. Additionally, policies and procedures for BCM, change management and datacentre security should be documented to formalise roles and responsibilities.

5. Audit and compliance. Organisations should plan and execute audits in a way that minimises business interruption. For maximum assurance, organisations should engage a third party to perform the audit and certify the environment.

      6. Governance. There are many cloud options from which organisations may choose, from public cloud services, to building a private cloud, to a hybrid approach. Regardless of the deployment path organisations pursue, governance processes should be scalable, repeatable, measurable, defensible and constantly improving.

TMF Group, a leading provider of critical administrative services for global businesses, turned to...
Strengthening its cloud credentials as part of its mission to champion the broader UK tech sector...
Nearly all UK IT managers surveyed (98%) state cloud investment is an organisational priority for...
LetsGetChecked is a global healthcare solutions company that provides the tools to manage health...
Node4 to the rescue.
Commvault provides cloud-first organisations with greater choice and flexibility to protect and...
On the morning of September 20, Executive Director of the Board of Huawei and CEO of Huawei Cloud...
Global IT Business-to-Business (B2B) revenues, coming from data centers, IT services and devices,...