Intelligent CISO Issue 74 | Page 37

What do CIOs/CISOs need to know about cloud security to confidently navigate the complexities of their cloud environments and protect sensitive data? Three industry experts give us their views.
John Allison, Director of Public Sector, Checkmarx
Modern cloud environments are a double-edged sword when it comes to security, especially the protection of information. Security was much simpler when you could walk into your data centre, and in front of you were rows and rows of hard drives with your data. The downside was that it was your data centre, and you were responsible for everything, including security.
The first step in protecting sensitive data is agreeing on what sensitive data is. To quote the old saying, ‘if everything is a priority then nothing is a priority’. The same goes for protecting data. CIOs must work with the stakeholders to aggressively narrow what is defined as sensitive to that data that, if released, will cause significant harm to the company, either reputationally or financially.
The next challenge is to agree on what minimum security measures are required to protect that data. For some industries, there are compliance standards to support this; for others, this may fall under the ambiguous term of ‘best business practices’. Now comes perhaps the most difficult part of this journey: finding where the sensitive data is stored.
As the CIO finds the data, they can assess the security against the requirements.
From here, a CIO can start making risk-based decisions on the prioritisation of addressing the holistic data security posture, including the CIO’s cloud environments. It is likely that at this point, the data is scattered across the CIO’s development and production environments, which are on top of one or more of the major cloud providers, and scattered across multiple third-party cloud services.
For the third-party cloud vendors there is only so much a CIO can do. They will certainly go through their vendor risk management process, and perhaps be able to get additional data from the vendor. This feeds into the risk decision from the CIO and establishes if there is sufficient trust to share your data with this vendor.
If the sensitive data is stored within the CIO’s own applications, they have a wider range of tools available to meet the security requirements.