Here are 10 tips for any CIO that wants to understand Data Security in the Cloud including due diligence, determining risk vs value, and encryption.

1. TIPS
10
FOR CIOS
D ATA S E C U R I T Y I N T H E C L O U D

2. NO.1
NEW PARADIGM,
NEW SKILLS
IT organizations are typically made up of specialists
such as server technicians and network engineers.
The more cloud services you introduce into your
organization, the less the skills of these specialists
may be required. Consider job functions with broader
responsibilities and expertise that bring together IT
and business management talents – integrated services
manager, director of cloud services or ITIL management
supervisor, for example. These professions will
be increasingly necessary to direct collaborative
interactions with cloud services providers (CSPs)
that produce better cloud and business alignment,
management and security implementations.
“The more cloud services
you introduce into your
organization, the less the
skills of these specialists
may be required.”
pg 1

3. NO.2
OVERDOING
DUE DILIGENCE
A business decision as important as outsourcing
to the cloud demands thorough due diligence.
Indecisiveness is another matter. Employees and
business managers want cloud services. If IT doesn’t
make them available in a timely fashion, users will
provision services themselves without giving much
thought to security. In fact, a corporate ‘no cloud’
policy may only encourage them to purchase the less
secure, non-enterprise versions of applications and
services on their credit cards.
“a corporate ‘no cloud’ policy
may only encourage them
to purchase the less secure,
non-enterprise versions of
applications and services on
their credit cards.”
pg 2

4. NO.3
RISK VERSUS VALUE
Extracting maximum value from cloud services is an
exercise in risk management. Are the economic gains
that a cloud solution promises greater than the risks it
entails? Balancing business risk/value is new territory
for many IT shops. An enormous variable in achieving
balance is the CSP itself; do its capabilities, integrity
(business and infrastructure) and performance history
add to or diminish risk? It is imperative to find a CSP
that is able to meet or augment your organization’s
governance practices and all that they entail, from
standards, policies and procedures to infrastructure
design, monitoring and access controls.
“Are the economic
gains that a cloud
solution promises
greater than the
risks it entails?”
pg 3

5. NO.4
YOURS, MINE
OR OURS
When establishing responsibilities for cloud security,
assume nothing. Be clear as to your data security
requirements, policies and practices. And be clear
as to what data requires the highest levels of security.
This is important not simply to ensure you get the right
level of protection. The more security, the more costly
the services are likely to be. Pay only for what you
truly need for specific data sets, and demand that
your CSP is able and willing to satisfy your particular
requirements. Reach definitive agreement on who is
responsible for what, and how these responsibilities
will be met over the long term.
“And be clear as to
what data require
the highest levels of
security.”
pg 4

6. NO.5
SECURITY BEGINS
AT HOME, PART I
BYOD. Employees want their mobility and mobile
access, leaving you to provide them with secure
access to data and applications on any device,
anywhere and at any time. Isolate corporate data,
such as that stored in the cloud, from personal data
on mobile devices. Consider cloud-delivered desktops
that segment the access device from corporate
applications and data. Simply install the connecting
app on the home device; from there, everything
runs on the centralized, well-managed infrastructure.
Protect the data, not the device.
“Employees want their mobility
and mobile access, leaving you to
provide them with secure access
to data and applications on any
device, anywhere and at any time.”
pg 5

7. NO.6
SECURITY BEGINS
AT HOME, PART II
Certain corporate and business data is accessible
only to certain employees. In many ways, they hold
the keys to the kingdom, having access to your most
critical and valuable data assets such as databases,
financial information or intellectual property. Keep
their skills and your policies for handling data
securely up to par. Implement stronger access control
procedures. Scrutinize their on-the-job activities more
closely than the average employee.
“In many ways, they hold
the keys to the kingdom,
having access to your most
critical and valuable data
assets such as databases,
financial information or
intellectual property.”
pg 6

8. NO.7
LOVE YOUR DATA?
ENCRYPT IT.
The best cloud encryption solution is the one aligned
with your enterprise’s business and security objectives.
This includes understanding all internal and external
data governance policies (including data privacy
and residency) and compliance mandates, such
as PCI, HIPAA, GLBA, Safe Harbor, etc. However,
data encryption alone does not guarantee data
confidentiality. That happens when an authorized
team controls the encryption process and the
encryption keys. When security is a regulatory
requirement, or intellectual property needs protecting,
enterprises should deploy and manage encryption
themselves. But, a trusted cloud provider can be on
the team as well; new products are coming to market
that allow secure split-key responsibility.
“The best cloud encryption
solution is the one aligned with
your enterprise’s business and
security objectives.”
pg 7

9. NO.8
HIDE-AND-GO-SEEK
Know where your CSPs’ data centers are located
and where they store your data. If they move
your data, you need to know that. Many CSPs
spread data among different data centers, which
may include those in other countries. This raises
jurisdictional and compliance issues. It also can
make it more difficult to retrieve your data when you
want it. If you have heavily regulated data such as
healthcare records or financial information, be sure
the provider has the experience and the necessary
third-party audit reports to satisfy all compliance
requirements, and have them prove it.
“It also can make it more
difficult to retrieve your
data when you want it.”
pg 8

10. NO.9
RISK MANAGEMENT
ADVANTAGES
Certain aspects of cloud homogeneity, centralization
and virtualization can simplify event and log
management, allowing potential security or resiliency
problems to be spotted sooner and addressed more
quickly than they could in a traditional IT environment.
Once identified and fixed, automation tools allow the
CSP to apply the solution throughout the infrastructure.
Furthermore, CSPs can focus attention and investments
in security on a small number of highly scaled
environments. Ask the CSP about dashboards that
let you monitor and track your data, and that give
you better insight into how well its infrastructure is
performing on your behalf.
“Once identified and fixed,
automation tools allow the
CSP to apply the solution
throughout the infrastructure.”
pg 9

11. NO.10
DON’T GO IT ALONE
By 2015, more data and applications will be in
the cloud than not. As the Borg said in Star Trek,
“resistance is futile.” However, instead of being
assimilated, assimilate the cloud into your business
via a well-planned, well-executed strategy that
clearly spells out your complete range of security
requirements top to bottom. Don’t stop at finding a
CSP that can simply do the job. Seek out a provider
that is capable of contributing to your strategy,
providing continuing guidance, tailoring the ideal
solution and bringing ideas to the table. Cloud
computing is critical to the continuing success of your
business. Partner with a provider that wants to grow
with you and for you.
“Seek out a provider that is capable
of contributing to your strategy,
providing continuing guidance,
tailoring the ideal solution and
bringing ideas to the table.”
pg 10

12. Get a FREE consultation TODAY:
866.473.2510 | Peak10.com
Contact us about your RFP requirements