Cloud security: How CIOs deal with the risks

A panel of CIOs at a recent Computing event discuss their strategies for mitigating risks to their data in the cloud

Organisations are still responsible for their data even when it is stored in the cloud by a trusted supplier. A panel of CIOs at a recent Computing event discusses their strategies for mitigating risks to their corporate data whilst using the cloud.

Terry Willis, Head of Information Systems at Age UK, started by outlining that responsibility isn't diminished by an organisation's use of the cloud.

"The fact that your data now sits in someone else's data centre doesn't take away from your responsibility to control who accesses it," said Willis. "So we use two-factor authentication, and we make our security tools easy to use, which helps with adoption," he added.

Nico Fischbach, CTO Cloud at Forcepoint, emphasised that organisations must keep track of who accesses data.

"Identity and access management [I&AM] is critical, and making sure you know who's using resources is key," said Fischbach. "You have to understand what people do with data. We see that when an enterprise moves to something like Salesforce.com, they find that it's huge. The back-end is massive, and lots of complex processes run in there. So you do your I&AM and you have a single sign-on process.

"That's the entrance gate, but once you're inside, you let staff access all data. So you could have someone in sales being allowed to access HR data. You want it to be frictionless, so you leave permissions wide open, so people don't all contact the helpdesk on Monday morning. We see people making the shift to Salesforce or Office 365, and the front door is managed but the inside isn't, and you need the right tooling to understand it," he argued.

Steve Williamson, director, IT governance, risk & compliance at pharmaceutical firm GSK, said that he focuses on staff, rather than on the data.

"I focus on employees, and define what tools should be used for. So you take things like Dropbox, Salesforce, Watson etc, and define what they can be used for, and what they should not be used for. Like you could say this app is not approved for storing personal information.

"I take the approach that the majority of employees want to obey the rules, but I also want to avoid unintentional breaches. So you need more effort on defining what these apps can be used for, and then you need to educate the users on that."

Dr Justice Opara-Martins, research fellow in cloud computing at Bournemouth University, agreed that education is part of the answer.

"You have your sanctioned applications, like Dropbox, but the most important thing is having set policies. You need to know who's using what file, and what sort of activities are going on. So setting up file sharing and control, and data leakage prevention policies is important. Then you have employee training, which gives users a general idea of what's going on. And it's important to set the amount of data which can be stored in sanctioned apps. Then, if an employee from a different department starts transferring private data, you'll see that, and know it's suspicious," he added.
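The two points raised above, that single sign-on guards the front door but not what staff do once inside, and that department-level policies, per-app storage caps and activity review are what make a cross-department transfer of private data stand out, can be shown in a small policy checker. The following is an added example, not code from the article or from any of the panellists' organisations; every department, app, classification, storage limit and log line in it is constructed for illustration, and the log format is an assumption.

```python
"""Added example: evaluate constructed cloud-app activity records against
department access rules, per-app approved-data rules and per-app storage caps.
All policy values and log lines are constructed for illustration."""

from dataclasses import dataclass

# Assumed policy: which data classifications each department may access.
DEPARTMENT_ACCESS = {
    "sales": {"customer", "public"},
    "hr": {"personal", "public"},
    "finance": {"financial", "public"},
}

# Assumed per-app cap (MB) on what one user may store in a sanctioned app.
APP_STORAGE_CAP_MB = {"dropbox": 500, "salesforce": 2000}

# Assumed: which classifications each sanctioned app is approved to hold
# (e.g. an app "not approved for storing personal information").
APP_APPROVED_FOR = {
    "dropbox": {"public", "customer"},
    "salesforce": {"customer", "public"},
}


@dataclass
class Event:
    user: str
    department: str
    app: str
    action: str          # "read" or "upload"
    classification: str  # data class of the file touched
    size_mb: int         # bytes moved for uploads; 0 for reads


def parse_event(line):
    """Parse one constructed log line: user,department,app,action,classification,size_mb."""
    user, dept, app, action, cls, size = [f.strip() for f in line.split(",")]
    return Event(user, dept, app, action, cls, int(size))


def evaluate(events):
    """Return (user, reason) findings, tracking per-user, per-app upload totals."""
    findings = []
    stored = {}  # (user, app) -> MB uploaded so far
    for ev in events:
        # Inside the front door: does this department have any business with this data class?
        allowed = DEPARTMENT_ACCESS.get(ev.department, set())
        if ev.classification not in allowed:
            findings.append((ev.user, f"{ev.department} user touched {ev.classification} data in {ev.app}"))
        if ev.action == "upload":
            # Is the app approved for this kind of data at all?
            if ev.classification not in APP_APPROVED_FOR.get(ev.app, set()):
                findings.append((ev.user, f"{ev.app} not approved for {ev.classification} data"))
            # Has this user exceeded the amount they may keep in the app?
            key = (ev.user, ev.app)
            stored[key] = stored.get(key, 0) + ev.size_mb
            cap = APP_STORAGE_CAP_MB.get(ev.app)
            if cap is not None and stored[key] > cap:
                findings.append((ev.user, f"{ev.app} storage {stored[key]} MB exceeds cap {cap} MB"))
    return findings


# Constructed sample activity; none of these users or events are real.
SAMPLE_LOG = """\
alice,sales,salesforce,read,customer,0
alice,sales,salesforce,read,personal,0
bob,hr,dropbox,upload,personal,50
carol,finance,dropbox,upload,public,300
carol,finance,dropbox,upload,public,300
"""


def run_sample():
    """Evaluate the constructed log and return the findings it produces."""
    return evaluate(parse_event(l) for l in SAMPLE_LOG.splitlines() if l.strip())


if __name__ == "__main__":
    for user, reason in run_sample():
        print(f"{user}: {reason}")
```

On the constructed log this flags a sales user reading personal (HR) data despite having signed on legitimately, an upload of personal data to an app not approved for it, and a user whose cumulative uploads pass the storage cap; the first of these is exactly the case that a front-door-only control would never see.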