How many people does it take to make the cloud safe?
A panel of experts discuss the roles and functions needed to provide governance and security over enterprise cloud use
You need a range of skills rather than a specific number of people in order to provide a solid security and governance stance around enterprise cloud use.
That's the opinion of a panel of experts, speaking at a recent Computing IT Leaders Forum event.
During the event, a question came from an audience member, who stated that when starting up a new company, security is always top of mind. He went on to ask about the size of team needed to provide all the different assurances needed to secure business cloud use.
"What size of team do you need to put in place when you have say 2,000 users, across three or four different CRM platforms? What's needed to run vendor relationship, certification, privilege assessment, training and everything else? This is something I think most organisations would like to know," said the audience member.
Steve Williamson, director, IT governance, risk & compliance at pharmaceutical firm GSK, said that it's about the range of skills required, rather than a specific number of people.
"You need procurement, contracts, legal, security and others all doing assessments, and you need ongoing monitoring," Williamson responded. "If the applications you're looking at were on your premises you'd be doing all these things anyway, so it's not extra work. And it's really not a high workload overall. You need a quarter of a person to manage ongoing access, another quarter to produce security logs and do configurations.
"But it is hard for an SME," Williamson conceded. "Take security operations: you'd never set up a 24x7 operations centre, you'd outsource it. So you need to build the right skills and build some capability in house," he argued.
Terry Willis, Head of Information Systems at Age UK agreed, stating the workload doesn't necessarily need to be high.
"It can be fairly lightweight. Our CRM audience is about 2.5 million people. You start out with security by design, so you decide who needs what parts, you do user acceptance testing, then once it's in production it's about monitoring, and privilege access management and control.
"In many ways all these things are easier in the cloud. A large amount of our estate is in AWS. We use AWS CloudTrail [a governance, compliance, operational auditing, and risk auditing service], and put it all in S3 instances, then we're continually logging what we do, so if something goes wrong we can check that audit trail.
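Willis describes shipping CloudTrail records into S3 and going back to the trail when something goes wrong. As an added example (not code from the panel, from Age UK or from AWS), here is a small Python reader for the JSON shape CloudTrail delivers to S3 that counts events per calling identity and picks out the records an auditor would review first: IAM privilege changes, use of the root account and failed console logins. The sample records and the account id 111122223333 are constructed, and the list of privilege-changing event names is an assumption of this example, not an AWS-defined set.

```python
"""Read CloudTrail log records (the {"Records": [...]} JSON that CloudTrail
delivers to S3) and summarise them for an audit review.
Added example; the records below are constructed, not real logs."""
import json
from collections import Counter

# Event names that change who can do what. This set is an assumption of the
# example: extend it to match the IAM actions your organisation reviews.
PRIVILEGE_EVENTS = {
    "AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy",
    "CreateAccessKey", "AddUserToGroup", "UpdateAssumeRolePolicy",
}

# Constructed sample in CloudTrail's delivered-file shape.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-15T09:02:11Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-01-15T09:05:40Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-15T09:07:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/carol"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-01-15T09:09:55Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dave"},
     "sourceIPAddress": "192.0.2.44",
     "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "Failed authentication"},
]})


def load_records(raw: str) -> list:
    """Parse one delivered CloudTrail file (already decompressed) into records."""
    return json.loads(raw).get("Records", [])


def events_by_actor(records) -> dict:
    """Count events per calling identity: the 'who did what' view."""
    counts = Counter()
    for r in records:
        counts[r.get("userIdentity", {}).get("arn", "<unknown>")] += 1
    return dict(counts)


def findings(records) -> list:
    """Return (eventTime, eventName, actor, reason) tuples for the records an
    auditor should look at first: privilege changes, root use, failed logins."""
    out = []
    for r in records:
        ident = r.get("userIdentity", {})
        actor = ident.get("arn", "<unknown>")
        name = r.get("eventName", "")
        failed_login = (name == "ConsoleLogin" and
                        r.get("responseElements", {}).get("ConsoleLogin") == "Failure")
        if name in PRIVILEGE_EVENTS:
            out.append((r["eventTime"], name, actor, "privilege change"))
        elif ident.get("type") == "Root":
            out.append((r["eventTime"], name, actor, "root account used"))
        elif failed_login:
            out.append((r["eventTime"], name, actor, "failed console login"))
    return out


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for actor, n in events_by_actor(recs).items():
        print(f"{n:3d}  {actor}")
    for f in findings(recs):
        print(" | ".join(f))
```

CloudTrail writes each file to the S3 bucket gzip-compressed, so a reader pulling real files would decompress the object body before handing the text to `load_records`; the rest of the review logic is unchanged. Keeping the privilege event list explicit makes the "who was granted what" part of the review easy to adjust as the organisation's IAM practices change.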
"It's like a house," Williamson continued. "You know you want electrics and plumbing, then you build it and it's just maintenance. You don't need a permanent plumber and electrician on site, you bring them in once it goes wrong."
Willis also explained that the fact that your data resides in the cloud does not take away your responsibility to manage and govern it.