Protecting Information in the Cloud
Insurance Networking News, January 2, 2013
To complicate things further, the maturity of technological and organizational solutions varies by deployment type and by application, vendor, and specific configuration.
Pursue a Mixed-Cloud Strategy
Different workloads and data sets have vastly different stakes when it comes to data protection, depending on the nature of the application and which phase of the software life cycle it supports—for instance, development and test versus live production. The public cloud can be a good option for developing and testing software, since this usually does not involve sensitive data. Any workload that includes personally identifiable customer information will require careful consideration before it can be hosted in a public-cloud environment. Control of data access is also important in order to protect confidential business information and intellectual property. Essentially, any data that has business value or is covered by regulation needs appropriate management and protection.
In addition, benefits from cloud migration can vary widely by workload. For example, consumer-commerce sites, where capacity demand spikes during major promotions or at certain times of the year, will benefit from taking advantage of the variable pricing available through highly scalable public clouds.
Sophisticated IT shops are developing tools to map workloads to cloud-based hosting options using criteria like mission criticality, sensitivity of data, migration complexity, and peak processing requirements. This will make it possible for IT staff to pursue a mixed-cloud strategy and drive workloads to the hosting options that best balance risk and economic value.
Implement a Business-focused Approach
Organizations that have mature risk-management functions—for example, large companies in heavily regulated industries such as banking—should establish a comprehensive risk-management approach for cloud computing that extends beyond technology solutions and the IT department. Design and implementation should cover the policies, skills, capabilities, and mind-sets required of the IT and risk-management organizations, as well as the operating units. The risk-management methodology should address several elements, including transparency, risk appetite and strategy, risk-enabled business processes and decisions, risk organization and governance, and risk culture.
Transparency about the risks of breaches of confidential business information, intellectual property, and regulated information is essential to protecting sensitive data. Fortunately, centralized cloud platforms and expanded operational data available from these platforms allow managers to assess risks, discover breaches, design guidelines based on trade-offs between risk and value, and in many cases automate the enforcement of these guidelines.
To a large extent, the rules for the data that certain groups of employees are authorized to access and the data that must remain in the private cloud can be enforced by the cloud platform itself. Data on the company’s quarterly financial results, for instance, can be automatically blocked from leaving the secure environment of its private cloud until results have been officially released.
For organizations engaged in wholesale cloud migrations, roles and responsibilities will require significant changes—moving from specialized roles, such as server or network managers, to broader roles for integrated service managers. These service managers will be well positioned to steward business risks because their perspective is more comprehensive than that of specialized managers, for example, when making judgments on when to use private- or public-cloud resources.