Regulation - and not just the GDPR - will soon add an extra dimension to organisations' security planning
New threats arise every day, from new malware, newly discovered security flaws, new exploits and new attackers. Businesses have no control over this threat landscape, but they do have control over their own networks and systems. If risk scores are calculated from threat, vulnerability and impact, then the vulnerability term is the one organisations can actually drive down, so they must address all vulnerabilities, both technical and human.
The lack of control over cloud systems has always been a cause for concern. It is not that cloud computing is inherently less secure, but that the customer's IT team has far less visibility of, and far less ability to remediate, the vulnerabilities in a platform it does not operate. That makes security-minded individuals - who instinctively dislike having to trust third parties - uncomfortable.
Security was traditionally the main barrier to cloud adoption, and it remains a common one today. Recently, the focus has turned to legislation. Namely, how can organisations be sure they are compliant with the GDPR?
This regulation will add another dimension to organisations' security planning: the possibility of huge penalties for non-compliance.
On top of this, there are big questions over the extent of organisations' responsibility for personal data and for their applications running in the cloud - even where third parties are contractually supposed to be responsible for security.
The GDPR applies from May 2018, with full compliance expected from day one, so there is not much time left to prepare.
There are other issues coming down the line too, adding to the urgency.
The first is Privacy Shield, the much-debated replacement for the Safe Harbour agreement, which covered the transfer of personal data from the EU to the US until it was ruled invalid by the European Court of Justice.
For many campaigners, Privacy Shield is little better than Safe Harbour, and it is already coming under renewed legal attack. The same is true of alternative data transfer mechanisms, such as Model Clauses.
There is also the ePrivacy Regulation (applicable in the same form across the EU), which will cover telecoms and OTT or over-the-top services - internet TV, voice-over-IP and video conferencing. And soon there may be new laws governing cookies (not a moment too soon) and further data protection legislation.
So, in addition to the cloud being somewhat opaque when it comes to managing risk, organisations face a tidal wave of complex, incoming regulations.
Clearly, they must make sure their risk management strategy is both robust enough and flexible enough to ride the waves. A key part in this risk management strategy is the choice of cloud service provider. How can the risks associated with cloud services be quantified?
There are various boxes that need to be ticked as a matter of course. Is the provider certified against ISO 27018, the code of practice for protecting personally identifiable information (PII) in the cloud? Where are the data centres located? Can it guarantee that data will be covered by appropriate controls, and that it is encrypted in transit and at rest? How are encryption keys generated, stored and rotated, and who - the provider or the customer - holds them? And does the provider have a plan for the event that Privacy Shield is struck down or replaced?
In other words, will this provider supply a stable platform for your business over the next few years, and is it fully cognizant of all the regulation coming your way and theirs?
Computing's IT Leaders' Forum on 28th February will focus on Getting Ready for the GDPR.
This will examine the forthcoming legislation, and ask how IT leaders can apportion a risk score to their systems, particularly cloud services.
We will discuss the actions they can take to ensure their risk profile is commensurate to their risk appetite, and how to fix vulnerabilities when they are identified to ensure that risk remains as low as possible.
Attendance is free to qualifying CIOs, IT directors, IT managers and senior IT professionals. To examine the agenda and to register, please check out Computing's IT Leaders Forum website.