Understand the ability to sell cloud security to your leadership by making a business case.
- [Instructor] Let's first talk about the business case for cloud security. This is about data that's managed and stored in the cloud, and our ability to protect the data against outside threats, such as viruses, malware, interception, theft, hardware or software failure, all sorts of things that kind of come into the mix. Security is about risk. It is about dealing with the probabilities that your data will be compromised. It can be compromised through accidental deletion.
It can be compromised by theft. It can be compromised by privacy issues. It can be compromised by compliance issues. Talking about privacy, this is really important with cloud-based systems. We need to figure out what data is being stored, and what kind of privacy policies, restrictions, and legal issues we have to deal with for data that exists in the cloud. So, asking questions like, will the data handled by a proposed cloud solution be protected against intrusions on privacy? And we've seen these things in the paper before, where customer information was compromised, credit card information was compromised, and even healthcare information was compromised.
Awfully scary thoughts. So, there could be a third-party government request for a cloud provider to hand over customer information at some period of time. Also, legal issues, compliance issues, the ability to kind of live up to restrictions and laws, such as PII, personally identifiable information, utilization of HIPAA laws, and utilization of PCI for credit cards. Another business case is efficiency. Will the protections placed on the data in the cloud enable the cloud application to function as intended without added latency or disruption? So, ultimately, we secure things in the cloud through identity and access management, through encryption services, through protected keys, and through other mechanisms that allow us to ensure that people can't access the data unless they're authorized to do so.
However, we need to do so efficiently. We need to be able to provide access to information that exists in the cloud without the security mechanisms causing a lot of latency. It's a fundamental trade-off in security: if we leverage something like advanced encryption, identity and access management, logging, and other things that really kind of steal performance away from the existing application, and if we turn on every security service there is in the cloud, we may be compromising performance, and therefore, the users will complain.
However, if we don't turn on enough services, then we're putting our data at risk, for hacks, for theft, for privacy issues. So, that's the trade-off, and that's what you need to consider when you consider costs. Data loss is a scary thing, because businesses really run on their information. So, will the data used by the proposed cloud solution be backed up and recoverable in the event of a natural disaster or other service interruptions or disruptions? This is BCDR, business continuity and disaster recovery.
This is the ability to set up systems to ensure that if all else fails, if the data center goes away, if our machine instances go away, we have the ability to fail over to another system, to fail over to another copy of the data, which is consistent and up to date. This means that we'll basically stop our businesses from being interrupted. So even if the information is compromised, even if the information is destroyed, whether it's through security issues, natural disasters, things like that, there's a huge cost in getting that information system back, and we're trying to mitigate that risk by setting up active-active redundant systems, perhaps syncing your information with other cloud brands, such as using Amazon Web Services as your primary and using Microsoft as your secondary.
Anyway, there's a huge amount of cost that goes into setting up these systems, but there's a huge amount of savings that we get out of it, if, indeed, we need it. Now, compliance. Will the organization using the proposed cloud solution be compliant with the laws and regulations? Things like data privacy issues, HIPAA, which deals with PII, personally identifiable information, healthcare data, financial data, things like that. And it's different from country to country, state to state, and you need to be aware of your own laws that really go to regulating your information in your particular jurisdiction.
This is about understanding more than anything else. We're able to put in compliance processes, compliance mechanisms, that allow us to, in essence, deal with legal issues around data protection. And if these aren't followed, there can be huge fines, there could be PR disasters, and there can be other things that would have a negative effect on the revenue of the company, and therefore, that's cost. So this is about mitigating the risk of running afoul of compliance, and the response that you'll get from the regulatory agencies, as well as the response that you'll get from the public.