Understand the ability to sell cloud security to your leadership by making a business case.
- [Instructor] Let's first talk about the business case for cloud security. This is about data that is managed and stored in the cloud, and our ability to protect the data against outside threats, such as viruses, malware, interception, theft, hardware, software failure, all sorts of things are gonna come into the mix. Security is about risk, it is about dealing with the probabilities that your data will be compromised. It can be compromised either through accidental deletion, it can be compromised by theft.
It can be compromised by privacy issues. It can be compromised by compliance issues. Talking about privacy. This is really important with cloud based systems. We need to figure out what data is being stored, and what kind of privacy policies and restrictions and legal issues that we have to deal with, with data that exists in the cloud. So asking questions like, will the data handled by a proposed cloud solution be protected against intrusions on privacy?
We've seen these things in the paper before where, customer information was compromised, credit card information was compromised, and even health care information was compromised. Awful scary thoughts. So there could be a third party government request for a cloud provider to hand over customer information at some period of time. Also legal issues, compliance issues, the ability to kind of live up to restrictions in laws such as PII, Personally Identifiable Information, utilization of HIPAA laws, utilization of PCI for credit card.
Another business case is efficiency. Will the protections placed on the data in the cloud enable the cloud application to function as intended without added latency or disruption? So ultimately, as we secure things in the cloud, and we do so through identity and access management through encryption services, through protected keys, through other mechanisms that allow us to ensure that people can't access the data unless they're authorized to do so. However, we need to do so efficiently.
We need to be able to provide access to information that exists in the cloud without causing a lot of latency to the security mechanisms. It's a fundamental trade off in security. If we leverage something like advanced encryption. We leverage something like identity and access management, logging, other things that really kind of steal performance away from the existing application, that if we turn on every security service there is in the cloud we may be compromising performance and therefore the users will complain.
However, if we don't turn on enough services then we're making our data at risk for hacks, for theft, for privacy issues. So that's the trade off, and that's what you need to consider when you consider cost. Data loss is a scary thing because businesses really run on their information. So will the data used by the proposed cloud solution be backed up and recoverable in the event of a natural disaster or other service interruptions, or disruptions? This is BCDR, business continuity, disaster recovery.
The ability to set up systems to ensure that if all else fails, the data center goes away, our machine instances go away, that we have the ability to fail over to another system, fail over to another copy of the data which is consistent and up to date. And this means that we'll basically stop our businesses from being interrupted so even if the information is compromised, even if the information is destroyed, whether it's through security issues, natural disasters, things like that, there's a huge cost in getting that information system back and we're trying to mitigate that risk by setting up active, active redundant based systems.
Perhaps syncing your information with other cloud brands such as if you're using Amazon Web Services as your primary, and using Microsoft as your secondary. Anyway, there's a huge amount of cost that goes into setting up these systems but there's a huge amount of savings that we get out of it if indeed we need it. Now compliance, will the organization use proposed cloud solution be compliant with laws and regulations. Things like data privacy issues, HIPAA that deals with PII information, personally identifiable information, health care data, financial data, things like that.
And it's different from country to country, state to state and you need to be aware of your own laws that really go to regulating your information in your particular jurisdiction. This is about understanding more than anything else. We're able to put in compliance processes, compliance mechanisms, that allow us to in essence deal with legal issues around data protection. And if these aren't followed, there can be huge fines, there could be PR disasters and there could be other things and be a negative effect on the revenue of the company and therefore that's cost.
So this is about mitigating the risk of running afoul of compliance and the response that you'll get from the regulatory agencies as well as the response that you'll get from the public.
- Cloud security on the infrastructure, application, and data levels
- Identity and access management
- Cloud security services: AWS, Microsoft, and third-party solutions
- Cloud encryption
- Cloud compliance services
- Planning cloud security