Protecting information in the cloud
The graphic is about securing data in the cloud, taking us into the realm of cloud computing and Internet security.
At the end of my previous blog item, I mentioned that I'd be looking for situations where tightening security by adding additional controls is not necessarily the best approach, and sure enough here's one.
Putting corporate and personal data into the cloud involves a significant increase in some information risks, compared to keeping everything in-house.
Strong encryption of both data communications and storage is a substantial and obvious control - necessary but not sufficient to mitigate the cloud risks entirely. Many other information security controls can be applied to reduce the risks further. However, every additional control adds to the cost, so the total keeps climbing.
Extremely risk-averse organizations may take the position that cloud computing is simply too risky, even with strong controls in place, so they partially or wholly avoid it ... which also means forgoing the benefits, including significant business and information security benefits (such as the highly resilient and flexible cloud infrastructure, supporting business continuity plus proactive capacity and performance management).
OK, so that's a situation we might explore for the "Protecting information" awareness module, but it's quite complex as described. We need to find a simpler, more straightforward way to express it - my task for today.