Sunday, 10 July 2011

A new approach...

It's been a good while since my last post. I've started a new job; for the first time in a long time I'm in the private sector, and I've been dedicating my efforts to getting up to speed and changing my mindset to address the security issues of an entirely new way of thinking and working.

I've still got plenty to comment on concerning the state of information security within the public sector and its controlling bodies; more on that to come...

Back to my new role. The company I'm now working for is investigating the possibility of utilising cloud resources. Coming from the environment that I have, my immediate reaction was to balk at the prospect, but, following the practices I have learnt over the years, I applied a suitable risk calculation to the whole idea, and it all boils down to whether you feel you can trust your cloud service provider. The benefits are immense: we are considering outsourcing our email to a cloud service, which dramatically reduces the cost of the current clustered Microsoft Exchange environment and increases availability over what is currently achieved via the in-house solution. The ability to scale up (or down) at very short notice delivers considerably more flexibility than is currently possible.

Granted, there are additional requirements on the company to ensure the confidentiality of information. For cloud services it will be imperative to implement two-factor authentication, along with all the headaches and potential pitfalls (Re: RSA) that come with it.

The move to cloud services is now primarily seen as a change management project. User acceptance may not be as high as could be hoped, most likely because of the loss of Microsoft Outlook, and managing the perceived loss will be a primary consideration.

As I alluded to before, the issue of trust in a service provider is the stumbling block. As we meet the various service providers concerned, they become familiar and a trust relationship is built. We want to trust them and, naturally, they want us to trust them. Alongside the new-found trust we have developed is an implied trust of ALL the employees of those companies. Some of the companies we are engaged with have an employee vetting scheme. I have been the subject of vetting and I'm not impressed. Vetting is hugely effective at weeding out potential employees who have been caught misbehaving, but fails dramatically when attempting to identify the luckier, or more efficient, dishonest employee. The issue of trust must be an informed decision and ultimately it falls upon the business to make the final call; my responsibility stops at providing full information to the board so that the decision may be an informed one.