Makarand Sawant - General Manager - IT Facilities - Deepak Fertilisers & Petrochemicals Corporation Ltd

CIO City >> Enterprise Security yearbook 2013 >> Insights Profile >>

Building Great IT Infrastructures To Regulate Risks By:- Makarand Sawant

"Providers are becoming more willing to accommodate privacy regulations through contractual commitments"

Use And Implementation Of Cloud In Business

Cloud for our business means an IT platform which offers quick availability of solutions in a cost-effective and flexible manner. Key security challenges to be considered while implementing cloud are:

• Privacy - Regulations on the treatment of personal information vary across the globe and a growing number of countries place restrictions on whether it can be stored outside of the country. It is difficult or impossible for a cloud service to provide a single level of service that is acceptable in every jurisdiction. Providers are becoming more willing to accommodate privacy regulations through contractual commitments to store data within specific countries, although this is difficult to verify.
• Jurisdiction - National and state regulatory implications extend beyond privacy considerations. • Data Retention - If business records must be archived for legal purposes, then any associated cloud-based activity must also offer a form of archiving that is verifiably robust in the storage and retrieval of data. High-end e-mail products often support such requirements, but most other cloud offerings do not.
• Process Verification - Process verification through SAS70 and other auditing standard.
• Multi-tenancy - Multi-tenancy resulting from shared use of a device can expose all tenants to a greater level of external risk due to the business practices of any tenant.
• Share Risk - In this type of multi-tier service provider arrangement, each party shares the risk of security issues because the risk potentially impacts all parties at all layers. The identification of all parties involved in providing a cloud solution is a critical factor in a total risk mitigation plan.
• Distributed Data Centers - A cloud computing environment should be less prone to disasters because providers can provide an environment that is geographically distributed.
• Physical Security - Physical external threats should be analyzed carefully when choosing a cloud security provider.
• Coding - In-house software may contain application bugs.
• Data Leakage - Data leakage has become one of the greatest organizational risks from a security standpoint. A yearly risk assessment just on the data in question should be done to make sure the mitigations meet the needs.
• Coming Regulations - Looking forward, new regulations and case law that will affect how records are kept and managed are on the horizon.
• Cloud Applications - Accessing cloud technologies requires a thin-client. The world’s most commonly used thin-client for this purpose is a web browser. This means the vast majority of all applications on the Internet have some kind of web or application server on which the business logic is implemented.
• Capable IT Staffing Challenges – IT staff has to be highly trained on the new technologies that are implemented on cloud.