Cloud computing security requires business engagement and support

As Georgia's chief information Security Officer (CISOs), Mark Reardon has always been dedicated to http://www.aliyun.com/zixun/aggregation/13634.html "> Cloud security." His job is to analyze and balance the needs of state officials and citizens. Given these factors, it is easy to imagine that "veto" is his common word.

On the contrary, Reardon has never seen himself as a role in technology reform that hinders cloud computing. He believes he is making sure these technological changes are safer. Today we are talking mainly about how the Georgia state, especially the state-led executive, uses cloud computing to reduce risk.

Searchcio.com: Can you talk about how you use cloud technology?

Reardon: We are going to migrate the information sites that are public to the cloud. I need this information to be accurate, but obviously they do not cause any loss of property, not life or death. If the site crashes, it's embarrassing for us. We want to avoid this result, but we need to consider costs when we invest.

If we can reduce the cost of input to these less-affected systems-the impact here is low, when security issues arise, such as the impact of confidential information, data integrity or damage to the availability of data-we can invest money in the protection of information that can cause significant financial impact or harm personal interests.

As a government agency, we use software as a service strategy (SaaS) for continuous business planning. Whatever happens, state governments need to ensure that key functions are run. These are currently hosted by external vendors. If necessary, government departments can log in to the host to implement the plan. If there is an outage in the data center, we cannot provide the service to our citizens is very serious. So we use SaaS to help us cope with these situations. Also, it is cost-effective to run certain applications with SaaS. The supplier will support system upgrades and repairs, we only need to log in to use.

What are some of the factors that help you make decisions about cloud computing security?

Reardon: Before making a decision, we will make reference to the risk management Framework-risk Management Framework as proposed in the Federal Information Security Management guidelines promulgated by the Institute of National Standards and technology. Operating any computing system is risky. And even if you don't, business people need to see this impact as part of the risk of delivering a service. If you put cloud computing in this big context, you can start making choices based on your needs and budget.

Back to operational sustainability: We used to manage software ourselves, but later found that introducing outsourced services would reduce costs. At the same time, different parts of the state Government can share the software, and the benefits are many. Then I will check what information, if disclosed, is there any risk of information being leaked to the outlaws? The answer is no. It is only when the system is destroyed that we are confronted with an extreme situation where the negative effects will appear. We need to analyze and measure all the different risks and decide what risks we are willing to accept.

How do you get business people involved in cloud computing security and other risk management decisions?

Reardon: This is a cliché topic, but it's rarely done: what if it is managed? In my management and Planning Department, we strive to involve stakeholders in the business sector in making decisions together. It's Georgia--but it's not always the same, with the experience I've worked in. In some places security decisions are made by the responsible security commissioners who say "no, we don't use cloud technology" and the business side can only obey. I have also encountered business parties that do not care about security factors, and they only ask the security Commissioner to "Make sure these are safe". Both of these situations are not good because, in fact, security considerations must be taken into account before making a decision.

Our idea is that the main part of security is information risk management, which needs to be taken into account when considering other risks, and secondly to meet needs. This is different, they have a lot of relevant information, but they are managed in different ways.

The next thing to do is manage the remaining risks and decisions, do I need to eliminate risk, reduce risk, or accept risk? Can I pass the risk by signing a contract with a supplier or buying insurance? These are the business decisions we need to make when we choose cloud computing. If I do not dare to decide on these issues, we will not be able to use cloud technology. This is the business decision we need to make, for example, because business needs are met and we analyze it from a risk perspective.

Are there certain problems that cause cloud computing to be so risky that you dare not touch it?

Reardon: The answer is no. We will make a decision based on the information available and the protection provided by the cloud technology provider, but not for long. I have worked in the computer industry for 34 years and vaguely remember the first phase of my PC, my computer's memory is only 1k or less. If you work in the computer industry, change is always there.

As a State security officer, my job is not to exclude the future, but to help the government make full information decisions about the risk of information. My job is to make a potential analysis of all aspects of mobile phones from the workplace to outsourced services and to provide appropriate advice to decision makers.

TechTarget Chinese original content, original link: http://www.searchcio.com.cn/showcontent_64068.htm

(Responsible editor: Lu Guang)