Melbourne Uni CSO's three rules to managing cloud security: assess, assess, assess

Well-established cloud customers may have a reasonably good understanding of the risks and procedures necessary to make the most of the model, but new entrants will face a steep learning curve that requires ongoing involvement with the business organisation to resolve, the University of Melbourne's IT security and risk management head has warned.

Speaking at the recent CSO Perspectives Roadshow, IT security and risk manager Wayne Tufek said when some business groups within the university first approached him a year ago about moving some core services to the cloud, he had to move quickly to evaluate the full spectrum of the risk it presented – and to enlist the support of business owners to make it happen smoothly.

“Understand the business, and exactly what the business is trying to do and why,” he said. “Consider the business value of the process versus the importance of the information. If the value of the information is high, and the value of the business process is high, you should give serious consideration to the risk.”

A critical part of the cloud migration, he said, was building up a team of contacts across the organisation. The crucial first step was to identify the person who owns the data: “if you don't have the concept of the data owner in your organisation, now's the time to start putting that into action,” he explained. “The data owner is someone who's not in IT – but often these people, if they're too busy or not interested, they delegate someone so they can get rid of their accountability.”

Other key cloud-migration team members included the IT department; a project team; the legal department, who have an important role to play in negotiating contracts; the organisation's vendor management team; and the cloud service provider (CSP) for the services involved.

Clarity in scope and purpose helped drive the planning of the migration, particularly in terms of the data to be migrated. Data owners need to outline the data to be moved down to the field level, with Tufek using a spreadsheet to outline exactly what information was to be moved.

Accuracy is critical at this stage, since data definitions inform the contract process. When the data owner decided at the last minute to add another data field to the definition, he said, “it did put a bit of a spanner in the works. We had to go back and do the whole thing again.”

Other important risk-management questions may not come immediately to mind. These include assessing the CSP's business continuity plans; compatibility in their interfaces to ensure smooth flow of data; clarification of their maintenance processes; plans for managing development and test environments; and even whether the proposed business process needs to change.

It had been a learning process throughout the migration, Tufek said, with compromise important all around.

“I've had to come up with a bit of a process,” Tufek said. “It's through trial and error, and occasionally I've made mistakes along the way. But the process actually works by building a little bit more of the understanding of the risk, then making a decision and coming back to it. Evaluate the CSP, and assess the risk. Negotiate the contract, assess the risk – and then continually monitor and assess the risk once the contract is in place.”

Because the desired outcomes of the cloud migration were identified early on, deviations from those outcomes could be quickly spotted and dealt with.

“There was one instance of moving to the cloud where the vendor didn't have the right controls in place,” he said. “However, we were able to modify the business process and still use their system, whilst keeping the data in our data centre. We wouldn't have been able to provide that, which the business was happy with, without understanding the business processes and what the steps of the process were.”

Compliance with information-security guidelines – for example, the evolving ISO 27017 and ISO 27018 cloud-security standards and the SSAE-16 Service Organization Control-2 (SOC-2) reporting standard – is also important in evaluating the risk of a CSP and their compliance with data-protection and privacy guidelines.

“You want to assess the CSP, go talk to them, ask questions, review the documentation onsite, talk to people, and so on,” Tufek advised. “You can always list controls and processes, and include them as an addendum to the contract. Include regular and formal third-party assessments, access to the particular documents that accompany assessments and reviews, and even options such as regular vulnerability testing.”

Business-continuity objectives were also critical to clarify up front, with contractually defined recovery time objective (RTO) and recovery point objective (RPO) targets necessary to ensure rapid response in the event of failure. Ditto a long enough termination period – 30 days is not long enough, Tufek warned – as well as addressing liability limits, defining when downtime calculations begin, and settling how issues such as the secure deletion of data and the customer's right to audit it are handled.

Ultimately, despite the technological advancements that the CSO can bring to bear in cloud engagements, the business managers will play a critical role in keeping cloud services aligned with business objectives. Yet despite the diversity of often conflicting IT interests within as varied a community as a large university, Tufek said that building a culture of engagement had allowed for productive and meaningful collaboration with the business people.

“Some of the university faculties or business units have their own budget and IT groups, and basically do whatever they like,” he said. “There are some governance issues there in terms of making sure everyone is moving in the right direction – but where the central IT department does find out, we go speak with the data owner about the different types of risks.”

“It's pretty easy when you're working with astute people who will work with you to mitigate those risks,” he continued. “They'll help you to work with them so you can make the risk management decisions. It's more about education, and making them aware of what those risks are in the first place.”


Stories by David Braue
