Businesses concerned about the security of cloud-computing systems should appoint a 'cloud purchasing czar' whose sole responsibility is to evaluate cloud service providers (CSPs) and manage their interactions between business and IT executives, a leading security consultant has advised.
Speaking at the recent CSO Perspectives Roadshow, BRM Holdich director of information security and IT assurance Jo Stewart-Rattray said the czar model – promoted by the likes of Gartner analyst Daryl Plummer – offers the important ability to bring order to what is often a chaotic process of cloud-system purchasing and deployment.
“The czar is an independent arbiter who receives cloud purchase requests, gathers intelligence as to what the business might need,” she explained, “and then presents back to the IT leaders what the business users need – and any pitfalls there might be. They then allow the business to make the decisions.”
Empowering the business in a structured way is critical to ensure that credit card-wielding employees don't compromise information security controls by simply running up their own cloud-based services without central control or recourse. Such 'shadow IT' remains a major problem for organisations working to come to grips with the implications of cloud models.
Because the czar maintains relationships across the business, they also have the important role of being able to identify potential savings and “establishing that discussion with Finance,” Stewart-Rattray said, noting that the czar would be a specialised assistant to existing CIOs.
“Ultimately, CIOs sign off on it,” she said. “All you're doing is giving the task to someone to go out and do the legwork for you. If [I were a CIO and] someone did cloud without my knowledge, I would be miffed to the nth degree – but if they did it with my involvement, I would be chuffed that there was a specialist to go out and present those options for me. I could then go and present those options to my fellow members on the executive, and with hand on heart be able to say 'this is independent advice'.”
Stewart-Rattray, whose other advice around cloud security included paying extra attention to contract conditions for storing and managing data, noted that a cloud purchasing czar would also offer value in addressing security requirements around telecommunications and cloud services.
By working with potential CSPs and third-party cloud-services brokers at an early stage, the czar would be able to maintain a level of assurance around potential providers of telecommunications services, ensuring that they can deliver an end-to-end security infrastructure.
“There are organisations becoming cloud services brokers who look at these issues from end to end, and this is the sort of person that your cloud purchasing czar would hook into,” she said.
“They could have that sort of discussion and investigation to see that it's going to be as secure as possible from end to end, and that it meets your requirements from end to end. Due diligence is absolutely key, as it always has been, in the selection of service providers.”