Picture credit: iStockPhoto
Ten days ago I hosted a seminar on cloud security at the Public Sector Enterprise ICT conference in London. In a show of hands at the start of the discussion, the forty or so attendees were unanimous in their agreement that the issue of security is one of the most important considerations in the journey to the cloud.
Joining me on the panel was Tony Richards, the head of security at G-Cloud and Ian Gale from Bristol City Council. The panel had some great advice about how to overcome common security concerns. Here is a summary of what they think organisations can do:
- Build your knowledge: The Government’s policy around data and IT security has shifted considerably in the past few months. The objective is to reduce the amount of non-sensitive data which is unnecessarily over-protected and ensure that the most sensitive data is dealt with in the right way. It is essential that IT leads have a good understanding of these changes in order to shape conversations about security requirements with business managers. The guidance from the Cabinet Office is written for a non-technical audience and is a great tool for helping colleagues understand where they need to change their thinking.
- Be a smart buyer: The release of G-Cloud 6 puts the onus on organisations to assess their security needs in order to source the right solution. This means buyers need to do the right upfront work as part of the procurement process. The first step is to understand how the security assessment process works on G-Cloud. The digital market place blog has guidance on this along with regular updates to any changes. A second area where organisations can prepare is by assessing whether they need to compliment their in-house skills to map out their security requirements and align them to the security principles.
- Bust the ‘in-house is best’ myth: One critical area to tackle according to Bristol City Council’s Ian Gale is the perception that in-house solutions are more secure because they are controlled by the organisation. Ian pointed out it is in fact often the opposite – a supplier will invest a lot more in security than a council ever could. As G-Cloud’s Tony Richards pointed out, 60% of security breaches are internal, so working with a cloud based IT supplier shouldn’t represent additional risk.
- Prioritise the quick wins: The last piece of advice addresses the issue of gaining confidence that cloud security can work for your organisation. Recognise that moving to the cloud isn’t a ‘big-bang’ change. It needs to be gradual migration based on the business priorities. Pick what you want to migrate, do it well and build confidence.
We’ll be looking at this issue in more depth in the coming weeks through a survey with local government and central government IT leads. If you’d like to be involved in the research, please drop me a line: ivan.harris@eduserv.org.uk.