5 Things you should Know About Multi-Cloud Security

James Barnebee, CEO at Artificial Intelligence Made Easy


1) GLOBAL SECURITY COMPLIANCE IMPACTS THE BOTTOM LINE

SECURITY FAILURES COST MILLIONS OF DOLLARS.

In the news every day, there are stories of companies being subject to Ransomware or fined for violating privacy standards.

Cybercrime will cost the world $10.5 trillion this year. (Morgan)

For a data breach, the largest corporate fine (as of Aug 2021) was $4.2 million. (Authors)

(Zorz)

Because most modern applications are distributed, many types of vulnerabilities can arise, and they can be found anywhere: not only in the networking, infrastructure, and application layers, but also in the physical plant, telecommunications, human engineering and the like.

Regular testing of all types is a good idea. While this article deals with technology architecture issues, other security aspects should not be ignored.

2) GENERAL ARCHITECTURE PRINCIPLES

A general architecture that deals with security concerns should be mapped to security controls in all parts of the enterprise: Business Operations and Support, IT Operations and Support, Technology Solutions and Services, and Security and Risk Management. Within each of these areas, specific controls will need to be created to ensure compliance.

(“Enterprise Architecture Working Group | CSA”)

Because security constraints cover every part of the enterprise, upper management advocacy is necessary; many security efforts fail for lack of stakeholder sponsorship. The C-suite (and preferably the company's Data Protection Officer (DPO) and Certified Information Systems Security Officer (CISSO) as well) should be aware of the controls and the audit status of the entire enterprise.

3) GDPR, PCI, PII AND OTHER SECURITY REQUIREMENTS

There are a plethora of different security strictures (techtarget) to be aware of when working in an international environment. There are also ongoing efforts (Giannopoulou and Wang) in various organizations to provide more universal security standards across the world.

In the current environment, the best practice is to design infrastructure that complies with the requirements of all the countries in scope. For example, the EU has the General Data Protection Regulation. Be aware that there are many conditions on the implementation of these regulations (secondary usage, data protection agreements, etc.) that have to be taken into account.

WHAT IS THE GENERAL DATA PROTECTION REGULATION (GDPR)?

A more precise definition of the terms can be found in the relevant security requirements, but to provide context, the GDPR text (“GDPR Archives - GDPR.eu”) gives as one lawful basis for processing: “Processing is necessary to execute or to prepare to enter into a contract to which the data subject is a party (e.g., you need to do a background check before leasing property to a prospective tenant).” (Wolford)

WHAT ARE PII AND PCI?

Personally Identifiable Information (PII) is a term for data that can be used to single out a specific individual. Either a single piece of information or multiple pieces that can be combined to identify a specific person qualifies. The US Department of Homeland Security defines PII as “any information that permits the identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual.” (“What is Personally Identifiable Information?”)

PII security is not just good practice. In some jurisdictions a violation can cost a company “up to €20 million, or up to 4 percent of the annual worldwide turnover of the preceding financial year, whichever is greater.” (“GDPR fines and notices”)

The Payment Card Industry Data Security Standard (PCI DSS) is defined by the US Department of Homeland Security as “security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment.”

Failure to implement proper PCI security can cost a company up to $500,000 per incident. (“PCI-DSS: Security - Penalties”)

4) WHAT ABOUT HARDENED ENVIRONMENTS LIKE GOVERNMENTS USE?

For systems that need a more stringent security environment, there are complex security requirements you must meet before you can begin processing. For example, the FedRAMP security baseline requires a host of very specific controls across the enterprise. (“FedRAMP Security Controls Baseline document”)

These security constraints can be built into the cloud provider's platform (Google Cloud, for example); the provider's controls then need to be mapped to the company's own environment and data needs. (“Google Cloud FedRAMP implementation guide | Cloud Architecture Center”)

5) HOW DOES A COMPANY ADOPT THESE POLICIES?

The company should get a security audit from a firm that can provide documentation of compliance with the required standards. Assuming the audit finds vulnerabilities, the analysis and remediation planning are done by the security department. Once all remediations have been completed, certification and continued compliance monitoring will provide valuable insight into any security vulnerabilities that might arise.
