Due diligence key to cloud progress says security alliance

Dan Hatch News
25 Mar, 2011
Des Ward: Diligence

First meeting of CSA UK sets research agenda and urges business to understand their information

Businesses should understand the information they’re putting in the cloud and understand and manage the risks to it, rather than worry about the security of their cloud service provider, the inaugural meeting of the Cloud Security Alliance UK and Ireland was told.

Meeting at the Canary Wharf headquarters of KPMG, more than 40 people – including IT professionals, senior security officers, vendors, representatives from financial institutions, security professionals, technical officers and other cloud consumers – discussed their concerns about the cloud and considered the issues surrounding cloud security which needed more support.

CSA UK and Ireland chapter president Des Ward told those gathered he believed security "as a concept died five or six years ago" and that business and IT professionals needed to move beyond using "big walls to protect what they have".

“Now we’re moving into an era where we have to understand what the information is that we’re holding,” he said.

“The key thing is it is about understanding the risks to your information, and businesses which do not understand what the risks to their information are will actually not gain the full benefit from the cloud and will open themselves up to excessive risk.

"It’s more than just confidentiality risks, you’ve got things like integrity, availability and even other legislation such as the Patriot Act (if your information is stored in the US) and… the Data Protection Act (which provides) an implicit legal obligation not just to keep that information secure but also to make sure you’ve conducted due diligence on your supplier.

“What a lot of people fail to realise is, the cloud service provider doesn’t sit in the cloud, they provide services in the cloud but they have a firm foothold in the non-cloud environment through all the infrastructure that they have.”

Ward said four topics had already been earmarked for research by teams from his executive board including finding ways to integrate information risk management into corporate governance and looking at smartphone security from a total ecosystem perspective. The CSA will also investigate the possibility of a schools awareness programme to engage parents “in a way that makes sense” and will try to formalise certifications.

“We have to understand what the risks to information are and we need to understand what skills we need to deal with that,” he added.

CSA has a series of meetings planned around the UK and Ireland throughout 2011 to engage with its existing 300-strong membership and to attract more individuals and enterprises interested in cloud security. For more information visit www.cloud-security.org.uk or follow CSA on Twitter, @csaukeire.
