Steve Blanche, Chief Technical Officer at Ergo, talks to Jason Walsh of the Sunday Business Post about how security in cloud computing can be one of the platform's greatest assets, rather than something to be concerned about.
“Security is a primary focus,” said Steve Blanche, chief technical officer at Ergo Group. As well it might be. As one of Ireland’s leading cloud and IT managed services providers, Ergo promotes not only the benefits of cloud computing, but also impresses upon clients that security must be taken seriously. In part, this is a way of overcoming the initial resistance to the cloud, but it is also a recognition of today’s always-online business environment.
“Traditionally one of the biggest handicaps for moving, to public cloud anyway, was the notion that it was going to be less secure than internal, private data centres,” said Blanche. This perception isn’t quite accurate, Blanche said. “The big cloud providers, AWS, Microsoft and Google, have a significant focus and investment on security. If you look at things like Office 365 and Azure, well Office 365 is FISMA [Federal Information Security Management Act] compliant, ISO 27001 compliant and so on. There are very few organisations who would have the ability to invest in getting that themselves,” he said.
Clients are more demanding, too, not least because the regulatory environment around security and data integrity is becoming ever more strict. The EU’s General Data Protection Regulation (GDPR) comes into force in 2018, and there is also Privacy Shield. “The governance is becoming more and more strict, and people have a huge obligation to be compliant,” said Blanche. “That’s where I think we’re seeing the request from companies: how do I realistically manage this and govern it?” They can do it, said Blanche, by partnering with a provider like Ergo that takes security seriously. Ergo looks at the standards that are out there, such as ISO 27001, and considers not just technical security such as anti-virus, but also procedures and processes.
“The standards like ISO 27001 are basically processes and workflows around how you collect, store and, after a time, get rid of data in a compliant way,” he said. Businesses today are responsible for managing customer data in a secure and responsible manner, and that includes improving processes. “We’ve just taken on one customer [with whom we] are just finishing off their ISO 27001 certification and they have a massive amount of PII [personally identifiable information] on their systems. It’s not just a case of the IT staff, it’s at every stage through the organisation. IT staff typically are dealing with access permissions and so on, so there’s an innate awareness of security. They’re securing systems all the time, managing firewalls and AV, but the rest of the organisation needs to be trained about what is acceptable practice, too,” he said.
Blanche’s colleague, Ergo’s managed services director and group technical director, Jimmy Sheahan, said that the company prepares its clients for audits and is effectively always on standby for when the regulator will come calling. “If we’re doing a security engagement with a company, we would typically have parallel streams and what’s particularly important in terms of GDPR is the audit capability. If that moment comes when you have to prove you’re doing it right, your partner will matter very much. How do you produce the results? The next stage in managed services will be auditing and ensuring there is a full route map for data control and data privacy at the heart of it,” he said.
The reasons are clear enough: not only must businesses be resistant to threats, but with the GDPR coming into force they also need to be ready to prove compliance at any time, or else risk the entire business, because the penalties for non-compliance, even when there is no breach, are so severe. “It’s a business risk, not an IT risk. If the GDPR regs had been in effect, [the recently breached] Tesco Bank would have had fines of £1.5 billion. The fines are not designed to be a slap, they’re designed to take you out of business,” said Blanche.