Cloud-based services require a rethinking of information security within the IT systems of companies. The principles behind the generally accepted "best practices" have not changed, but the content behind the concepts and the regulation built on them have been refined.
Globalization has become a reality for the customers of cloud-based services, so we summarize the definitions and rules we consider relevant. We define the concept of the business secret and show that the use of cloud services expressly contributes to maintaining it.
The idea is not new: domain names, web servers / hosting, email systems and VPS services have been well known and widespread for more than a decade. These services can be considered forerunners of today's cloud-based services.
The significant advantages of cloud-based services are:
- dynamic scalability
- availability that exceeds the level of on-premise infrastructure
- security and disaster tolerance at a qualitatively higher level
The new challenge – data security in the cloud
As long as a company runs its own IT infrastructure, its goal is to store business secrets on that infrastructure and to give access only to those who need it, only to the extent and only for as long as this is operationally required. To grant access you must be able to identify who intends to enter (authentication), and you must be able to state that this person is allowed to access that information (authorization). To implement this successfully you therefore need to define appropriate roles.
This is not a problem as long as there is only one such application. If a company operates its applications in isolation from each other, administering entitlements is an easy task.
In the case of integrated systems, the task is more complicated. There are integrated systems which, as frameworks wedged in between the operating system and the application layer, cover access management and logging.
But implementing them is
- not easy: usually it cannot be done in-house, so it is expensive
- time consuming: it requires external resources, so it is often cancelled
Even when it is done, no resources remain to manage and analyze subsequent changes. So, even after a proper implementation, only after-the-fact detection and expert investigation are available when an incident occurs.
The promise of the cloud is to solve these issues with advanced tools, in an integrated way, where access control becomes part of the application settings. It also forces the company to maintain a relevant, consistent and up-to-date regulation. In return, we can run a practically continuous and automated audit across the entire infrastructure and receive real-time alerts on any abnormal event.
Business secrets - privacy view
In the definition used by the World Intellectual Property Organization (WIPO), confidential business information is a business secret when it confers an advantage on its owner, and its use by anyone other than the owner is an unfair business practice. The Uniform Trade Secrets Act (UTSA) adopted in the United States is somewhat tighter and is therefore easier to apply.
Although public perception worries most about hacker attacks, hackers are by no means the main threat to business secrets. The biggest hazard is still the company's own employees, who hold access privileges and process the data as part of their job. Most of them make mistakes through lack of knowledge; a smaller group knows where the data is, what they can take and that they are entitled to it, and some of those know how to abuse that position and do so. To manage these risks, a cloud-based service is far more suitable than the company's own data center.
Third Party is your friend
All identification is based on the existence of a party which (by law or by other express provision) can be considered credible and which has no task other than maintaining this trust.
IT identification is based on the existence of such a so-called trusted party. A trusted party is able to authenticate others when the legal conditions are met, when it passes strict standards at regular compliance audits, and when it carries sufficiently high liability insurance.
The cloud service provider can be viewed in a similar way. The only thing it has to deliver is the services it has undertaken; otherwise it does not take part in our everyday business.
Authorization management follows predefined, role-based, approved security policies; they take effect automatically when an employee joins, and this is logged.
The difficulty is that when the enterprise IT function is small, these functions (roles) cannot be properly separated. When a cloud-based service is used, operation is automatically separated from development, for example, even in such circumstances.
When we operate our own IT systems, our business secrets have to be protected primarily from our own employees. Because of the lack of an appropriate separation of responsibilities, this is often inherently impossible. In addition, the scope for compensation claims against employees is very limited, because their ability to cover losses is limited. By contrast, a compensation claim against a suitably selected service provider can be satisfied in full.
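The passages above describe three mechanisms in prose: authentication and role-based authorization with time-limited access ("only to the extent and only for as long as operationally required"), policies applied and logged automatically when an employee joins, and the separation of development from operation. The following is an added example, not code from the original article or from any provider it mentions, that puts all three into one small access-control model. The roles, permissions, principals, tokens and timestamps are constructed for illustration; the credential store keeps only SHA-256 hashes, every grant carries an expiry, conflicting roles cannot be held together, and a simple audit pass over the log flags principals with repeated denials, which stands in for the "real-time alerts on abnormal events" the text promises.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample policy (assumption for the example): role -> permissions.
ROLE_PERMISSIONS = {
    "developer": {"repo:read", "repo:write"},
    "operator": {"prod:read", "prod:deploy"},
    "auditor": {"audit:read"},
}

# Role pairs that one principal must never hold at the same time (dev/ops separation).
CONFLICTING_ROLES = [("developer", "operator")]


def _h(secret: str) -> str:
    """The trusted party stores only a hash of each credential, never the secret."""
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed credential table (assumption): token hash -> identity.
TOKEN_HASHES = {_h("alice-token-1"): "alice", _h("bob-token-1"): "bob"}


def authenticate(token: str) -> Optional[str]:
    """Authentication: map a presented credential to an identity, or None."""
    digest = _h(token)
    for stored, principal in TOKEN_HASHES.items():
        if hmac.compare_digest(stored, digest):  # constant-time comparison
            return principal
    return None


@dataclass(frozen=True)
class Grant:
    role: str
    valid_until: datetime  # every grant expires; nothing is held "forever"


@dataclass
class AccessControl:
    grants: dict = field(default_factory=dict)   # principal -> [Grant]
    audit_log: list = field(default_factory=list)

    def _log(self, now, principal, action, target, outcome):
        self.audit_log.append({"ts": now, "principal": principal,
                               "action": action, "target": target, "outcome": outcome})

    def onboard(self, principal, role, ttl, now):
        """Apply the approved role policy on entry: time-bounded, SoD-checked, logged."""
        if role not in ROLE_PERMISSIONS:
            raise KeyError(f"unknown role {role}")
        held = {g.role for g in self.grants.get(principal, []) if g.valid_until > now}
        for a, b in CONFLICTING_ROLES:
            if (role == a and b in held) or (role == b and a in held):
                self._log(now, principal, "grant", role, "denied:separation_of_duties")
                raise PermissionError(f"{principal} cannot hold {a} and {b} together")
        self.grants.setdefault(principal, []).append(Grant(role, now + ttl))
        self._log(now, principal, "grant", role, "ok")

    def authorize(self, principal, permission, now):
        """Authorization: is this identity allowed this permission right now?"""
        allowed = any(permission in ROLE_PERMISSIONS[g.role]
                      for g in self.grants.get(principal, []) if g.valid_until > now)
        self._log(now, principal, "access", permission, "ok" if allowed else "denied")
        return allowed

    def access(self, token, permission, now):
        """Full path: authenticate, then authorize; unknown credentials are logged too."""
        principal = authenticate(token)
        if principal is None:
            self._log(now, "<unknown>", "access", permission, "denied:unauthenticated")
            return False
        return self.authorize(principal, permission, now)

    def anomalies(self, window, threshold, now):
        """Continuous audit: principals with at least `threshold` denials in `window`."""
        counts = {}
        for e in self.audit_log:
            if e["outcome"].startswith("denied") and now - e["ts"] <= window:
                counts[e["principal"]] = counts.get(e["principal"], 0) + 1
        return sorted(p for p, n in counts.items() if n >= threshold)


def demo():
    """Walk through the scenario from the text on constructed data."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    ac = AccessControl()
    ac.onboard("alice", "developer", timedelta(hours=8), t0)
    ac.onboard("bob", "operator", timedelta(hours=8), t0)
    results = {
        "alice_write_in_hours": ac.access("alice-token-1", "repo:write", t0 + timedelta(hours=1)),
        "alice_deploy": ac.access("alice-token-1", "prod:deploy", t0 + timedelta(hours=1)),
        "alice_write_expired": ac.access("alice-token-1", "repo:write", t0 + timedelta(hours=9)),
        "bad_token": ac.access("nobody-token", "repo:read", t0 + timedelta(hours=1)),
    }
    try:  # a developer must not also become an operator
        ac.onboard("alice", "operator", timedelta(hours=8), t0 + timedelta(hours=1))
        results["alice_dual_role"] = True
    except PermissionError:
        results["alice_dual_role"] = False
    results["alerts"] = ac.anomalies(timedelta(hours=24), 2, t0 + timedelta(hours=9))
    return results, ac


if __name__ == "__main__":
    res, ctl = demo()
    for k, v in res.items():
        print(f"{k}: {v}")
```

Running the demo shows a developer allowed to write to the repository during the granted window, denied a production deployment, denied the same write once the grant has expired, and refused the operator role while still holding the developer role; the audit pass then names that principal as the one with repeated denials. The point of the model is that nothing depends on an administrator remembering to revoke access: expiry and the separation rule are properties of the policy, and every decision is in the log for later review.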