Panel: Governance, risk, compliance, and cloud security
Michael O’Neil, principal analyst at InsightaaS, set the stage for the SMB Summit governance, risk, compliance, and cloud security panel by noting that governance is not a function of the cloud or an IT function; it flows from the board of directors or owner. “It’s important that the security steps you take are aligned with the goals of the business,” he said. In IT, associated functions could include risk tolerance, how data is to be controlled, and what technology is needed to address these issues. “It all boils down to accountability,” he noted.
Mary Allen, chief content officer for InsightaaS, outlined some essential issues for SMBs in cloud security. Taking a broader perspective, and extending security to the notion of data availability, she said you first need to have a security framework developed with senior management. You will need to consider data privacy, and how it’s tied to regulatory compliance; data portability (if you want to move data from one cloud to another, or back on prem); cloud reliability; disaster recovery (the most common use for cloud in most organizations); and security metrics (what capabilities the cloud provider has, what certifications it holds, and where responsibility begins and ends for the provider and the user organization). In the panel, participants were asked to speak to one or more of these security/compliance issues.
“The starting point, from a legal perspective, is to do a risk assessment,” said Andrew Nunes, partner at Fasken Martineau DuMoulin LLP. “The legislation that governs data in Canada requires you to have appropriate security measures in place. Those security measures have to be organizational, physical, and technological.” They’re based on the volume of the data, its sensitivity, how it’s stored, whether it’s personal information – you need to understand what data you have. From there you can establish your risk tolerance, and that feeds through everything you put in place in governance. If you get that wrong, and there’s a breach, everything you’ve built on that is not going to stand because it was built on the wrong foundation.
“I’ve sat on 14 boards,” said Mark MacDonald, founder of Canada15Edge Data Centres, “and I think I can count on one hand the number of times the conversation about IT security has come up. That is generally the state of affairs in small businesses. The level of knowledge is a real road bump in terms of putting processes like this in place.” Education is needed, he said, as is the integration of IT strategy with the company’s general operating strategy. Risks can range from standard cyber threats to simply missing out on the opportunities that new technologies offer. It comes down to educating the C-suite and the board.
The same discussion about protection of data has been going on for 20 years, noted Jean-Jerome Baudry, senior ICT consultant at TA Networks. “One of the first things an SMB has to understand is what data they’re responsible for, what data they collect, where the data resides in their organization, and they need to have an understanding of their legal liability and risk. There are stiff penalties, both financial and legal, for not understanding your responsibilities in terms of protecting customer or stakeholder data.” Before beginning to think about the technical aspects, companies must understand what their obligations are and how they will be using the data.
Sangam Manikkayam, manager, system engineering, at Trustwave Canada, added that most of the time, plans are simply presentations on paper. Nobody goes through and implements them. Yet, he said, the more data companies put in the cloud, the more prepared they have to be to face risk. Every part of the process and the risk assessment should be documented.
Process issues need to be addressed as well. “There is a gap between the business owner and the IT owner that has to be bridged,” he said. For example, IT may get an access request from a user, which technically is possible, but IT doesn’t know the business aspects of the request (the user may not be authorized to see the information). In some organizations, it’s not a problem, but in others, business and IT don’t talk to each other. “They have to find a sweet spot,” Manikkayam said. Workflows have to be established so IT and the business each know their responsibilities.
Customers struggle with many areas of the cloud, and often are uninformed. For example, said Nunes, for most industries (the financial sector is an exception) there is no legal requirement for data to remain in Canada.
Added MacDonald, “The biggest challenge with SMBs is lack of education.” Cloud security and data privacy concerns are on what he calls “everyone’s uneducated radar screen.”
One real threat, said Manikkayam, is shadow IT. He said that with the cloud, any individual can run their own IT organization; during a risk assessment, one customer found hundreds of applications it had not been aware of. Another customer found that as fast as IT was rolling out patches, shadow IT was rolling them back because the patches interfered with functionality, putting the company’s security at risk.
Baudry cited misunderstandings about which facets of security are the cloud provider’s responsibility as a concern, pointing out that the provider takes care of the underlying infrastructure while the customer is responsible for securing its workloads and data.
Asked what key issues companies need to address, Nunes began with governance at the highest level, noting that if the board doesn’t attend to that, it has failed to reach a standard of care that it owes to its corporation. As well, he said, there has to be a robust amount of employee training; you can have a policy but if people don’t know about it, it won’t be implemented. A lot of breaches are due to employee actions, he added, and this year, new breach reporting requirements come into effect, with associated fines.
And, said MacDonald, “if you’re sitting on a board, you’re personally liable.” Companies have to figure out how data can be breached, which data they can potentially lose – and, he pointed out, if most small organisations lose their data, they will be out of business.
But, Nunes advised, if you’re using a cloud provider and experience a problem, have a good look at the contract to understand your exposure versus that of the service provider. If there’s a payment system breach, there may be exposure on the financial side, for example. Liability can come from multiple directions, including consumers, shareholders, and other stakeholders. But, he explained, cloud service providers are not insurers. If there’s a problem, you can’t take for granted that they’re going to provide any particular level of security. Their services don’t tend to be customized – they have a set portfolio of offerings.
Be aware, though, said Baudry, that when you’re looking at a cloud strategy, it doesn’t mean that certain things just go away, or that everything starts working and everything is backed up. Costs can go up, depending on data retention strategy and other factors. You have to use new, different tools that are adapted to the cloud. You also have to look at the security of data in transit, and the cost of bandwidth, since users aren’t in the cloud; they’re in offices or at home or on the road. Issues of data mobility and portability still remain.
Panel: Cloud and the IT/business future
The final panel of the day took a look at the future and enumerated some of its benefits for small business.
“The cloud lowers the barrier to entry,” said Nabeel Sherif, product manager at Q9 Networks and lead course developer of the cloud computing certificate program at the University of Toronto’s School of Continuing Studies. “It lets small business have the same level of business analytics power as a large enterprise.” It’s also, he said, about replacing capital expense with operational expense, hopefully at a lower cost, and escaping physical procurement cycles, as well as enabling different business models and cost structures such as on-demand pricing.
Stephen Giles of Dimension Strategies Inc. added: “It comes back to democratization. When we looked at business intelligence (BI) over five years ago, if you had large datasets you needed to buy Cognos or Teradata, with huge upfront capital cost. They were complicated so you had high labour costs. Now, in the cloud, you don’t need capital outlay, you can stand up a Hadoop cluster for a weekend for a few hundred dollars. BI is more accessible to more people.” That’s one of the benefits of cloud elasticity – with on-premises installations you have to scale for maximum load, whereas in the cloud you can scale up and down on demand.
There are two key aspects to cloud that make it important competitively, said Ian Rae, CEO of CloudOps and Cloud.ca. One is around productivity. “You could argue that people who adopt new technologies late in the cycle put themselves at a disadvantage,” he said. “With cloud you can do just in time rightsizing of IT. We’re not just looking at improving productivity, what’s more interesting to me is how we as small businesses can innovate and create new products and markets and become much larger businesses and win in the global digital economy.”
“Canadian businesses in general tend to be slower to adopt new technologies,” noted Sherif. “I think part of it is cultural, and that’s one of our challenges.” Yet Canada, and Ontario in particular, has a highly educated, skilled workforce. “The real fear here is the fear of failure. It’s worse to try something and fail than to never have tried it at all.” In the U.S., on the other hand, the fear is of missing out. The cloud’s rapid scale environment lets people try things.
Paul O’Doherty, principal architect, national cloud practice, at Long View Systems, sees the advantage of cloud as a huge data collection platform. But the data is of no use until it’s analysed, and he thinks cloud-based artificial intelligence will help small businesses get value from the data.
Added Baudry, for a small business, being on the cloud lets it be with its peers – other companies that can leverage the same APIs and infrastructure, and get a certain level of service. It gives the flexibility to have data and applications where they need to be. He sees AI and machine learning as the icing on the cake for cloud – with all of the sensor data streaming in, the ability to crunch all of that data lets SMBs make intelligent decisions.
Dutta agreed, and sees the number of new services that cloud providers come out with every week as creating new opportunities for small businesses to build new businesses. “That’s where the opportunity lies,” he said.