
Is it Security or Privacy or Both that We Should Think About?

PCQ Bureau



Andy Mulholland, CTO, Capgemini

In recent posts I have been looking at the change that new technology is creating. From one direction, businesses want to use clouds, mobility, big data and social tools to create new capabilities externally, doing business in new interactive ways with customers. From the other direction, this creates challenges for IT departments and in particular for the role of the CIO. Right now the role of IT and the CIO is pretty well defined, but only in respect of the existing technologies and their role in supporting business procedures internally, that is, securely behind the firewall.

This leads to two definitions. 'Inside-out' is traditional IT: 'inside' the firewall, with any external usage built on the client-server technology and governance models of enterprise IT. 'Outside-in' is the use of internet web architecture to deliver 'services' for customers, workers and others who are 'outside' the firewall in their primary activities, with only limited web-based connectivity to the enterprise IT. For an example of this I posted a use case recently; for more details you can download the Capgemini white paper called 'Clouds — Time for Delivery', which provides a full briefing on how an enterprise will need to combine both environments.


When we say 'security' the natural definition that comes to mind around traditional IT is,

“The need to protect the core assets of the enterprise in terms of its commercial information and its ability to do business internally at the right cost and level of efficiency.”

Traditional IT also means 'based on PCs': client-server architecture used in a computer-and-data-centric manner around enterprise applications that are onsite and under the control of the CIO and IT department. Throw the use of clouds or remote hosting into this and 'security' still means secure inside a firewalled perimeter; the question merely shifts to how this is achieved.


Much has been written about this, and there is some pretty good progress by the Cloud Security Alliance, which is worth checking to see both how the subject is being approached and the real progress made. But there is a less obvious and growing issue about where your data is being held or used, and the legal consequences. This may not be the 'security' issue that first comes to mind, but as more enterprises use external data centers it is certainly a governance issue that your enterprise may well care about. Bruce Schneier has a good blog post and discussion on this to bring you up to speed on what the issues are. But it's down to Peter Cartier to offer the best straightforward description of what the US PATRIOT Act is all about and what it covers.

Given that many of the big names are American and offer global resources to manage your data, this is an issue to understand: your data can, quite legitimately, be examined by the US Government if they feel they need to. Clearly something to understand alongside the conventional questions of how secure the data center is and how effective the operator's governance is. Incidentally, Amazon has recently added the ability to put a Check Point firewall in place on its EC2 (Elastic Compute Cloud) offering.

For many CIOs the security question is rapidly becoming about people and the range of devices they use at work, frequently on a BYOD (bring your own device) basis. This isn't necessarily the security issue it might seem, provided full 'inside-out' access to traditional IT is not granted and the people and devices are instead positioned outside the firewall on the 'outside-in' model. If you don't know about this model then I really recommend you find out more from the Capgemini white paper mentioned earlier.


And if you don't think it's for your enterprise then you may be very wrong. A Swedish bank recently told me that they thought up to 40% of their staff should be moved outside the firewall to an 'outside-in' environment to improve security. By removing their ability to access the enterprise's core systems and data, this will improve their effectiveness in facilitating services for their customers.

Moving people and their devices outside the firewall and denying them access to the enterprise applications is a surprisingly effective and easy move, but whereas computers and their data need security, people need privacy. From 12th March, Google will implement a revision of its Privacy Policy, and you may have noticed that its home screen contains a box stating 'We're changing our privacy policy and terms. This stuff matters'. And it does, as an increasing number of court cases prove. It's difficult to get any simple guidance in the form of a free online download for what is obviously a complex subject. The best I can find (and now I guess I should say that this link is not a recommendation or any other legal construction for which I am liable; it's just my view that I found the content personally useful, so make up your own mind on the topic) is a site offering practical guidance in the form of a message to be placed on a website to alert users.

Other places I found useful include Website Law, which is a guide to UK law on privacy, and a US site that claims to be able to generate an enterprise-specific privacy policy. Frankly I don't think these are the answer, but they are useful ways to read what is being addressed and how. The answer is to do some proper due diligence with your enterprise legal department about what and how privacy is an issue for your own staff when supporting them online.
