Andy Mulholland, CTO, Capgemini
In recent posts I have been looking at the change that new technology is creating. From one direction we see how businesses want to use clouds, mobility, big data and social tools to create new capabilities externally, to do business in new interactive ways with customers. From the other direction we see the challenges this represents to IT departments, and in particular to the role of the CIO. Right now the role of IT and the CIO is pretty well-defined, but only with respect to the existing technologies and their role in supporting business procedures internally, or securely, behind the firewall.
This leads to two definitions. 'Inside-out' defines traditional IT as 'inside' the firewall, with any external usage relying on both the client-server technology and the governance models of enterprise IT. 'Outside-in' is the use of internet web architecture to deliver 'services' for customers, workers, etc. that are 'outside' the firewall in their primary activities, with limited web-based connectivity to the enterprise IT. For an example of this, I posted a use case recently, or for more details you can download the Capgemini white paper called 'Clouds – Time for Delivery', which provides a full briefing on how an enterprise will need to combine both environments.
When we say 'security', the natural definition that comes to mind around traditional IT is:
“The need to protect the core assets of the enterprise in terms of its commercial information and its ability to do business internally at the right cost and level of efficiency.”
Traditional IT also means 'based on PCs', using client-server architecture in a computer-and-data-centric manner around enterprise applications onsite and under the control of the CIO and IT department. Throw the use of clouds or remote hosting into this and security still means being secure inside a firewalled perimeter, with the question shifting to how this is achieved.
A lot has been written about this, and there is some pretty good progress by the Cloud Security Alliance, which is worth checking to see both what is being addressed and how the subject is being approached, as well as the real progress made. But there is a less obvious and growing issue about where your data is being held or used, and the legal consequences. This may not be the 'security' issue that first comes to mind, but as more enterprises use external data centers, it is certainly a governance issue that your enterprise may well care about. Bruce Schneier has a good blog and discussion on this to bring you up to speed on what the issues are. But it's down to Peter Cartier to offer the best straightforward description of what the US Patriot Act is all about and what it covers.
Given that many of the big names are American and offer global resources to manage your data, this is an issue to understand, as your data will, quite legitimately, be examined by the US Government if they feel they need to. It is clearly something to understand along with the conventional questions of how secure the data center is and how effective the operator's governance is. Incidentally, Amazon has recently added the ability to put a Check Point firewall in place on its EC2 Elastic Cloud offerings.
For many CIOs the security question is rapidly becoming about people and the range of devices that they use at work, frequently as BYO, Bring Your Own. This isn't necessarily the security issue it might seem if full 'inside-out' access to traditional IT is not granted, and instead the people and devices are positioned outside the firewall on the 'outside-in' model. If you don't know about this model then I really recommend you find out more from the Capgemini white paper mentioned earlier.
And if you don't think it's for your enterprise then you may be very wrong. A Swedish bank recently told me that they thought up to 40% of their staff should be moved outside the firewall to an 'outside-in' environment to improve security. Removing their ability to access the enterprise's core systems and data will improve their effectiveness in facilitating services for their customers.