Business Transformation increases Attack Surface

Data security consultancy offers seven steps to a successful transition to Cloud and Mobility environments.

  • 11 years ago Posted in

Auriga Consulting Ltd (Auriga) has cautioned that organisations transitioning to new environments could potentially expose core business processes and data to unnecessary risk. Business transformation has been a top priority in the boardroom over the course of the last year as organisations seek to harness the advantages of cloud or mobility deployments but the business case can often overshadow the potential threats brought about by change. Business transformation differs from other change management projects in that it straddles the corporate/IT divide. Transformation therefore needs to embrace strategic and technical best practice, from assigning responsibility and ensuring stakeholder buy-in to mapping business processes and protecting data and data integrity, confidentiality and availability.


Business transformation involves making radical alterations to the way a business functions in order to embrace and utilise changes in market conditions. Transformation may be motivated by numerous factors, from reducing costs to maximising efficiency and these factors often dictate the pace of change. But in addition to the business case and feasibility, it is also vital that the organisation examine business impact from a corporate and IT perspective and acknowledge the risks posed by the transition. Top threats such as data loss, data breaches, account hijacking, insecure API’s, denial of service and malicious insiders can use the greater attack surface created by transformation to target and exploit the organisation.


A larger threat landscape with limited control over the infrastructure can seem a daunting prospect but aligning organisational requirements and security controls, and taking a business centric approach can help mitigate risk. Before any organisation can consider a cloud or mobile solution it must first understand its current operating model and data landscape. An organisation deploying a Cloud SaaS solution to host business critical data, for example, must take into account the compatibility with existing technologies, governance requirements, geographical locations, mobile platforms and capabilities. Taking these multiple entities as a unified system will allow better understanding of the risks and application of security controls that span the organisation and beyond.


The following seven steps can ensure a strategic and technical transformation that delivers business advantage while mitigating risk:
· Use a business-driven strategy – the business will have the holistic view, and a seamless mobile or cloud strategy must be delivered from a position where the organisation’s business processes are fully understood. As a business strategy and not just an ICT strategy, transformation will need representation from across the organisation; this includes HR, Legal Governance etc.
· Listen to the workforce – to help determine what processes are in place now and what should be put in place for the future assign responsibility – The IT department is an enabler and most importantly will be responsible for articulating what the IT estate looks like today.
· Focus on tangibles and logistics – Define a set of focused, comprehensive clarification questions for potential suppliers. This must include questions about geographic location of technologies and support staff, SLA’s and Intellectual Property Rights
· Map core business processes – Consider the rationale behind the transition.


1. Is the organisation seeking to make business processes more efficient? The cloud offers great flexibility on scalability and it is paramount to map the infrastructure requirement to business efficiency.
2. How do the processes align with the organisational target operating model? The infrastructure should be deployed to allow for organisational growth.
3. Who is responsible for the current processes? Understanding requirements of key members of staff will ensure an efficient system at every business level.
Understand the roles and responsibilities and assess the skill set available.
Do you have the right person in the right role, how can efficiencies be made?
4. What are the timelines involved in current processes? Can this be shortened in the new system?
5. How will these processes be supported in an externally hosted infrastructure? Organisational compatibility is key to choice of Cloud technology.
· Classify data – Seek to categorise and classify data in order of importance to specific processes. Only retain data for defined periods of time before it can be destroyed; this reduces risk and eases infrastructure requirements. It is important to note that back-up procedures may change on a hosted infrastructure and SLA’s should align the clients’ policies to the provider’s services. How are you destroying data?


Have a strategy that is traceable, sustainable and fit for purpose
· Protect data and data assets – As well as protecting data in transit it is also important to consider data in the virtual environment. While virtualisation offers benefits in terms of multi-tenant architectures, better efficiency and utilisation, data centre consolidation means this technology is widely used in cloud computing. However, there are other data security considerations for the business transitioning to the cloud, specifically: Hypervisor Lockdown, Guest Virtual Machines (VM’s), Inter VM Security, Performance, Data Separation and Secure Sanitisation.
· Prize data integrity – The integrity of data should never be compromised. The client organisation must always be in full control of all data ownership. If the provider’s premises are raided due to legal implications from their own activities or due to another tenant, the client needs to make sure that under no circumstances should their data be subject to investigation. Confidentiality, availability and integrity need to be at the forefront of the IT Manager’s mind when embarking on an infrastructure transformation project.

“Business transformation is a radical undertaking which can make or break the business. Methodical planning is required to explore the impact on the organisation, contextual risks, and how best to secure stakeholder buy-in to determine whether a phased, big bang or pilot implementation is appropriate. Post-implementation, the organisation can still be at risk while the new systems and processes bed down, making monitoring processes that measure performance essential to success,” said Louise T. Dunne, Managing Director, Auriga. “Business assets are exposed and vulnerable during the transition period so transformation should never be treated as just another change management project. By observing the above procedures and approaching the transition methodically, it is possible to achieve transformation with strategic and technical merit while avoiding compromise.”
 

Research shows ‘game needs to be changed,’ with security innovation years behind that of the...
73% of organizations lack automated patch management, and 62% experienced incidents involving...
Dell EMC PowerProtect Cyber Recovery for AWS provides a fast, easy-to-deploy public cloud vault to...
Node4 has released its Mid-Market IT Priorities Report 2021. The independent report reveals that...
Research from Avast has found that employees in almost a third (31%) of Small and Medium...
This year, over half of MSPs or their end customers have been attacked by ransomware but only 53%...
Palo Alto Networks has introduced Prisma® Cloud 3.0, said to be the industry’s first integrated...
Trend Micro has published new research revealing that 90% of IT decision makers claim their...