A consistent theme in the conversation was the issue that not all cloud platforms are built the same and matching customer needs and expectations to the right platform is crucial.
At a recent Microsoft-sponsored event held at the company’s Leopardstown headquarters, Annette Soraine, chief commercial officer at Innovate, chaired a panel discussion on the importance of choosing the right cloud provider and on how to get cloud security right.
“When an organisation is deciding on which platform to go with, it needs to understand the attributes of the platform. What are its features? What scale is it at? Is it private or public? How does it compare to the others in the market?” said Michael Redmond, cloud technical lead for Innovate.
“There are advantages to all kinds of platforms, but there can be huge differences too. A proprietary cloud, located on premise, is a very different thing to the kind of cloud platform offered by Microsoft Azure for example. Likewise, take the example of Office 365 — it increasingly uses artificial intelligence to improve its offering and you just can’t replicate those kinds of features on Exchange on premise. It’s a totally different proposition.”
Cloud security is an issue that was also discussed at the Leopardstown event, with Innovate chief technology officer Enda Cahill suggesting that traditional security and risk management models need to stay in place when any cloud project is embarked upon.
“You still have to have an organisational approach to information security, where you’re looking at the risks from your IT systems and the controls you have put in place to mitigate those risks. As you move to the cloud the risks will change,” he said.
“For example with on premise systems, you have to worry about controlling physical access to your server room. When you move to the cloud, that risk still exists but the responsibility for it is moved to your cloud provider. Understanding the risk you’re responsible for and those risks your provider is responsible for is critical. You need to be able to check that they are doing what they’re meant to.”
Passwords represent an additional aspect of security that changes in a cloud move. With on premise computing, passwords generally only have to be secured in the physical location that log-in terminals are located. But when a business uses cloud infrastructure, there is a possibility for anonymous users to test log-in systems remotely.
“It’s important to adjust password policies and to ask the question are they strong enough. When the risk of attack is higher, you should be introducing two-factor authentication for example. The message is to understand how the risk profile changes with a move to the cloud,” said Cahill.
While security is important to all companies, for Ronan Gahan, managing director of financial services company Conexim, it’s a core aspect of his company’s procedures.
“Cyber security issues are real and prevalent. We had to deal with a straight forward phishing attempt recently which was easy to see off but which was a reminder that we exist in a very interconnected world and it’s easy for such threats to lead to real damage,” said Gahan.
“Dealing with the aftermath of a security breach can be catastrophic for companies in the financial services sector where there are a lot of regulatory issues that need to be kept in mind. You can end up with a lot of reputational damage as a result of a breach.”
Like a lot of companies, Conexim does business with many companies and brokers without ever meeting many of them face to face.
“They might be located in Cork, or Kerry, the IFSC or abroad so we need to have a lot of controls in place to analyse the data that comes into us. We hold a lot of significant personal data so that needs to be minded properly to comply with the GDPR,” said Gahan.
“Even before GDPR, like other financial services companies we were liable for civil penalties in the event of us not managing personal data correctly. We have dual reporting obligation not just to the Data Protection Commissioner but also the Central Bank in the event of a breach.”
These are issues which any company looking to the cloud for competitive advantage needs to be aware of and needs to talk to their potential cloud provider about well in advance. That provider needs to understand the unique needs of that company in that sector and not attempt to provide a one-size-fits-all package.