Hello again, this is Mike Small. In this panel, we are talking about ensuring efficient and secure collaboration in the cloud. I'd like to introduce my fellow panelists: Damir Savanovic, cloud controls lead at Willis Towers Watson and also a cloud research fellow at the Cloud Security Alliance.

Hello.

And Amal Saka, enterprise architect as part of global IT planning and projects within the International Federation of Red Cross and Red Crescent Societies. So in this session, we're going to talk about efficient and secure collaboration in the cloud. I'm going to ask you both, and perhaps we'll start off with Amal: what in your experience are the most important security and compliance issues around cloud?

When we go to cloud, we have to consider a lot of things. It's not going to be in your environment. So when we go and host somewhere else, we have to first think about the legal aspects: the data hosted, the services hosted, are they compliant with your organizational requirements? GDPR and data privacy are the most common, but what fits your organization? The presence of your organization may be in different countries, different regions, with different requirements in each country. So that is one thing we should focus on while choosing the right provider.

Okay. And so Damir, what would you say?
Yeah, thank you for the question. It's a very interesting question. I would first say that security doesn't equal compliance, and vice versa. So we really need to make sure we both do operational security and make sure we are compliant, as cloud itself means nothing. We need to understand better what we mean by the cloud as an organization. We really need to understand our landscape, our infrastructure, what we are really dealing with, because basically only based on that are we able to secure the cloud, to be compliant with the regulatory and client requirements, and so on. So it really is important to understand what our new perimeter is, what the information system or information systems are that we are talking about, understand the risks, and then, based on that, we can talk about security and compliance.

Okay. So understand your organization and understand the risks. So what was the methodology that you followed when you went to the cloud?
Yeah, so we are an international organization working in about 60-plus countries. So we had to first think about the data, data security, data privacy from a different perspective, because even if we are nonprofit, we are an international organization. We are not intended to comply with some regulations. In some countries we have some legal immunities, et cetera. But even if we say that we want to stay in the best-practice scenario, we prefer to analyze which data is really private to the organization and to the employees, which data can be made public, and which data is actually private but, even if it becomes public, there is no big impact on the organizational image outside. Since the Red Cross and Red Crescent are helping beneficiaries when there is a natural disaster or a health program, secrecy of their identity is most important.

So we started by analyzing and classifying the information first, then decided which applications are hosting this data and which applications can go to either a private cloud or a public cloud, or even software as a service. If we decide to say infrastructure as a service, then can we host them in a European hosting provider or an outside hosting provider? And then we started moving those applications part by part, in a given timeframe of four or five years.

Thank you. Okay. Yes. So start with the data. What's your impression, Damir, what's your advice?
Yeah, so it really is important. As Amal said, for international organizations, we have a global footprint, right? So we are subject to so many different regulations, and we really need to think basically as a business: we need to understand where our data is and how we are able to understand and protect our data. So in that sense, there's no silver bullet. There's no one-size-fits-all answer. So we really need to understand, depending on the sensitivity of the data and depending on the legislation we are operating in, that we are properly taking care of the data. Many cloud service providers offer us different regions that we can use.

And then obviously, depending on what our compliance requirements are, we need to make sure that data location requirements and data security requirements are properly met. So for us as a global organization, for instance, we need to be compliant obviously with GDPR, CCPA and many other local or regional regulations all around the world. But I cannot give you a unified answer for each of the regions, because it really is a very heterogeneous environment that we need to operate in.
Yes, I think that this is a really significant thing. And I'm going to address this to Amal because clearly you are worldwide and you have very sensitive information worldwide. So one of the challenges is that systems like email carry this kind of information all over the place, and you can't necessarily just localize it: in order to get assistance in one area, you may need to share it. So how do you deal with those kinds of problems?

If I specifically talk about the email system, then we rely on email encryption methodologies. But if I keep the email aside, of course in that we have done the data classification. So as we discussed some time ago, the data was classified. We trust users to use their best instincts to find what type of data they are exchanging or sharing with others, and to use that label before sending any content to any other person. That is about the email. But when we host data, the data hosting provider offers some kind of protection, but that is not necessarily sufficient for getting the legal protections against sharing that data with the provider's hosting country.

I do not want to say it explicitly, but the Patriot Act creates some kind of fear in different people's minds that yes, this data could be shared with us and then could be used for something else. It is important for IFRC to protect data because identities cannot be shared at all. So such type of data we did not host in the public cloud. We moved them into a private cloud with a European company who is hosting this, so not subject to the Patriot Act specifically. Now, about the technical protections, we had to go the other way, in that we had to start protecting the data in a better way. Having encryption is always an option, but also adding access control, giving multifactor authentication, that type of additional difficulty to break into any system.

Okay. Okay. So just as a matter of interest, are you saying you use S/MIME as a standard throughout your email?

Yeah.

You say yeah. So that's interesting. So perhaps Damir, what would you say about things like email and collaboration tools?

Yeah.
So again, every organization deals with it differently. For the organization I'm coming from, we are using Office 365 tools from Microsoft, and we are making sure that we get all the, let's say, compliance requirements met by our cloud service provider. We do have a vendor management team that makes sure that all the risk and security assessments are performed prior to our journey to the cloud. Let's say Office 365 is just one of the vendors. I mean, we have Microsoft as a vendor, both for the email and collaboration tool with O365 and then also for Azure services. And then we also have other cloud providers, and also other non-cloud vendors as well, that go through the same process of basically risk assessment and supplier vetting before we start using the services as such.

Yes. Okay. That's interesting.
Now, one of the points that Amal brought up was what you might call the third line of defense, that you depend heavily on the people. And so what do you do to enlighten people, or to make people think about, to sensitize them to, the use of these services? Do they know they're using the cloud? Do you have specific controls? Do you have training? What do you do?

Okay, thank you. Yeah. Training is an inherent part, and that cannot be avoided, specifically when we are in an organization where the majority of people are not, on average, technology aware. So they use technology for their general day-to-day office life. So to perform their duties, they have to use digitalized versions. So we have to keep on training them at a repetitive frequency. We have a lot of turnover in terms of manpower, because people come, they stay for six months, they have short contracts. They come and go; one to two years is the typical average time. So every time somebody's onboarded, we have a specific training for them to highlight what key areas they should be careful about, and how to protect their own identity and what data they produce and share.

Okay.
So perhaps another question. Earlier on, Damir, you talked about the difference between security and compliance. Could you expand a little bit on that?

Yes, absolutely. Which basically means that being compliant doesn't necessarily mean being secure, and also being secure doesn't necessarily mean compliant, because we really need to understand, for instance, let's say a lot of times the challenges for organizations are limited budgets, right? So we have a budget, and then let's say our business side, hypothetically speaking, they say we want ISO 27001, we want a SOC 2 report, and whatever else. There are dozens and dozens of, let's say, compliance frameworks that organizations are looking to obtain, either because of regulatory requirements or client commitments and things like that. However, compliance doesn't exist just to be a checkbox exercise. We really need to, basically, I always say ISO is not a certificate that you get and have on the wall.

Yes, you do that as well, but you really need to live those processes. You really need to live those controls that, let's say, an external assessor has assessed you against, because the next day, when the assessor leaves the organization, I still want to behave and perform in that manner. It's basically a security posture. It's a security culture that we need to have within the organization. And it's not just let's pass the audit, let's pass the assessment. That's the compliance part, but basically being operationally secure day in and day out, not just twice per year when an auditor comes, that for me is really important, what an organization should look for.

Because for me, the lesser thing is if I am operating securely and maybe do not have all the certificates in the world, as opposed to being certified and assessed against so many compliance standards but then not feeling comfortable that I am optimally securing my environment. And the challenge there is that compliance is not for free. We need to invest budget in compliance, but I would always advise people: invest in operating your environment securely. And then, when you feel comfortable, go and do the compliance checks, or obviously if you are obliged by the regulators, then obviously you need to do it. But please do not forget about security just because the burden of compliance is there.

Okay. Okay.
So we're coming to the end nearly, but I've got one more question for Amal, which kind of follows from that, which is: which are the certifications that you are looking for in cloud service providers? What do you feel is important? And do you have the same certifications for your internal systems?

We started from a very immature IT organization. If I say we have been improving, but no, we did not have any need to have a certification passed internally to validate our efforts to maintain the systems. However, when we go out in the market to search for a cloud provider, then we have to definitely look at the audit table of those organizations. So an ISO 27001 or SOC compliant vendor, it's already good to have. We don't specifically look at the certifications they may have; we look at whether we can audit them, or they can provide us the certificates which prove they have been audited and they are compliant with all the requirements.

Yeah. So you would like to audit them, but if you can't audit them...

If they're not already compliant, yeah. If they're not certified for that. Yeah.

Okay.
So we've now got a minute left. So perhaps can I ask Damir to give a final piece of advice?

Yes, absolutely. So for me, it really is important that organizations understand that cloud is a different type of beast. So everything that we look at within our, let's say, traditional on-prem environment might not be the case in the cloud. So whenever we talk about security and compliance, we really need to understand what we are talking about and what type of cloud we are talking about, and basically do a proper risk assessment and make sure that when we are going on our cloud journey, we are able to keep our promises to our customers. We are still going to be compliant, and we are not going to get into any security trouble just because we weren't aware of any new risks that cloud is introducing, but we were so satisfied with our on-prem risk assessment.

Okay. Thank you. And Amal, your last word, what would you give as a piece of advice?

While selecting any cloud provider, first look at your business requirements, how the cloud service is fitting your business requirements. If they're perfectly matching, there is no question: you can go with software as a service as the first priority. But if for some reason those fits are not matching, then you can turn down to platform or infrastructure as we go. Because as we know, if we go to software as a service, you have more free resources to do something else, or more or better. If you go platform or infrastructure, you will be having more investment in them. So that is how we also decided, and that is the advice I can give to all.

Lovely. Thank you. Thank you very much indeed. So I think we've now come to the end of the time. So back to you, Annie.