This morning I participated in an interesting seminar on it-security hosted by Wingmen and with the keynote speech from Cisco. The two companies presented some valuable practical experiences of security threats and relevant mitigation tools and methods.
One of the major trends in it-security is that it-security along with it-applications is gradually moving to the cloud. This offers many major benefits but unfortunately also a couple of drawbacks. Let’s run through the essentials:
1. Availability and affordability: Yes, cloud-based security is
readily available. Some limitations may apply to achieving full security on all
platforms. Check whether all your particular server OS are supported. Whether
they are affordable is a tougher question. The first thing to look for is
whether the security service includes all relevant services or expensive
add-ons are needed. The next is to look for the pricing scheme. Here a per-user
pricing will often be more attractive than a per-device pricing.
2. Contracting platform. Government agencies and
municipalities should check the Danish procurement agency’s new framework
contract 50.07 where cloud-based security solutions have their own category.
Private companies can either procure cloud-based services directly or through
their own framework agreements with their particular vendors.
3. Cloud, on-premise or mixed setup. Being cloud based offers the special
benefit of enabling aggregation and quick availability of threat forensics and
threat mitigations. But don’t remove your firewall anytime soon. You will still
need perimeter protection at your individual sites.
4. Other issues. Being cloud based entails assessing how to keep control over data processing being performed by an outside agency. With GDPR, ISO27001 and other governance issues that could make the transition to cloud-based security cumbersome. Check whether your cloud-based solution is operated within the EU or shares information with entities outside the EU. Your will need to have your vendor sign a data processing agreement and maybe fill out a data export form before you commit.