The cloud, service included – How to shape a cloud-based IT security strategy

The cloud, service included

 

Learn how the Orange Business Professional Services team helped two customers, an international company and an engineering firm, shape their cloud-based IT security strategies. This article is part of our “The cloud, service included” series, which sets out guidelines for getting the best from the cloud.

Implementing a Disaster Recovery Plan (DRP), a component of any cyberdefense strategy, is a complex business for IT departments as they find it increasingly hard to get an overview of their IS set-up. IT departments have reduced risks by taking an inventory of their existing IT portfolios and evaluating the criticality of their applications.

Protecting an IT set-up that is escaping the IT department's control: a substantial challenge

As threats increase, IT departments are being forced to ramp up their IS security. Yet many IT departments lack knowledge about their IT assets. This can be explained by aging teams and IT set-ups, the growing number of remote deployments, and the investments made by business units separately of IT departments.

According to a Forrester study, business units have a say in 65% of IT purchasing decisions. CIOs have no involvement in 29% of decisions.

IS: A growing security risk

Gartner's “2018 CIO Agenda Report” claims that 95% of CIOs fear growing cybersecurity threats and their impact on their organizations. It is also important that they weigh other potential impacts on their IT set-up operations and their brand image, among other things.

So, while IT budgets are finally on the rise, from 2.0 to 5.1%, depending on the region of the world, most of these rises could be swallowed up by the necessary mitigation of risks.

Seek support to reduce the risk: Two concrete examples

We had the opportunity to work with two organizations, both of which led to consulting missions prior to the crafting of an IT security strategy and potentially its migration to the cloud. In both cases, the consulting approach helped to reduce risk.

  • The first organization was an international company operating in the physical security sector. With a presence in France, comprising some ten factories and local branches and an international footprint, it employs 850 people
  • The second business was a general and technical engineering firm operating in the construction sector, with numerous local offices, employing 640 people

The CIOs of both companies faced security issues in relation to their information systems and had been asked to toughen up security. They planned to migrate all or part of their IS to the cloud with a DRP.

Let's look at the standard methodology for these support missions, which we implemented with these two companies.

Inventory and criticality

Before planning such a project, the CIOs of our two companies had to ensure the security of their IT systems, the applications running on them and the stored or processed data. This was no easy task because, as we have seen, knowledge of existing set-ups is often lacking. They therefore asked us to carry out a three-step support mission.

Step 1: Map the IS

The first step in these two missions was an exhaustive audit of the companies’ IT assets. The deliverables of the resulting inventory comprised:

  • Technical and network architecture diagram to update the scope and provide an overview of the infrastructure
  • System architecture diagram in the form of a map of applications and publishers
  • Flows matrix, which deciphers communications

Step 2: Evaluate the criticality of applications

The second step entailed determining the criticality of applications, processes and the infrastructure. Produced in workshops, it involved business units, project and development teams, teams responsible for infrastructure, and the CIO.

We identified five levels of criticality according to the RTO (Recovery Time Objective) and the RPO (Recovery Point Objective, or the maximum acceptable amount of data loss measured in time), along with “acceptable” lead times for the company, which ultimately makes it easier to implement the DRP.

Breakdown of RPOs and RTOs in terms of time
Breakdown of RPOs and RTOs in terms of time

 

The five levels of criticality are as follows:

  • Major: RTO 4 hours – RPO 0 hours
  • High: RTO 24 hours – RPO 24 hours
  • Medium: RTO 48 hours – RPO 48 hours
  • Low: RTO 7 days – RPO 7 days
  • Non-critical: “least effort”
The five levels of application and process criticality according to time
The five levels of application and process criticality according to time

 

Step 3: Recommendations

These IS audits and the appraisal of the criticality of applications and processes allowed the Orange Business experts to make recommendations.

These short, medium and long-term recommendations focus, for example, on DRP platforms, the back-up of technical data with replication in the cloud, and the resilience of telecommunications and communication resources to protect networks and data flows.

In particular, one of the companies had just recruited its CIO, and she was having to deal with IT failures that the General Management said was unacceptable. The IT department was tasked with implementing a DRP with the aim of limiting the financial impacts of these recurring incidents.

The lessons to learn from these missions

When the Orange Business teams reported back on the work they had done and their recommendations, in the short term the companies and their CIOs gained access to crucial information enabling them to protect their IS going forward. In the medium term, this mission enabled them to transform their IS with a view to achieving their digital transformation, for which an ultra-secure cloud is a vital piece of the jigsaw.

Read more

Thierry Hortin
Thierry Hortin

For the last 15 years, I have worked in space science IT, management consultancy in organizations’ digital transformation strategy and information system security and telecommunications. I am now a Senior Consultant in the Cloud Transformation of audit, strategy and security practices at Orange Cloud for Business.