Information Protection and the Cloud – A CIO’s Perspective
Tuesday, March 24, 2015
The CIO challenge - changing landscape for customers and employees…
Most CIOs today are faced with companies that want to understand how to drive transformation in a mobile-first, cloud-first world. In fact, with the advent of Windows 10 and Microsoft’s drive towards the Internet of Things (IoT), the central theme behind its strategy is not about the mobility of any single device, but the mobility of the experiences and access to information across devices.
If we wind back two years, all people cared about when it came to Cloud was cutting the costs of standing up applications and maintaining data centres – people-centric IT was still just marketing hype. The Cloud was still experimental in many ways, and the only way to sell it to upper management was to show the cost-saving aspect, which usually meant a direct replacement of on-premises hardware with its virtual equivalent in the Cloud.
Today the economy is far better than it was two years ago, and whilst saving money and showing added value is still one of the top ranking KPIs for most CIOs, increasingly business leaders are recognising that Cloud is a maturing technology and businesses are actively seeking and pushing for rapid transformation.
For the CIO, the ability to enable a flexible and mobile workforce is seen as a key driver of Cloud usage. CxOs are looking to Cloud to help increase employee productivity, drive higher employee satisfaction, transform the way the business interacts with its customers, suppliers and business partners, improve business performance (growth), improve levels of service automation and reduce costs.
When Windows 10 is released later this year not only will it connect to and consume services directly from Microsoft Azure and Office 365, it will enter a world where there are going to be more devices on the planet than people. That means the mobility of the experience and access to information is what matters, not the mobility of any particular device. This means that increasingly the need to protect information (that is ever more mobile on even more platforms) will become a crucial part of the CIO’s and CSO’s business strategy.
However, the risk area of Cloud is still in many ways unchanged: data loss and privacy risks remain the CIO’s and CSO’s most significant challenges, and the one aspect often overlooked is that of Information Protection.
Protecting your data
Users today share information in many ways: by email, file-sharing sites, social media (such as Yammer and Skype), Cloud applications such as Office 365 and so on. In fact, if someone can think of a way of sharing information, the chances are someone is supplying a service to allow them to do so. This is creating a large headache for IT departments, who are increasingly challenged with cutting costs whilst introducing new Cloud services and solutions at an ever increasing pace.
Many organisations simply overlook what this rapid change of pace means for information protection policies and processes, which quickly become outdated and outmoded. With an ever increasing portfolio of applications and services for creating and sharing information, and with employees able to access these services by simply bypassing the IT department altogether, the IT department simply doesn’t know where the most sensitive data resides anymore, never mind how to protect it.
Many companies are simply unaware of the challenges they face when it comes to information protection. Often it is assumed (and expected) that employees will do the ‘right thing’ and that the IT department has this under control and it’s not something they need worry about. The challenges on closer inspection are often quite startling and surprising:
- No single overall strategy for information security (and if something does exist it’s outdated).
- Minimal (if any) company-wide information security policies and processes.
- Differing expectations and drivers from business groups and teams for information protection.
- A lack of content and document standards and templates.
- Proliferation of devices, services and applications being used without adequate controls.
- A lack of executive sponsorship.
- No appetite for information protection, as it’s often seen as a level of bureaucracy and interference with the day-to-day running of the business.
- And so on…
As a result, information protection is a secondary consideration, bolted onto a CIO’s and IT department’s strategy, with IT typically ending up treating all data with the same level of security. This can be inefficient: over-protecting data unnecessarily restricts the flow of information, while under-protecting it risks the loss of important and valuable data.
So what is the answer?
An ‘end to end’ approach
Needless to say there is no single solution and no ‘magic wand’ to be waved. There are many technology offerings in the marketplace and many different approaches to protecting information.
One company that has an increasingly holistic and end to end solution is Microsoft. With its continued drive towards the IoT and the focus on mobile information, Microsoft has spent time and energy, and not inconsiderable investment, in building and promoting its information protection offering.
Microsoft’s Azure RMS and Office 365 IRM will help you protect your organisation’s sensitive information from unauthorised access and control how this information is used. Microsoft’s Cloud services for information protection provide an integrated, cloud-based solution with versatile management capabilities for data protection at rest and on the move (granular and persistent protection). In addition, it can integrate with your on-premises information repositories such as Windows File Servers, SharePoint services and Exchange Services, extending these Cloud-based solutions to your enterprise information stores.
If you already have access to Office 365 and Azure then you may not realise that you already have access to RMS and IRM. Indeed you have access to a whole raft of information management and protection solutions from multi-factor authentication, single sign on, email retention services, group management and device management, and also secure information stores such as OneDrive and SharePoint Online all of which integrate seamlessly with these RMS and IRM services already. If you don’t then there is a simple way of getting access or extending your licensing to access these services and solutions.
Enter Microsoft’s EMS suite. EMS provides a unified identity platform giving users single sign-on access to all their information resources, countering the often heard argument that accessing information is difficult and time consuming and that the introduction of information protection would make this even more so. It provides the necessary elements of device management (alongside Windows Intune) to deliver a consistent device management experience across a variety of platforms (Windows, Windows Phone, iOS, and Android), helping the IT services and security team to create a solution that would also cover the increase in Bring Your Own Device (BYOD) activity and prevent the loss of information from mobile devices. And of course the most relevant element of EMS is the ability to protect company data by utilising a comprehensive set of access control and data protection capabilities to protect data on devices and in motion via Azure Rights Management Services (AzRMS) and Office 365 (O365) Information Rights Management (IRM).
In addition, for those already invested in Microsoft Azure and O365, Azure Active Directory (AAD) Premium provides additional useful services relevant to the wider information protection issues. These include group-based access management and provisioning, multi-factor authentication (for cloud and on-premises applications), and advanced usage and security reports, which are of particular interest to the CSO and the security team. In particular, the ability to mine AzRMS security logs is a real plus, as it enables businesses to audit and to clearly show and respond to information management risks.
How do I find out more?
Ballard Chalmers can help in a number of ways, working with you (and Microsoft) to offer an onsite Information Security workshop (between 1 and 2 days initially) focussed on Microsoft’s core technologies, Azure RMS and Office 365 IRM.
- Working initially with the security team and IT department, we start with an Information Protection workshop to educate and help you understand enterprise mobility and information protection.
- We look at and demonstrate the technologies and discuss strategies, use cases and policies to provide the foundation of a solution.
- If required, we can also help to define an audit process to aid you in the analysis of the current state of information protection, information types and templates, and existing policies and processes (where they exist), to generate a better understanding of the way information is created, shared and used both inside and outside the company.
Essentially the workshop will help you better understand the value of Office 365 and AzRMS for protecting sensitive data whilst explaining how to maximise the value of any existing investment in Microsoft’s Cloud services and licenses that the business may already have.
The output of the workshop is a simple report, providing a series of recommendations and next steps to guide you on how best to enable access to and share information safely on the move from anywhere and on a variety of devices.
The next step beyond this basic workshop is to define and build a small pilot solution that can add immediate value while demonstrating the capabilities to business users and executive sponsors within the company.
Then, following on from a pilot we can discuss how information protection can form part of a broader Cloud and enterprise mobility solution for your company, including areas such as:
- Hybrid Identity solutions – enabling people to access applications and services.
- Device Management – to enable and manage the plethora of devices on your network.
- Better integration and use of Microsoft Azure within your business – the operational changes required to get the most out of Microsoft Azure services.
This could be the start of your approach to protecting and sharing your data assets in the cloud, and a valuable addition to your existing cloud investment.
By Stuart Nielsen-Marsh
Stuart Nielsen-Marsh is an Enterprise Strategy Consultant focussed on Microsoft Cloud. With over 20 years’ experience in the IT industry, he has worked in various senior roles, including positions at Microsoft and a Microsoft Partner company.