Business Transformation increases Attack Surface

Data security consultancy offers seven steps to a successful transition to Cloud and Mobility environments.

Tuesday, 16th July 2013, by Phil Alsop

Auriga Consulting Ltd (Auriga) has cautioned that organisations transitioning to new environments could potentially expose core business processes and data to unnecessary risk. Business transformation has been a top priority in the boardroom over the course of the last year as organisations seek to harness the advantages of cloud or mobility deployments, but the business case can often overshadow the potential threats brought about by change. Business transformation differs from other change management projects in that it straddles the corporate/IT divide. Transformation therefore needs to embrace strategic and technical best practice, from assigning responsibility and ensuring stakeholder buy-in to mapping business processes and protecting data and its integrity, confidentiality and availability.


Business transformation involves making radical alterations to the way a business functions in order to embrace and utilise changes in market conditions. Transformation may be motivated by numerous factors, from reducing costs to maximising efficiency, and these factors often dictate the pace of change. But in addition to the business case and feasibility, it is also vital that the organisation examine business impact from a corporate and IT perspective and acknowledge the risks posed by the transition. Top threats such as data loss, data breaches, account hijacking, insecure APIs, denial of service and malicious insiders can use the greater attack surface created by transformation to target and exploit the organisation.


A larger threat landscape with limited control over the infrastructure can seem a daunting prospect, but aligning organisational requirements with security controls and taking a business-centric approach can help mitigate risk. Before any organisation can consider a cloud or mobile solution it must first understand its current operating model and data landscape. An organisation deploying a cloud SaaS solution to host business-critical data, for example, must take into account compatibility with existing technologies, governance requirements, geographical locations, mobile platforms and capabilities. Treating these multiple entities as a unified system allows a better understanding of the risks and the application of security controls that span the organisation and beyond.


The following seven steps can ensure a strategic and technical transformation that delivers business advantage while mitigating risk:
· Use a business-driven strategy – the business will have the holistic view, and a seamless mobile or cloud strategy must be delivered from a position where the organisation’s business processes are fully understood. As a business strategy and not just an ICT strategy, transformation will need representation from across the organisation; this includes HR, Legal, Governance, etc.
· Listen to the workforce – to help determine what processes are in place now and what should be put in place for the future, and assign responsibility. The IT department is an enabler and, most importantly, will be responsible for articulating what the IT estate looks like today.
· Focus on tangibles and logistics – define a set of focused, comprehensive clarification questions for potential suppliers. These must include questions about the geographic location of technologies and support staff, SLAs and intellectual property rights.
· Map core business processes – consider the rationale behind the transition:


1. Is the organisation seeking to make business processes more efficient? The cloud offers great flexibility on scalability, and it is paramount to map the infrastructure requirement to business efficiency.
2. How do the processes align with the organisational target operating model? The infrastructure should be deployed to allow for organisational growth.
3. Who is responsible for the current processes? Understanding the requirements of key members of staff will ensure an efficient system at every business level. Understand the roles and responsibilities and assess the skill set available. Do you have the right person in the right role, and how can efficiencies be made?
4. What are the timelines involved in current processes? Can these be shortened in the new system?
5. How will these processes be supported in an externally hosted infrastructure? Organisational compatibility is key to the choice of cloud technology.
· Classify data – seek to categorise and classify data in order of importance to specific processes. Only retain data for defined periods of time before it is destroyed; this reduces risk and eases infrastructure requirements. It is important to note that back-up procedures may change on a hosted infrastructure, and SLAs should align the client’s policies to the provider’s services. How are you destroying data? Have a strategy that is traceable, sustainable and fit for purpose.
· Protect data and data assets – as well as protecting data in transit, it is also important to consider data in the virtual environment. Virtualisation offers benefits in terms of multi-tenant architectures, better efficiency and utilisation, and data centre consolidation, which is why the technology is so widely used in cloud computing. However, it brings further data security considerations for the business transitioning to the cloud, specifically: hypervisor lockdown, guest virtual machines (VMs), inter-VM security, performance, data separation and secure sanitisation.
· Prize data integrity – The integrity of data should never be compromised. The client organisation must always be in full control of all data ownership. If the provider’s premises are raided due to legal implications from their own activities or due to another tenant, the client needs to make sure that under no circumstances should their data be subject to investigation. Confidentiality, availability and integrity need to be at the forefront of the IT Manager’s mind when embarking on an infrastructure transformation project.
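The "Classify data" step above asks for data classified by the process it serves, retained only for a defined period, and for the provider's back-up retention to be aligned with the client's policy. The following is an added example of how those three checks can be made mechanical; it is not Auriga's code or part of the original article. The classification levels, the retention schedule in `RETENTION_DAYS`, and the sample records and provider SLA figures are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum


class Classification(IntEnum):
    # Ordered so that a higher value means more sensitive data.
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Hypothetical retention schedule in days per classification (an assumption
# for this example; a real schedule comes from the organisation's policy).
RETENTION_DAYS = {
    Classification.PUBLIC: 3650,
    Classification.INTERNAL: 1095,
    Classification.CONFIDENTIAL: 365,
    Classification.RESTRICTED: 90,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    process: str                    # business process the data supports
    classification: Classification
    created: date
    destroyed: bool = False         # set once secure sanitisation is confirmed


def retention_deadline(record: Record) -> date:
    """Last day the record may be kept under the retention schedule."""
    return record.created + timedelta(days=RETENTION_DAYS[record.classification])


def records_due_for_destruction(records, today: date):
    """IDs of records past their retention deadline that still exist."""
    return sorted(r.record_id for r in records
                  if not r.destroyed and retention_deadline(r) < today)


def highest_classification_per_process(records):
    """Highest classification each business process handles; the controls a
    process inherits are driven by the most sensitive data it touches."""
    highest = {}
    for r in records:
        if r.process not in highest or r.classification > highest[r.process]:
            highest[r.process] = r.classification
    return {process: cls.name for process, cls in highest.items()}


def sla_gaps(provider_backup_retention_days):
    """Classifications where the provider's back-up retention is undefined or
    longer than the client policy, so provider copies would outlive the data."""
    gaps = []
    for cls, policy_days in RETENTION_DAYS.items():
        provider_days = provider_backup_retention_days.get(cls.name.lower())
        if provider_days is None or provider_days > policy_days:
            gaps.append(cls.name.lower())
    return gaps


# Constructed sample inventory: a few records across three business processes.
SAMPLE_RECORDS = [
    Record("R-001", "payroll", Classification.RESTRICTED, date(2013, 1, 10)),
    Record("R-002", "payroll", Classification.RESTRICTED, date(2013, 6, 1)),
    Record("R-003", "marketing", Classification.PUBLIC, date(2010, 3, 1)),
    Record("R-004", "hr-onboarding", Classification.CONFIDENTIAL, date(2012, 5, 20), destroyed=True),
    Record("R-005", "hr-onboarding", Classification.CONFIDENTIAL, date(2012, 5, 20)),
]

# Constructed provider SLA: back-up retention in days, keyed by classification.
# "internal" is missing and "confidential" is kept longer than policy allows.
SAMPLE_PROVIDER_SLA = {"public": 3650, "confidential": 400, "restricted": 90}


def main():
    today = date(2013, 7, 16)
    print("Due for destruction:", records_due_for_destruction(SAMPLE_RECORDS, today))
    print("Highest classification per process:", highest_classification_per_process(SAMPLE_RECORDS))
    print("SLA gaps against retention policy:", sla_gaps(SAMPLE_PROVIDER_SLA))


if __name__ == "__main__":
    main()
```

The two outputs worth acting on are the destruction list (records that should already have been sanitised, which is the "how are you destroying data?" question made testable) and the SLA gaps: a provider that keeps back-ups longer than the client's own schedule, or makes no commitment at all for a class of data, leaves copies outside the client's control.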

“Business transformation is a radical undertaking which can make or break the business. Methodical planning is required to explore the impact on the organisation, contextual risks, and how best to secure stakeholder buy-in to determine whether a phased, big bang or pilot implementation is appropriate. Post-implementation, the organisation can still be at risk while the new systems and processes bed down, making monitoring processes that measure performance essential to success,” said Louise T. Dunne, Managing Director, Auriga. “Business assets are exposed and vulnerable during the transition period so transformation should never be treated as just another change management project. By observing the above procedures and approaching the transition methodically, it is possible to achieve transformation with strategic and technical merit while avoiding compromise.”