Post 15: Cloud and SaaS Risk Dimensions

Our organization has invested in SaaS solutions in recent years and there is a strong indication the trend will continue. There continues to be growing interest in maturing how we approach security with regard to cloud usage. EAs need to have an awareness of how security affects technology selection. I acquired an article from Gartner through my graduate program that is a bit dated, 2013, but still provides some good insights to structure our thinking. EAs and security professionals need to have such insights to assess the risk aspects of different forms of vendor provisioned IT services.

What I realized from this whitepaper is that our risk increases by the mere fact that it becomes increasingly harder to assess and control risk as our data is distributed further and further, and shared with partners, in the cloud. To define where to begin assessing our risk, we need a model that shows where the boundaries of control exist and where risk is greatest. Figure 1 is an excerpt from the Gartner research in which I found a simple yet useful model to help decide where to focus our magnifying lens.

Figure 1. Excerpt from Gartner article concerning the distribution of security responsibility.

References

Gartner resource #G00247629: Analyze the Risk Dimensions of Cloud and SaaS Computing


Post 11: Is IT a Safe Harbor for Your Organization’s Data?

How is the European Safe Harbor ruling affecting your IT strategy, I&O function, and cloud computing / data storage practices? If this is new to you, last year there was quite some fuss over “a court ruling striking down rules for data transfer between the U.S. and Europe [that] will create short-term uncertainty for data center service providers…” (datacenterfrontier.com).


Figure 1. Google search, extremetech.com

According to Forbes, “The court ruled that even if US companies are taking adequate protection measures (and studies show that many are not), the US public authorities are not subject to the Safe Harbor guidelines, thus putting European citizens’ data privacy at risk to US government surveillance” (forbes.com). I have to admit, I didn’t know what Safe Harbor meant when it first came up. As Enterprise Architects, do we too often overlook security and data privacy matters? Should we pay more attention, or leave it to the legal and security guys?

EA Impact?

Where I work, it didn’t take long for functions around Legal, Audit and IT security to respond. There was much more scrutiny on where existing and future data was to be stored. This meant scouring our asset portfolio and service providers to ensure we were on top of the problem. Practically speaking, as an EA working for an international company with a Corporate HQ in France, I’ve not been affected as much as others. Aside from helping to examine which systems might be adversely affected, we mainly kept this security factor in mind during all new vendor and software selection activities. It meant that any cloud hosting provisions by the vendors we were validating had to be anchored in European data centers to ensure the Safe Harbor rules were being followed. How has your organization or EA practice been affected?

Resolution in the Works

As of February 2016, a resolution to the business crisis was reached between EU and US officials, but there’s no obvious time frame for ensuring the agreement is a done deal. As the BBC put it, “the European Commission and US administration must now show total commitment to implementing this agreement and getting trans-Atlantic data flows back onto a secure and stable legal footing” (BBC).

References:
(1) Safe Harbor Ruling (Data Center Frontier). http://datacenterfrontier.com/what-the-european-safe-harbor-ruling-means-for-data-centers/
(2) Safe Harbor Update (BBC). http://www.bbc.com/news/technology-35471851
(3) Safe Harbor Ruling (Forbes). http://www.forbes.com/sites/riskmap/2015/10/27/the-eu-safe-harbor-agreement-is-dead-heres-what-to-do-about-it/#40d0bbdb7171