Tuesday, June 12, 2018

MANUFACTURING IN THE CLOUD: PART XV: WHO IS RESPONSIBLE FOR SOFTWARE AND DATA SECURITY AND REGULATORY COMPLIANCE IN THE CLOUD?

This blog is a MESA Member Point of View.

By Goran Novkovic, MESA Member, CQA, CSQE, ITIL, APM, PMP, PEng

This blog is part of a series called Manufacturing in the Cloud. This series aims to assist manufacturing organizations to evaluate how they can overcome challenges and maximize cloud computing benefits. As cloud computing services mature both commercially and technologically, this is likely to become relatively easier to achieve.

Despite what Cloud Service Providers (CSPs) promise, software and data security and regulatory compliance in the cloud should not be taken for granted. Security in the cloud is often intangible and less visible, which may create anxiety about what data and software applications are actually secured and controlled.

This does not mean that clouds in general are insecure, but that the effort required of manufacturing organizations to ensure that their security and regulatory compliance requirements are met will be greater than for more mature, standardized computing models and approaches. Accordingly, the security challenges of cloud computing deserve full attention from a number of different angles.

In the current cloud computing landscape, there are a number of security and regulatory compliance challenges in adopting cloud computing models. Many of these challenges will already be familiar to manufacturing organizations with traditional outsourcing arrangements, but they are still likely to cause some concern when adopting cloud computing.

Regulatory compliance, depending on the type of business processes that manufacturing organizations plan to run in the cloud, can be very important. Cloud Service Customers (CSCs) may be under statutory, regulatory or contractual obligations to ensure that data is held, processed and managed in a certain way. Every manufacturing organization wants to ensure that it is compliant with the specific laws and regulations that apply to it.

Cloud Service Providers (CSPs) always promise that cloud computing is secure and that many security functions are available in the cloud, so that manufacturing organizations can easily satisfy all their security and regulatory compliance goals. However, the idea that risk is outsourced to the CSP is wrong! Once again, where data and software applications are concerned, the responsibility for data security and regulatory compliance firmly resides with the manufacturing organization. A CSP may operate some of the controls, but accountability to regulators, customers and auditors stays with the CSC. These responsibilities must be clarified through policies and contracts between CSP and CSC that set out security obligations and define the responsibilities of all parties involved in the cloud.


EXAMPLE CONTRACTS

A good example of such a contract is the Service Level Agreement (SLA), a legally binding agreement between the manufacturing organization as Cloud Service Customer (CSC) and the Cloud Service Provider (CSP), as well as between the manufacturing organization and its Internet Service Provider (ISP). So, we are looking at two different Service Level Agreements (SLAs), and both are critically important for the manufacturing organization.

A manufacturing organization may have an extraordinary CSP, but if its ISP does not provide a reliable Internet connection to the cloud, it might as well be out of business. It may also have good Internet service from its ISP, but if there is something wrong with the resources in the cloud provided by the CSP, it could equally be out of business.
So, both CSP and ISP are equally important. All terms and conditions should be negotiated and defined in separate SLAs with the CSP and the ISP. In terms of cloud computing, the real catch here is that all major Cloud Service Providers basically offer only one standard SLA that Cloud Service Customers have to fit into rather than negotiate. This is actually not bad news for manufacturing organizations that are responsible for software and data security and for satisfying regulatory compliance requirements in the cloud, since the CSP provides direction related to the specific industry sector that your manufacturing organization is in. Keep in mind that a standard SLA typically covers service availability and service credits; the CSP's security and compliance commitments are usually set out in separate terms and attestation reports, so both need to be reviewed against your own obligations.


Goran Novkovic, CQA, CSQE, ITIL, APM, PMP, PEng
Goran is a Director in the Cyber-Kinetic Security practice at PwC. He is a Professional Engineer with 17 years of experience in Operational Technology/Industrial Control Systems cybersecurity. Goran provides expertise in OT/ICS cybersecurity management and combines it with IT/OT convergence, industrial intelligence and innovative technology solutions (Big Data, AI, ML, IoT/IIoT, Industrial Analytics). Goran helps manufacturing organizations to define their cybersecurity goals and objectives, and to determine where they currently are and where they want to be in terms of organizational cybersecurity and digital transformation. He works with manufacturing organizations to successfully manage OT/ICS challenges by establishing strong OT cybersecurity governance, defining OT cybersecurity frameworks and developing OT cybersecurity programs from scratch. His approach to OT/ICS cybersecurity includes addressing the safety and security of information, technology, people and facilities. Goran helps manufacturing organizations to improve their cybersecurity culture by developing and delivering cybersecurity training and awareness programs. Goran treats cybersecurity initiatives as opportunities for optimization, improvement and innovation for every manufacturing organization, no matter the size or industry sector.
E-mail contact: goran.novkovic@pwc.com
