Advenica

In today's digitalised world it is increasingly important to protect information. The more online we are, and the more systems are interconnected, the easier it is for a potential attacker to find doors to critical information.

However, protecting all of a company's information flows at the same level will either be very costly for information that does not require the highest level of protection, or give too little protection to the information that most needs it.

According to a survey by Kaspersky Lab, 57% of IT managers find the development of more complex infrastructures that include clouds and mobility a major challenge from a security perspective. 36% of them say they do not have a budget that allows them to protect themselves from intrusion and crime.

But is it possible to be 100% protected? Won’t that be extremely expensive?

By making a risk and security analysis of your information, you can identify which information is most critical and worth protecting. Once you know this, you can build an information architecture that puts the sensitive information in a safe zone. By focusing the major security measures on this specific zone, and doing it properly, you can limit costs while ensuring that the critical information is protected without unnecessary restrictions on accessibility.

Want to know how? Read more about our risk and security analysis.

Advenica

“Confidential information must be considered breached”. This is stated by a Swedish Legal Expert Group in a recently published statement on the use of cloud services for confidential information.

This applies to cases where the information is handled by a service provider that is subject to a jurisdiction that may force the supplier to disclose the data without legal grounds in Swedish law.

One example: A few years ago, the city of Gothenburg procured cloud services for its employees' computers. The idea was to use Office365 for confidential information. Due to security concerns, the issue has been passed around between various bodies since then. The issue was highlighted by the CLOUD Act, a US law that forces service providers to disclose information to US authorities, without regard to the local legislation where the client is located.

It is satisfying that the question is highlighted from a legal perspective, and that the conclusion is what it is. As in the example above, why should the U.S. authorities have access to confidential information about people in Gothenburg?

Before digitisation, we would never have accepted that a foreign authority held a key to a backdoor into the journal archive at the hospital - why should we accept it today?

How do you rate the security level for confidential information of a cloud service?

What jurisdictions affect the service provider?

Which legal systems can exert pressure on the service provider? This concerns both the ownership and the management structure, all the way down to the operational staff. If these exist in several countries, the risk of disclosure in violation of, e.g., Swedish law is higher.

What other customers does the service provider have?

If the operator has many important customers in one country, the risk that the operator is forced or enticed into unwanted actions is higher.

Where is the information?

It matters greatly in which countries the actual information is located.

How segmented is the information?

Does the supplier share premises, hardware, locks and alarms, and staff between many customers - or are these resources used exclusively for us?

There are service providers who run cloud service technology completely stand-alone. The information is then kept in a designated location, locked in non-shared areas, handled only by designated security-cleared personnel, on hardware that is not shared with any other customer.

How is information prevented from being moved from its designated location?

There is a big difference between a contractual barrier, which can easily be overruled by a government decision, and technical protection which, done in the right way, makes unauthorized access to the information impossible. With the right segmentation, even the service provider's own staff cannot access the information.