ISACA Journal
Volume 3, 2,018 


Information Security Matters: Security in the Migration to a Multi-Modal Environment 

Steven J. Ross, CISA, CISSP, MBCP 

I have been a data center rat my whole career, starting as a systems engineer for a hardware vendor and, today, as a consultant. I love seeing (not touching) the machines, the computer room air conditioning (CRAC) units, the power distribution units (PDUs), the cabling, the uninterruptible power supply (UPS), the quiet hum of work being done somewhere just outside the doors or far away. Heck, I even love writing all the acronyms. And now it is all disappearing into the cloud and to remote commercial data centers (which is really the same thing).

Back when jet planes were doing to ocean liners what the cloud is doing to data centers today, the Cunard line ran ads that said, “Getting There is Half the Fun!”1 For information security professionals, the trip from a proprietary data center to a combination of cloud computing, Software as a Service (SaaS), colocation (colo) facilities and managed services is not half the fun. But it does not have to be an agonizing journey either.

The Importance of Planning

The most important factor in any successful voyage is knowing where you are going. In the migration to a multi-modal environment, this implies detailed and well-documented planning. The documentation is especially important, because the journey will likely be a long and arduous one; there will be some who leave it and others who join in the middle. It is all well and good to know where you are going, but a good road map is always helpful. And it is on the basis of this plan and its documentation that (information) security along the route will be determined.

A common mistake I have observed with some information security professionals is to stomp their feet, hold their breath and cry, “I’m not going” and, by implication, neither are you. It is not an original observation, but change is difficult. The current environment may be familiar and there may have been considerable investment in securing both the physical and logical infrastructure, but the combination of financial, technical and environmental pressures is making this transition inevitable. Standing in the way only demeans information security; it is seen as a roadblock and it does nothing to improve the eventual quality of security.

Information Security and IT Operations

It is far more valuable for the information security function to be a part of the planning process, in close alignment with IT operations. Information security makes policy, and operations implements it. With the move to multi-modalism, both are facing significant transformation in their job functions. They are both moving from doing things to making sure that third parties do those things. In effect, both security and IT operations are transitioning to vendor management functions. They have a shared stake at this point in the migration to ensure that the vendors make things go right. (And so, not really by the way, does IT audit.)

Of course, this is not a new experience; organizations have been choosing to use SaaS for decades, even if they did not call it SaaS.2 The difference is that the applications moving out of the data center are increasingly at the core of the mission of the organization. For just one example, SAP is, for many organizations, their most critical application. The company is committed to supporting in-house versions of its widely adopted software until 2025,3 but not thereafter. SAP users are confronting the move to the cloud in their strategic planning today. It is time now to consider how critical applications and data will be protected once they are running on someone else’s computers in someone else’s data center.4 Attention must also be given to how they will be protected while this move is occurring.

Security En Route

It is almost impossible to move all of an organization’s applications at once. For one thing, they will not all be going to the same places the same way. For example, some may be transferred to the cloud, but remain essentially unchanged otherwise. Others may be replaced by superior vendor-derived applications. Some may be “lifted and shifted” to a colo facility, and possibly into the cloud thereafter. Assuring that only authorized users access only the applications and data they are authorized to use—and that unauthorized people and systems do not—is challenging enough in a relatively stable environment. It is well-nigh impossible when the hardware, software, network and physical locations of the applications and data in question change from day to day.

The solution is to focus on the process. If security professionals think of the gestalt of the information, the applications that manipulate it and the infrastructure that supports it, rather than its constituent parts (admittedly, a difficult task), securing the migration to multi-modalism becomes comprehensible, if not easy. Nobody ever thought it would be easy, but this era of information technology may offer a once-in-a-generation opportunity to rethink the architecture of security.

Trust No One

One thing that can be said for proprietary data centers and the hardware and software in them: We knew who had the ability to enter and touch the physical manifestations of information technology. We had a basis for establishing trust in those people. In multi-modal environments we do not know who or what can go where, so trust no one. Every person and the systems they use—their domains—must be discretely tied to the applications and data they are allowed to use. Each individual must present those credentials before using the resources. The credentials themselves must be protected with public key cryptosystems. Movement from domain to domain must require a return to a checkpoint for credentials to be revalidated.

All of this security must be built into the environment. The last time there was a shift of this magnitude in the way information technology was organized occurred when we moved from massive centralization—mainframes—to distributed processing.5 Candidly, we security professionals did not manage that one well. In fairness, there was not the perception of the need for security on the part of the vendors that there is today. A security architecture something like the one I described above needs to be a part of the selection criteria for multi-modal services.

It took a decade or more to get back to the level of security that centralization offered. The advent of viruses, distributed denial-of-service (DDoS) attacks and data leakage has underscored that failure. It remains to be seen whether we will do better this time.

Author’s Note

I very much enjoy hearing from readers of this column, either with criticism (which makes me better) or praise (which makes me smile). Some choose to email me, which is great, and others use the Comments section of the online ISACA Journal, which is also great. If you do write a Comment online, I urge you to check back later. I always read your comments and I always reply.


1 Edwards, J.; “Getting There Is Half the Fun!” Ocean Liners Magazine, 10 October 2014,
2 Applications running on cloud technology are SaaS, but not all SaaS applications are in the cloud. Some are simply accessed over the Internet, without the multi-center concurrency of true cloud technology.
3 SAP, “SAP Maintenance and SAP Enterprise Support—Prolonged Commitments Until 2025,”
4 I gave some of my thoughts about that in Ross, S.; “Information Security in the Multi-Modal Era,” ISACA Journal, vol. 5, 2017,
5 Some may say that the era of portable devices is an equally great transformation. From the individual’s standpoint, that is so. But for the management of organizations and governments, I do not see it that way. No organization I know is running general ledger on a smartphone.

Steven J. Ross, CISA, CISSP, MBCP
Is executive principal of Risk Masters International LLC. Ross has been writing one of the Journal’s most popular columns since 1998. He can be reached at


Add Comments

Recent Comments

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.