What’s it like being in charge of the protection of the second most cyber-attacked organisation on earth? We ask Microsoft Asia’s information security guru

Pierre Noel (pictured) is a man with his head in the clouds. And that’s just where the cranium of Microsoft Asia’s chief security officer and adviser needs to be because, as he puts it, “a lot of organisations and governments are looking at cloud computing as a way to reduce costs and they want to make sure it does not generate IT or security risks”.

Talking to StrategicRISK following his most recent trip to Bangkok, Noel explained that his presence in Thailand was required to assist with such a project. “It’s nothing related to what’s happening [the social unrest] at the very moment,” he told SR. “I was in discussion with the major ISDs and the government of Thailand for a long-term project.

“In fact, what I was doing in Thailand is very similar to what I’m doing in the rest of Asia. I am helping the governments of Thailand, Vietnam, Myanmar and others to build the cyber-security frameworks for their nations – so it’s helping these nations to have a proper vision and all the necessary elements to address cyber security in a meaningful way.”

This work is part of Noel’s remit as head of a team of security advisers. “A Microsoft security adviser is a very strange beast,” he said. “We do the work that some consultant would do for a lot of money, but we don’t charge any money at all; we just do it to make sure our customers at government level as well as private sector level have the right security and are properly enabled and educated to address any type of security incident that they might face.”

Furthermore, Noel’s work as Microsoft Asia’s chief security officer means he must “make sure that everything is done the right way inside Microsoft, from South Korea and New Zealand to India”.

“That role is no different to any chief security officer, with the caveat that Microsoft is the second most attacked organisation on the face of the planet – the first one being the Pentagon – and the fact that also overall on a worldwide basis, we’ve got around one million servers facing the internet, which is a pretty big number,” he said.

Cloud risks?

It’s no secret that advancements in technology have spawned a host of sophisticated threats such as hacking, cyber espionage, phishing and malware. It’s also a commonly held belief that using cloud computing is a good way to exacerbate such threats. However, Noel explained, the latter assumption is largely false.

“Many organisations in Asia have very weak systems with the data centres in terms of resiliency and also in terms of security, and very often moving to a cloud solution gives them more security and certainly more resilience than they currently have,” he said.

“With the exceptions of a few organisations and governments, I can safely say that a cloud offering is more secure and resilient than what people have today in their data centres.”

Noel cites as an example his work with a national government in Asia that has about 150 bureaux and departments. “Up until recently, every bureau and department was running its own IT and security, so the government decided to solidify everything into a private cloud that is owned and run by that government,” Noel said.

“The risk as far as the government was concerned is certainly not bigger than what it was; in fact, it is much better than it was.”

Risk assessment

A Belgian citizen who has lived in Asia for more than 20 years, Noel has a great deal of experience in both the information security and enterprise risk management fields with organisations such as IBM, KPMG and Arial Group International. He points out that all too often organisations perform analyses on the risks associated with moving to cloud without looking at the current risk landscape.

However, any entity working on its cloud strategy needs to fully understand the risks associated with its existing arrangement. “Then look at the risks associated with moving to a private cloud or public cloud, and you will be better positioned to decide where the risks really are and whether you have a true increase of risk,” he said.

One thing that Noel is quite certain about is that “cloud is here to stay”, whether it be private, public, or a combination of both. “It’s not a question of should I move to cloud, it’s much more a question of when am I going to move to cloud,” he said.

“However, you have to factor perception into the whole discussion process because organisations don’t understand the whole dynamic of cloud. This is the reality that we are facing right now.”

Noel accepts that no organisation should put any critical or personal identification information on a public cloud. “But private cloud is perfectly OK considering that most of the time the private cloud is run by the organisation itself,” he said.

“We still have big reluctance from regulators, especially finance regulators – and they are absolutely right at this stage – to allow any regulated organisation to move personal information or any information that can be deemed critical onto a cloud.

“It’s not from a technical angle, it’s more from a perception angle, but it’s a barrier and limit that we should not break at the moment.”