With major restrictions and inherent limitations in most IT environments, it’s become an attractive option for businesses. Concerns such as spending restrictions; immature capacity management; uncertain demand forecasting; duplication of capability; slow delivery of infrastructure and slow business application delivery all lead businesses to look wistfully at cloud computing.
Look around, every traditional IT services provider and emerging cloud pure player is offering cloud services which claim to optimise and improve your organisation’s resource utilisation. The value proposition is touted to increase service response times, allow faster provisioning of components across the IT stack, reduce lead times for software implementation, and improve service capability – all through using a pay-per-use model. On the face of it, it’s a really compelling case, it’s easy to understand why executives get excited.
Cloud services are maturing rapidly, they now include the traditional IT stack—datacentre, hosting hardware, storage, databases, middleware platforms, monitoring, and business software as a turnkey service.
As security professionals we can either put forward arguments against a move to the cloud, or we can assist our organisations by putting together a risk-based decision framework that will assist in making an informed decision when embracing the cloud.
The risks, loss or leakage of data, compromised cloud systems, data security, privacy, legal and regulatory obligations, compliance practices and established security standards all need consideration, so a risk-based framework will guide the organisation through this.
In my experience this four pillar framework, supported by a 25 point controls plan (which I dub CloudAdopt25, will provide a sound basis for ensuring informed decision are made. (More on CloudAopt25 next month.)
Pillar 1 – Identify
The Identify Pillar deals with the organisation identifying projects, programs or services that have high establishment costs, low utilisation, or are expensive to run and operate, as candidates for the Cloud. Consideration should be given to services that require rapid turnaround, are seasonal, or have a short usage timeframe but require long lead times for IT support infrastructure to be established, as services that will be able to use cloud services with minimal disruptions and risk to the wider business.
Pillar 2 –Assess
The Assess Pillar refers to the organisation assessing its obligations and controls relevant to information security, authorisation to operate, security event monitoring, logging and reporting. A summarised list of 10 security obligations were discussed in a recent article 'To Cloud or Not To Cloud', addressing a number of obligations covering statutory compliance, privacy, confidentiality and access controls relating to the physicality and location of the cloud.
In addition to security, privacy and compliance, a very important element of this pillar is the service characteristics that the cloud provides—including reliability, scalability, portability vendor stability and the backward architectural compatibility that the cloud service provides with the organisation. (See Adapted from Federal Cloud Computing Strategy, February 08 2011 PDF).
Another important element of cloud readiness is to ensure that your organisation’s network infrastructure is capable of the extra network load and bandwidth requirements that cloud usage will add to the environment.
During this phase, ensure that you capture your organisation’s technology and asset refresh lifecycle. Unknown dependencies or gaps in support capabilities (such as legacy contracts, network restrictions or desktop SOE limitations) can cause disruptions to business services.
Pillar 3 – Establish
The Establishment phase is where an organisation puts processes into place for the use and consumption of cloud services. The focus of this pillar is to document any service fulfilment requirements that are required by the organisation. It is important to be precise when determining operating processes; they will need to integrate with your processes, especially around change, problem, incident, capacity and availability.
It is during this phase of the cloud decision framework that your organisation will establish service level agreements (SLAs) and rules of engagement that will assist in managing the performance of cloud service. All obligations and controls regarding information security, authorisation to operate, security event monitoring, logging, reporting, cloud service reliability, scalability, portability vendor stability and backward architectural compatibility are required to be discussed and documented to ensure true value can be derived when embracing cloud services.
Pillar 4 – Govern
The Govern Pillar is the last and most important pillar. It will ensure the continued success of the services that have been cloud–sourced, and will provide the required checks and balances to ensure the integrity of your organisation’s data assets within the cloud. This was raised in an earlier article 'Auditing Cloud Service', but they’re summarised below.
- Establish governance structures to provide continuous real-time reporting for services being consumed.
- Ensure control obligations are met via established regular reporting cycles.
- Report against the cloud services provider’s compliance requirements.
- Implement independent verification of detective and preventative technology controls to ensure confidentiality, integrity and the availability of data and information assets that are cloud sourced.
- Introduce contracts that outline SLAs and service provider obligations and organisational responsibilities.
- Clearly document roles and responsibilities assisting service establishment and closure.
Follow @CSO_Australia and sign up to the CSO Australia newsletter.
______________________________________________________________________________________
CSO Announcement
Register Today. Hear from Rob Livingstone, Michael Barnes, Steve Quane and Dave Asprey amongst others on the Evolution, Trends, Solutions and the Future of Cloud Security, limited seats register today through CSO.
______________________________________________________________________________________