BY JOHN WALKER
Economics dictates that the CEO, and CFO have a balancing act delivering security, and quality operational services, whilst at the same time, attempting to reduce the organisational and operational costs of delivering the business’ mission.
One opportunity in focus is that of ‘CloudSourcing’, where, depending on the size and type of business, they may be considering engaging in a contract in which part, or all, of their operations are placed into the hands of a Cloud Provider, be this SaaS, PaaS, IaaS or any other such ‘Anything-as-a-Service’ that may accommodate the operational model.
As was also the case with the precursor to Cloud – outsourcing. Here, with a well thought-through obligated contact, and set of operational services, not only were cost reductions to be achieved, but also, when empowered correctly, this delivers operational benefits and overall enhancements to the delivery chain of service and the business mission.
However, there is always an element that springs the question of, what-if? And here the question is ‘what if such an engagement exposes the organisation?’ – Security, the big question.
There is no doubt that the security question is the one which poses the most anguish. However, as with any operational engagement, set up correctly with a best-fit partner, underpinned with contracted obligations, Service Level Agreements (SLAs) and Service Reviews, it is possible to promote such an engagement into the world of secure operational efficiency, but just how can one achieve this?
First of all, let us consider that of the internal operations, which have not always what they should. Organisation have lost significant amounts of data to theft, compromise, or just slack practice. Organisation suffered breaches the like of which would make any CISO turn grey overnight if it happened to them.
We have seen Governments lose enormous amounts of data relating to individuals, patients and tax payers, to name but just a few.
And in the US, the SB1386 Data Loss notification has, at times, become such a common communication, it gets mixed up with the general mail that falls into the letter box. It is all very well scaremongering about Cloud, but one, nevertheless, has to consider the losses to date in order to understand the concerns. Internal hosting has proven, at times, to also be insecure.
One other obvious area which raised some real concern over internal operations came out of an InfoSec survey conducted in February 2011. A question was posed to the attending delegates of a webinar as to their understanding of Cloud and Virtualisation. The response was a resounding 84% did not feel they fully understood it. It was even more worrying when 0% reported that they did not understand Cloud and Virtualisation.
So, let us consider a possible way forward.
The first important aspect to consider a quality CloudSourcing Provider who will have state-of-the-art premises, highly-trained staff and current equipment tuned to deliver. A further advantage of the Cloud Provider is, they are in business to deliver operational solutions, whilst the engaging business partner is in business to deliver product, or service, and here such well-planned partnerships can work extremely well.
The difficult part is selecting a partner that meets the business’ exacting needs. It is here where engaging an offering like that of the Common Assurance Maturity Model (CAMM) can pay dividends. CAMM is an organisation seeking to Audit, Measure, and Qualify the Operational, and Security Profile of a Cloud Provider. CAMM will report on the benefits, and of the profile of the organisation represented by a clear menu-driven dashboard, thus enabling the business to make a decision based on quality information rather that sales hype or singular-focused research.
The other benefits of CAMM are that it will continue to assess and assure the offering still exists against the original assessment, by conducting periodic assessments and audits, and thus in this way, the level of assurance can be significantly increased over the lifetime of a contract.
Can Cloud be secure? Yes, can Cloud be insecure? Yes. Just like any delivery of security, done well, with a well-selected partner, it can be efficient, meet security expectations and provide excellent services. Done badly, as with any internal operation, it could present opportunities for data leakage, insecurity and operational impact. But as we have seen, this equally applies to the inter-organisation delivery of security.
Cloud, engaged with independent assessment, a well engaged partnership with a Cloud provider who meets the organisational expectation, plugged into clear SLAs, contracts and service reviews can work very well and, above all, be secure. Plugged into the Business Security Policy extracts, Incident Reporting, and other such security touch-points, one should expect the security profile to match, if not exceed, anything that may be found in-house with most organisations.
John Walker is head of Security Bastion Ltd.