
The Game of Clouds – How Do You Procure And Stay Secure?

Finding the right cloud solution is a huge challenge and you can kiss goodbye to hoped for savings if you sign on the dotted line THEN focus on required functionality and security.

The great Thrones-inspired map from Cloud Endure’s blog includes the 54 best software offerings in the Amazon Web Services (AWS) marketplace. It’s not exhaustive (there are many other providers, platforms and cloud models to investigate), but it’s an unusually consolidated view of key types* of cloud software. A refreshing change from drowning in very specific “top ten” or “best cloud” guides.

So where do you start when the board are champing at the bit to play the game of clouds, itching to beat their competitors and desperate to realize advertised savings? How do you sift through the rafts of security advice, and what are the better solutions in the land beyond the wall?


*01/06/2014: Cloud Endure assessed 2291 AWS hosted products in three main categories (Business Software, Developer Tools, and Software Infrastructure), focusing on companies with at least two reviews of 3 stars or higher.

The sheer scale and complexity of the cloud market is daunting, and piecemeal advice can hobble your attempts to find your prize: the solution that’s functionally and financially fit for purpose, but also secure.

Yes, security is still part of many cloud related headlines. The Cloud Security Alliance wouldn’t have 57,000 LinkedIn followers if everyone was comfy firing sensitive data into the ether, or happily dependent on cloud services to underpin critical high availability processes. But there’s less risk than many would have you believe, and potential savings are impossible to ignore.

For anyone still working out how to leverage cloud IT profitably and securely, I have put together a list of some key considerations: a survival guide for the search and selection journey, referring out to sources of more in-depth advice. It focuses most on how to integrate security into your procurement activities, but gives more than a nod to more general challenges.

Sorry to disappoint, but there won’t be more Game of Thrones analogies. I was tempted, but I’m too scared of retribution from the real fire and ice crew – the pictured newlyweds for instance.

Get a cloud policy in place if you haven’t already

You need a well-known plan for different options and circumstances, something that all stakeholders understand and sign up to. A document that is explicit about what is and isn’t a tolerable risk and the related oversight and controls to be in place. Shadow IT isn’t just media hype. If you don’t write and share your cloud usage policy soon, your staff, seduced by the scent of cheap, quick and easy, will decide their own. They may make good choices, but you will have no oversight.

For more on Shadow IT, check out this TechRepublic article, “How to manage shadow IT without driving it underground”.

Guidance on cloud policy creation (new references welcome) is very variable and mostly high level. The US ICO produced this guide, which has some good internationally transferable content, and there are one or two templates about (for example this one from IT Manager Daily). However, be cautious: never adopt a template before checking it’s in line with best practice and entirely relevant to your business.

Scott Hazdra also shares valuable advice in this Network World article.

If you decide to go down the consultancy route, I recommend being circumspect. There’s a shallow pool of relevant expertise and experience globally. Confirm consultants have enough specific past experience, and perhaps ask to see real anonymised policies created for other clients, before signing contracts.

Put some effort into researching the best solution for you

The web is flooded with vendor produced articles and white papers about cloud solutions. Even when looking at the mainstream IT press, there’s often vendor sponsorship or influence hidden behind apparently agnostic material. So how do you bypass hype and bias?

  • Gartner – A good place to start. Look at their free cloud related information and seriously consider investing in access to their premium content (but bear in mind it may not include all good solutions; inclusion criteria are sometimes questioned). In particular, see their regular Magic Quadrant reports, where they drive out key value metrics for different types of solution and assess market leading products against those benchmarks.
  • The CSA STAR Program – To improve transparency about cloud vendor security, the CSA launched their STAR (Security, Trust & Assurance Registry) program in 2011. Suppliers voluntarily publicise information about their security controls and practices, so more and less risk averse firms can locate a provider matching their regulatory and local control requirements.
  • FedRAMP – If considering a US based company, it’s worth checking if they’re FedRAMP authorised. FedRAMP is a government run security assessment and accreditation program, based on NIST security benchmarks (currently NIST SP 800-53 Rev 4; the link downloads a Word version of the standard). FedRAMP authorisation permits cloud suppliers to bid for federal contracts. It seems to be developing into a de facto standard for cloud security across the US, and compliant suppliers are reporting a significant competitive advantage. There’s also advice on their site about more general supplier selection and governance. Worth a browse.
  • G-Cloud – The UK government’s equivalent to FedRAMP, using ISO27001 as the basis for security requirements and accreditation. Suppliers are also asked to complete an ICO DPA checklist. It has been slow to take off, and businesses have been frustrated by a lack of clarity, not least because the security requirements for suppliers are linked (rationally) to government data classifications, and those classifications are changing. G-Cloud has just hit a meaty, but in terms of market size modest, milestone for spend on solutions through the framework (£200 million by the end of July). However, the framework has a long way to go to bed in, and the security industry has doubts about one move: accreditation will no longer be required from suppliers who don’t need access to the government’s Public Services Network. There’s more on all that in this diginomica article.
  • ISO27001/22301 Certification – Certification against ISO standards is a good indicator that suppliers have a mature approach to security management. However, it’s no guarantee that security controls are working. They may diligently and cyclically assess controls, find many are broken, but get all the right security management documents and processes in place to make the certification grade. By the same token, their ISMS scope might just cover a showcase site, or only include physical security controls. Always ask for evidence of control effectiveness, and check that the services you plan to use and the controls you want to rely on are in scope. If not, it can come as a nasty post-audit surprise.
  • User and SME Reviews – Alternatively, there are resources like the CloudEndure AWS app review, or reviews in the IT press by users or specialists. For smaller cloud offerings, user ratings might be the only source of information about how good or bad they are. When researching, the usual caveats about potentially biased reviews apply.

If a supplier looks right for you functionality, service and cost-wise, don’t assume their security is also up to scratch based purely on a certificate or accreditation. Get your security SMEs to talk to theirs and, if in any doubt, do your own pre-contract assessment as part of the selection process.

Damp down excitement about savings when choosing what to host cloud-side

Not everything is suitable to locate in the cloud. Data sensitivity related protection requirements (nationally and across borders), service availability requirements and how things need to interact with other IT systems all need significant thought.

For another take on that, try out this July article Steve Ranger wrote for ZDNet: “Can you really do it all in the cloud? No way, say tech chiefs”.

For a UK perspective on formal data protection requirements, the Information Commissioner’s Office has a downloadable PDF focused on data handling in the cloud.

There’s also “Cleavage and Clouds”, published by The Analogies Project: my slightly left field take on the risks associated with storing data in the cloud.

Follow the old advice: Don’t outsource problems

If a service is tough to maintain, or hard to manage in-house, transferring it into the cloud isn’t a fix. It will also add an extra layer of uncertainty, with arm’s length governance of security, performance, solution development and cost (among other typical supplier management challenges). Don’t underestimate that additional overhead, and put things in order before offloading functionality. Commentary on this has been done to death, so just one reference for you:

This is not a cloud computing or security related article; it’s an old piece about outsourcing logistics services. Don’t sniff: there’s deep experience of working with 3rd parties in that field, and it really nails the potential pitfalls of going to the cloud thinking it’s a strategic solution in and of itself. It’s a means to a business end and, to quote the article:

“If users don’t know the solution to the problem themselves, it’s unrealistic for them to expect the provider to find a solution in the short term,” says Leslie, warning that a relationship built on such a shaky foundation “is doomed to failure.”

Cloud orchestration: Keep solutions in tune

This is related to my last point. It’s a buzzy term for the art of mapping and linking the diverse IT and process components of services, then making it all work, no matter where it’s hosted, as seamlessly as possible.

Expect to see this term around more in future. Interest in hybrid (part on-site, part off-site) cloud solutions is ramping up, as discussed in this Tech Pro Research article by Teena Hammond.

This article in the Wall Street Journal looks at pre-deployment orchestration and a developing trend towards pre-integrated and orchestrated cloud offerings. Don’t expect to benefit from the latter if you don’t understand how the people, process and technology elements of the cloud-bound service fit together. You need to get that view, then weed out inefficiencies and disconnects.

Select and govern vendors responsibly

DO DUE DILIGENCE. Can’t stress that enough. All solutions, by their nature, are black-box to one extent or another. You can’t expect to poke round under the hood, then demand security or functionality is changed to suit you after agreements are signed.

Get your requirements right, poke around before you buy and be realistic about vendors’ capabilities to meet your security, performance and functional needs. When putting contracts together, embed rock solid security benchmarks, performance expectations, governance responsibilities and incident management requirements. Places you can go for more detailed guidance:

  • The ISF (Information Security Forum) – A well respected independent source of security advice. Their Supplier Security Evaluation Tool is available to all security professionals on request. It’s high level, so you need to shape it to suit your specific needs, but it provides a robust starting point to look at supplier security capabilities, relationship specific requirements and contract exit considerations.

Don’t expect to change the service to suit you

With a cloud service, your savings come from the provider’s economies of scale. If you find out after contracts are signed that the service needs to be changed to meet your functional or security needs, your cost advantage goes down the tubes, one tweak at a time.

In general, if you’re not a cloud security expert, it’s well worth reviewing the CSA’s own advice and links, as they act as a hub for industry-wide cloud security related information.

The information provided here is by no means complete. You are welcome to comment or contact me to point out other good references, but I hope, overall, it helps you securely gain the undeniable commercial and strategic benefits to be found in the cloud.
