Finding the right cloud solution is a huge challenge, and you can kiss goodbye to hoped-for savings if you sign on the dotted line… THEN focus on required functionality and security.
The great Thrones-inspired map from Cloud Endure’s blog includes the 54 best software offerings in the Amazon Web Services (AWS) marketplace. It’s not exhaustive (there are many other providers, platforms and cloud models to investigate), but it’s an unusually consolidated view of key types* of cloud software. A refreshing change from drowning in very specific “top ten” or “best cloud” guides.
So where do you start when the board are champing at the bit to play the game of clouds, itching to beat their competitors and desperate to realise advertised savings? How do you sift through the rafts of security advice, and what are the better solutions in the land beyond the wall?
The sheer scale and complexity of the cloud market is daunting, and piecemeal advice can hobble your attempts to find your prize: the solution that’s functionally and financially fit for purpose, but also secure.
Yes, security is still part of many cloud-related headlines. The Cloud Security Alliance wouldn’t have 57,000 LinkedIn followers if everyone was comfy firing sensitive data into the ether, or happily dependent on cloud services to underpin critical high-availability processes. But there’s less risk than many would have you believe, and the potential savings are impossible to ignore.
For anyone still working out how to leverage cloud IT profitably and securely, I have put together a list of some key considerations: a survival guide for the search and selection journey, referring out to sources of more in-depth advice. It focuses mostly on how to integrate security into your procurement activities, but gives more than a nod to more general challenges.
Sorry to disappoint, but there won’t be more Game of Thrones analogies. I was tempted, but I’m too scared of retribution from the real fire and ice crew – the pictured newlyweds for instance.
Get a cloud policy in place if you haven’t already
You need a well-understood plan for different options and circumstances, something that all stakeholders understand and sign up to: a document that is explicit about what is and isn’t a tolerable risk, and about the related oversight and controls to be in place. Shadow IT isn’t just media hype. If you don’t write and share your cloud usage policy soon, your staff, seduced by the scent of cheap, quick and easy, will decide their own. They may make good choices, but you will have no oversight.
Guidance on cloud policy creation (new references welcome) is very variable and mostly high level. The US ICO produced this guide, which has some good internationally transferable content, and there are one or two templates about (for example this one from IT Manager Daily). However, be cautious: never adopt a template before checking it’s in line with best practice and entirely relevant to your business.
Scott Hazdra also shares valuable advice in this Network World article. If you decide to go down the consultancy route, I recommend being circumspect. There’s a shallow pool of relevant expertise and experience globally. Confirm that consultants have enough specific past experience, and perhaps ask to see real anonymised policies created for other clients, before signing contracts.
Put some effort into researching the best solution for you
The web is flooded with vendor-produced articles and white papers about cloud solutions. Even when looking at the mainstream IT press, there’s often vendor sponsorship or influence hidden behind apparently agnostic material. So how do you bypass hype and bias? Start with these independent reference points:
- FedRAMP – the US government-run security assessment and accreditation program for cloud vendors, based on NIST security benchmarks.
- NIST Special Publication 800-37 (the Risk Management Framework) – The RMF is familiar to most US cybersecurity pros. It is a risk management wrapper to complement the control sets and various standards for cybersecurity assessment and governance gathered together under the government FISMA implementation project here.
- The CSA STAR Program – To improve transparency about cloud vendor security, the CSA launched their STAR (Security Trust & Assurance Registry) program in 2011. Suppliers voluntarily publicise information about their security controls and practices, so more and less risk averse firms can locate a provider matching their regulatory and local control requirements.
- ISO 27001/22301 Certification – Certification against ISO standards is a good indicator that suppliers have a mature approach to security risk management. However, it’s no guarantee that security controls are working. They may diligently and cyclically assess controls, find many are broken, but get all the right security management documents and processes in place to make the certification grade. By the same token, their ISMS scope might just cover a showcase site, or only include physical security controls. Always ask for evidence of control effectiveness, and check that the services you plan to use and the controls you want to rely on are in scope. If not, it can come as a nasty post-audit surprise.
Follow the old advice: Don’t outsource problems
If a service is tough to maintain or hard to manage in-house, transferring it into the cloud isn’t a fix. It will also add an extra layer of uncertainty, with arm’s-length governance of security, performance, solution development and cost (among other typical supplier management challenges). Don’t underestimate that additional overhead, and put things in order before offloading functionality. Commentary on this has been done to death, so just one reference for you:
This is not a cloud computing or security-related article; it’s an old piece about outsourcing logistics services. Don’t sniff: there’s deep experience of working with third parties in that field, and it really nails the potential pitfalls of going to the cloud thinking it’s a strategic solution in and of itself. It’s a means to a business end and, to quote the article:
“If users don’t know the solution to the problem themselves, it’s unrealistic for them to expect the provider to find a solution in the short term,” says Leslie, warning that a relationship built on such a shaky foundation “is doomed to failure.”
Cloud orchestration: Keep solutions in tune
This is related to my last point. It’s a buzzy term for the art of mapping and linking the diverse IT and process components of a service, then making it all work together as seamlessly as possible, no matter where each part is hosted.
Expect to see this term around more in future. Interest in hybrid (part on, part off-site) cloud solutions is ramping up, as discussed in this Tech Pro Research article by Teena Hammond.
This article in the Wall Street Journal looks at pre-deployment orchestration and a developing trend towards pre-integrated and orchestrated cloud offerings. Don’t expect to benefit from the latter if you don’t understand how the people, process and technology elements of the cloud-bound service fit together. You need to get that view, then weed out inefficiencies and disconnects.
Select and govern vendors responsibly
DO DUE DILIGENCE. Can’t stress that enough. All solutions, by their nature, are black-box to one extent or another. You can’t expect to poke around under the hood, then demand that security or functionality is changed to suit you after agreements are signed.
Get your requirements right, poke around before you buy, and be realistic about vendors’ capabilities to meet your security, performance and functional needs. When putting contracts together, embed rock-solid security benchmarks, performance expectations, governance responsibilities and incident management requirements. Places you can go for more detailed guidance:
- Forrester Research – Good for general supplier governance advice. A significant amount of material is free and available on request. For example their ‘playbooks’, like this one – Strategic Software Sourcing Playbook.
- The ISF (Information Security Forum) – A well respected independent source of security advice. Their Supplier Security Evaluation Tool is available to all security professionals on request. It’s high level, so you need to shape it to suit your specific needs, but it provides a robust starting point to look at supplier security capabilities, relationship specific requirements and contract exit considerations.
- The CSA – Their Cloud Controls Matrix is another good template for assessing vendor security.
- International Security Standards & Practitioner Insights – Dejan Kosutic (@Dejan_Kosutic) provides both perspectives in this excellent blog post “6-step process for handling supplier security according to ISO 27001”. He includes coverage of the business continuity standard ISO 22301 and links to standards documents and other relevant material. I’ve also shared some advice about supplier security governance on this blog, informed by setting up and running an assurance service for a FTSE100 company.
Don’t expect to change the service to suit you
With a cloud service, your savings come from their economies of scale. If you find out after contracts are signed that the service needs to be changed to meet your functional or security needs, your cost advantage goes down the tubes, one tweak at a time.
In general, if you’re not a cloud security expert, it’s well worth reviewing the CSA’s own advice and links, as they act as a hub for industry-wide cloud security information.
The information provided here is by no means complete. You are welcome to comment or contact me to point out other good references, but I hope, overall, it helps you securely gain the undeniable commercial and strategic benefits to be found in the cloud.