Home  |  Sarah  |  Services  |  Blog  Contact

Sunday, 03 Aug , 2014

The Game of Clouds – How Do You Procure And Stay Secure?

Share this article

Finding the right cloud solution is a huge challenge and you can kiss goodbye to hoped for savings if you sign on the dotted line…THEN focus on required functionality and security. The great Thrones inspired map from Cloud Endure’s Blog, includes the 54 best software offerings in the Amazon Web Services (AWS) marketplace.  It’s not exhaustive, (there are […]

Finding the right cloud solution is a huge challenge and you can kiss goodbye to hoped for savings if you sign on the dotted line…THEN focus on required functionality and security.

The great Thrones inspired map from Cloud Endure’s Blog, includes the 54 best software offerings in the Amazon Web Services (AWS) marketplace.  It’s not exhaustive, (there are many other providers, platforms and cloud models to investigate), but it’s an unusually consolidated view of key types* of cloud software.  A refreshing change from drowning in very specific “top ten” or “best cloud” guides.

So where do you start when the board are champing at the bit to play the game of clouds, itching to beat their competitors and desperate to realise advertised savings. How do you sift through the rafts of security advice and what are the better solutions in the land beyond the wall?


*01/06/2014 Cloud Endure assessed 2291 AWS hosted products in three main categories – Business Software, Developer Tools, and Software Infrastructure. Focusing on companies with at least two reviews of 3 stars or higher.

The sheer scale and complexity of the cloud market is daunting and piecemeal advice can hobble your attempts to find your prize.  The solution that’s functionally and financially fit for purpose, but also secure.

Brl6Z2IIQAAHPMuYes, security is still part of many cloud related headlines.  The Cloud Security Alliance wouldn’t have 57,000 LinkedIn followers if everyone was comfy firing sensitive data into the ether, or happily dependent on cloud services to underpin critical high availability processes. But there’s less risk than many would have you believe and potential savings are impossible to ignore.

For anyone still working out how to leverage cloud IT profitably and securely, I have put together a list of some key considerations. A survival guide for the search and selection journey, referring out to sources of more in-depth advice.  It focuses most on how to integrate security into your procurement activities, but gives more than a nod to more general challenges.

Sorry to disappoint, but there won’t be more Game of Thrones analogies. I was tempted, but I’m too scared of retribution from the real fire and ice crew – the pictured newlyweds for instance.

Get a cloud policy in place if you haven’t already

You need a well-known plan for different options and circumstances, something that all stakeholders understand and sign up to. A document that is explicit about what is and isn’t a tolerable risk and the related oversight and controls to be in place. Shadow IT isn’t just media hype. If you don’t write and share your cloud usage policy soon, your staff, seduced by the scent of cheap, quick and easy, will decide their own. They may make good choices, but you will have no oversight.

Guidance on cloud policy creation (new references welcome), is very variable and mostly high level.  The US ICO produced this guide, which has some good internationally transferable content and there are one or two templates about (for example this one from IT Manager Daily). However, be cautious. Never adopt a template before checking it’s in line with best practice and entirely relevant to your business.

Scott Hazdra also shares valuable advice in this Network World article. If you decide to go down the consultancy route, I recommend being circumspect. There’s a shallow pool of relevant expertise and experience globally.  Confirm consultants have enough specific past experience and perhaps ask to see real anonymised policies, created for other clients, before signing contracts.

Put some effort into researching the best solution for you

The web is flooded with vendor produced articles and white papers about cloud solutions.  Even when looking at the mainstream IT press, there’s often vendor sponsorship or influence hidden behind apparently agnostic material. So how do you bypass hype and bias?

  • FedRAMP – FedRAMP is the US government run security assessment and accreditation program for cloud vendors, based on NIST security benchmarks
  • NIST Special Publications 800-37 (the Risk Management Framework). The RMF is familiar to most US cybersecurity pros. It is a risk management wrapper to compliment the control sets and various standards for cybersecurity assessment and governance gathered together under the government FISMA implementation project here.
  • The CSA STAR Program – To improve transparency about cloud vendor security, the CSA launched their STAR (Security Trust & Assurance Registry) program in 2011.  Suppliers voluntarily publicise information about their security controls and practices, so more and less risk averse firms can locate a provider matching their regulatory and local control requirements.
  • ISO27001/22301 Certification – Certification against ISO standards is a good indicator that suppliers have a mature approach to security risk management. However, it’s no guarantee that security controls are working.  They may diligently and cyclically assess controls, find many are broken, but get all the right security management documents and processes in place to make the certification grade. By the same token, their ISMS scope might just cover a showcase site, or only include physical security controls. Always ask for evidence of control effectiveness and check that services you plan to use and controls you want to rely on, are in scope. If not, it can come as a nasty post-audit surprise.

Follow the old advice: Don’t outsource problems

If a service is tough to maintain, or hard to manage in-house, transferring it into the cloud isn’t a fix.  It will also add an extra layer of uncertainty, with arms length governance of security, performance, solution development and cost (among other typical supplier management challenges).  Don’t underestimate that additional overhead and put things in order before offloading functionality. Commentary on this has been done to death so just one reference for you;

This is not a cloud computing or security related article, it’s an old piece about outsourcing logistics services. Don’t sniff, there’s deep experience of working with 3rd parties in that field and it really nails the potential pitfalls of going to the cloud thinking it’s a strategic solution in and of itself.  It’s a means to a business end and to quote the article;

“If users don’t know the solution to the problem themselves, it’s unrealistic for them to expect the provider to find a solution in the short term,” says Leslie, warning that a relationship built on such a shaky foundation “is doomed to failure.”

Cloud orchestration: Keep solutions in tune

This is related to my last point.  It’s a buzzy term for the art of mapping and linking diverse IT and process components of services, then making it all work, no matter where it’s hosted, as seamlessly as possible.

Expect to see this term around more in future.  Interest in hybrid (part on, part off-site) cloud solutions is ramping up, as discussed in this Tech Pro Research article by Teena Hammond.
This article in the Wall Street Journal, looks at pre-deployment orchestration and a developing trend towards pre-integrated and orchestrated cloud offerings.   Don’t expect to benefit from the latter, if you don’t understand how people, process and technology elements of the cloud-bound service fit together.  You need get that view then weed out inefficiencies and disconnects.

Select and govern vendors responsibly

DO DUE DILIGENCE.  Can’t stress that enough. All solutions, by their nature, are black-box to one extent or another. You can’t expect to poke round under the hood, then demand security or functionality is changed to suit you after agreements are signed.

Get your requirements right, poke around before you buy and be realistic about vendors’ capabilities to meet your security, performance and functional needs. When putting contracts together, embed rock solid security benchmarks, performance expectations, governance responsibilities and incident management requirements. Places you can go for more detailed guidance;

  • The ISF (Information Security Forum) – A well respected independent source of security advice. Their Supplier Security Evaluation Tool is available to all security professionals on request. It’s high level, so you need to shape it to suit your specific needs, but it provides a robust starting point to look at supplier security capabilities, relationship specific requirements and contract exit considerations.

Don’t expect to change the service to suit you

With a cloud service, your savings come from their economies of scale.  If you find out after contracts are signed that the service needs to be changed to meet your functional or security needs, your cost advantage goes down the tubes, one tweak at a time.

In general, if you’re not a cloud security expert, it’s well worth reviewing the CSA’s own advice and links as they act as a hub for industry-wide cloud security related information
The information provided here is by no means complete.  You are welcome to comment or contact me to point out other good references, but I hope, overall, it helps you securely gain the undeniable commercial and strategic benefits to be found in the cloud.

Opinion: Paying to play with our personal data – is it ok?

We’ve migrated from ‘Hot or Not?’ to being held virtually hostage by many of the digital platforms we rely on today. In the midst of that a new processing paradigm has emerged. Myriad startups want to pay to play with your personal data. Can this tackle on-going...

In AI we will blindly trust…

...and the architects, designers, data scientists, and developers will think we are nuts I've been driven back to the blog to talk about one very specific aspect of privacy, data protection and Artificial Intelligence (exchange for Machine Learning or Algorithms as...

Data Protection, Security, and the GDPR: Myths and misconceptions #2

Welcome back! This is a shamefully delayed sequel to my first instalment of security themed GDPR thoughts: Data Protection, Security, and the GDPR: A fraught and fuzzy relationship. Here I look back again over my pre-privacy IT and InfoSec career to spot things likely...

Where and to whom does the GDPR apply?

Yeah, I doubted my sanity going at this one too, but here I am, because working out whether or not the GDPR would apply in different practical and geographical circumstances is proving harder than it really should...for everyone. This regulation has been my almost...

GDPR – You’ve analysed the gaps, but can you close them?

  There is a critical gap for most firms: An inability to interpret and leverage gap analysis, data discovery, and mapping output to actually implement technical data processing change. This article is about the challenges most large firms are facing when trying...

GDPR – The Compliance Conundrum

There is one question related to the General Data Protection Regulation that will arguably cause more ulcers than any other: How much is enough? In some portions of the GDPR 'good' is straightforward. In many others we are asked to respect principles of fairness and...

Opinion: The role of automated data discovery in a GDPR programme

Do you have any online profiles or posts featuring those 4 magic characters: G D P R? If so, whether you are a business decision maker, IT body, security body, charity boss, employed data protection pro, or job seeking data protection pro (less and less likely), you...

When Business Culture Eats Cybersecurity For Breakfast – Part One

A four-part story of budget cuts, blamestorming, breaches and massive bumps in the road to mature security. Wild Speculation & IT Transformation Do you remember Nick Leeson? On February 23rd 1995 he sent a fax telling bosses at Barings Bank he was ill and wanted...

Cyber Insurers Dictating Cybersecurity Standards?

A run down of the key challenges with choosing and using cyber insurance called out in the last few months. It looks entirely possible you will have 'adequate' security dictated by your insurers, so it is your job to understand the risk based yardstick they're using...

There Is No Such Thing As Information Security Risk

Having worked in IT and Information Security for 13 years, I've come to the conclusion that there is no such thing as information security risk. There are just business risks that have one or more security or IT related causes. There is a fundamental and persistent...