Could my Cloud Burst?
2010 was the year we 'thought' about cloud. 2011 was the year we realised it could be an option that supports improvements in operational efficiency while, at the same time, reducing running costs. 2012 'will' be the year when take-up starts to evolve and surge. The question is: is cloud, or can it be made, a secure option? And if we are to leverage this new model of Outsourcing Mk2, what should we, as security professionals, be doing to drive the surrounding elements of security?
Within the last decade, I have conducted security reviews and audits of cloud and outsourcing service providers, ranging from Argentina and the UK, through the EU, and out as far as India, and I have found one constant on my travels: each provider is different!
When considering bringing cloud into the business, whatever the rationale for engaging, say, Software-as-a-Service (SaaS) or Platform-as-a-Service (PaaS), we, as the incumbent security professionals, need to evidence, as far as is practicable, that the solution meets the demands of the engaging client organisation. For example, if we have set in-house expectations of what our security policy underpins, then it follows that the very same policy must be extended out into the remote world of service provision, so getting that requirement written into the contract as a binding obligation is an absolute must. The real challenge, however, arrives when the organisation decides to conduct an on-site security review, inspection, or audit.
So, having decided there is a requirement to run some form of on-site governance activity, the questions that arise may be:
a) Who will run it?
b) Will the incumbent person have the required skill set?
c) How long will it take?
d) What should the security activity be based on?
e) What will it cost, and
f) What will be the required output upon which the final decision will be made?
And then there are the rest of the questions, ranging from g) through to z). That is before we even consider what happens if, having committed time, resource and effort to run an on-site provider inspection, the findings are adverse: do we simply kill the engagement off, lose the investment and start again?
The big challenge, of course, is assuring, as far as is practical, that any engagement with the selected cloud provider is evidenced to be as robust as possible, and that any data entrusted to the cloud will be protected to the level of security the business anticipates. At this juncture it is also worth a mental note that, if you get the T&Cs and the security of the engagement wrong, the relationship may turn out to be more than a tad strained.
But alas, it does not stop there. Some companies have actually set a policy 'not' to migrate 'any' of their data assets to the cloud, yet, through sloppy practices, a lower than acceptable level of security skill and poor project engagement, have found themselves in exactly that unacceptable place, with corporate-sensitive data, and even data in scope for PCI DSS, sitting out on some unencrypted device. Unbelievable! The inference is that, in 'some' cases, the in-house team may not be the most effective or trusted route to a robust and trustworthy level of security review.
One option worth considering is a service that would give the prospective cloud user a transparent view of the proposed provider, documenting its capabilities from physical security right up to its cloud business continuity profile. Such a service would also provide ongoing independent security reviews and assessments, to confirm that the security profile evidenced at day one remains extant against the original findings: a sort of MOT for the deployment. Imagine a service with qualified, trained expertise on tap, allowing a business that wants to move into cloud space to do so from an informed position.
It is anticipated that 2012 will see such a service start to show green shoots under the banner of the 'Third Party Assurance Centre', or TPAC for short. If all goes to plan, TPAC will take the legwork out of establishing what secure cloud looks like for the individual business: a service that enables cost reduction while, at the same time, assisting with the smooth and secure migration of business objects and services into the new world of cloud. Let's hope that TPAC comes of age in our year of the cloud, 2012; it may just answer a few problems and act as the aspirin that relieves that cloud-invoked headache.
Posted 25/11/2011 by John Walker
Tagged under: Cloud, TPAC, Outsourcing, Audit