Cloud Security Considerations – a different view

Yesterday, looking at my RSS feed, I saw the post in here called Cloud Security Considerations – and immediately wanted to read it, as we (a friend of mine and I) wrote a paper with exactly the same title. I was so thrilled that somebody else had taken this up to blog about – however, I was disappointed. Not by the content of the post per se – it just was not what I expected.
Let me give you a different view of the cloud. When I talk to our customers, the cloud is not necessarily a technical problem for them; it is completely an emotional problem. The purchasing decision, however, should be driven by risks, risk assessment and risk appetite of the company. Another point is that customers are often still looking at it as an “all or nothing” approach. I am more than ever convinced that the cloud for most customers will be a hybrid approach. Some data/business processes will remain on premise, others might move to an externally hosted private cloud, and still others will move to the public cloud.
This led us to the point where we decided to structure the discussion in a different way and try to give it a framework. We decided that there are five areas to consider when you plan to move to the cloud, which help to decide what to move where:
  1. Compliance and Risk Management: Organisations shifting part of their business to the cloud are still responsible for compliance, risk, and security management.
  2. Identity and Access Management: Identities may come from different providers, and providers must be able to federate from on-premise to the cloud, as well as to enable collaboration across organisation and country borders.
  3. Service Integrity: Cloud-based services should be engineered and operated with security in mind, and the operational processes should be integrated into the organisation’s security management.
  4. Endpoint Integrity: As cloud-based services originate--and are then consumed--on-premise, the security, compliance, and integrity of the endpoint have to be part of any security consideration.
  5. Information Protection: Cloud services require reliable processes for protecting information before, during, and after the transaction.
We can debate the order, but our discussions with customers where we used this model are showing that it is very much on point. If you are interested in getting more (the paper is only 8 pages :)), you can download it here: Cloud Computing Security Considerations.
From a Microsoft perspective, we did some additional work where we tried to apply the model to a partner-hosted private cloud and to Office 365. The private cloud paper is fairly product agnostic (not completely), and even the Office 365 paper can give you some good insight into how to think about it when you look into the private cloud.
The interesting thing to me is that there are a lot of different levels at which to look at the cloud, and this keeps the debate interesting (and confusing for the customers) :)
Roger

 
