If Your Head’s In The Cloud, Keep Your Feet On The Ground

When Sarbanes-Oxley first hit in 2002, almost overnight every security company became a compliance company. Fast-forward to 2010, and every security company is now a Cloud company, or has a “Cloud Strategy”. Whether or not it makes sense for an organisation to move IT assets to the Cloud depends on a host of factors, with security and compliance being two of the most important. One way IT managers can assess the risk of moving into the Cloud is to look at more mature outsourcing models (some of which are actually ‘flavours’ of Cloud Computing) to see what’s working, what is not, and decide how those lessons can be leveraged by their organisations.

So what exactly do we mean by “The Cloud”? According to NIST, there are four main cloud types: public, private, hybrid and community. The Cloud Security Alliance divides private clouds into two types – internal, on-premises and external, which consists of dedicated or shared infrastructure. According to the Cloud Security Alliance, the key characteristics that make a Cloud a Cloud are the top two layers of the diagram below:

In short, services in the Cloud are provisioned without having to talk to a person, can be scaled up and down on-demand, are drawn from a bigger pool that other customers can also access in the same way, can be easily monitored via laptop, Smartphone, etc, and are billed in a transparent, per unit manner.

Cloud is not the Holy Grail

According to Forrester Research, only 5 percent of large enterprises globally are capable of running an internal cloud – the easiest model to execute from a security perspective, since it resides inside the firewall. Other surveys, including one from Information Week, which sampled more than 500 organisations, all reveal the same thing – that despite all the hype, the Cloud is not the Holy Grail… yet.

While some of the technical underpinnings that make up the Cloud’s ‘secret sauce’, are relatively recent innovations, the business case for managing critical IT functions as services – inside or outside the firewall – is not a new concept. Currently, moving security to the Cloud (via your friendly neighborhood MSSP) seems to be easier than managing the security of the Cloud. According to Gartner, Inc. in its 2009 MSSP Magic Quadrant, 60 percent of Fortune 500 enterprises had engaged in some level of use of an MSSP, representing about 25 percent of enterprise firewalls under remote monitoring or management. If the business world is already comfortable outsourcing critical business functions, then the Cloud, in all its diversity and complexity, is an impending reality.

At the end of the day, the Cloud is just another way to outsource IT functions, and the same fundamental concerns and business challenges that exist with more mature outsourcing offerings need to be addressed (think hosting and managed services). Most importantly, how does an organisation manage its security and compliance posture when critical systems and data are hosted or managed by a third party?

Maintaining visibility

Most compliance requirements mandate documenting and auditing how companies access, store, manage and secure certain types of critical data. That can be difficult enough when you control the assets – how do you do that when the assets are not under your control? Do you simply trust that the service provider is doing it right? How do you deal with audits? With auditors? How do you ensure chain of custody, separation of duties, and accountability?

Ultimately, the security and compliance posture of critical data and assets resides with the organisation and not the outsourcing or Cloud partner. To date, Service Level Agreements (SLAs) have been the primary tool used by organisations to hold their outsourcing partner accountable for any potential compliance violations or security breaches. However, the reality is that SLAs can easily lose their teeth if there is no way to enforce them. Given the complexity of today’s corporate computing environments, creating and maintaining that level of visibility can be a challenge.