I was privileged to address a distinguished audience of leading Indian CIOs at the IDC Cloud 2.0 Asia Summit in Mumbai last week to present my thoughts on how companies could adopt a strategic approach to using third-party hybrid or private clouds from a security perspective. I have summarized my opinion in this narrative.
India is the land of outsourcing and we all have seen the rise of several large IT service providers. When enterprises outsourced to IT service providers, they offshored maintenance, development of their legacy platforms or new platforms which they bought. Instances of shared services were few. When organizations look towards CloudSourcing, their key goal is to share. Share an application or infrastructure. Sharing brings greater efficiencies, agility at lower costs and therefore the move to cloud is inevitable
The progress towards a cloud computing is a mixed bag. There are questions and fears but the drive and money is real. Technology and investments will make it a reality. None of us can say that this is a hype, which will go away and hence we should do nothing about it. Most companies are planning a cloud strategy or at least a POC.
When we go to the cloud, the security requirements of our business remain the same. They are enshrined in these three tenets – Reputation Protection, Asset Protection and Compliance. But like we trust in God, we now need to trust in the cloud service provider.
There are teething issues like cloud outages which can interrupt and therefore hurt your business. More will surely come down the line. But the bottom line is that maturity takes time. When such issues hit you at home it may not hurt as much when it hits you visibly, out there on the Internet.
In the IT outsourcing model, the customer was able to trust the IT service provider with his data and business process mainly because of his ability to establish security norms and audit them. There was the added benefit of owning or controlling the IT environment and business oversight in terms of financial viability, experience, corporate governance and so on.
In case of the cloud service provider, we see parentage and the business model. Sufficient data is not available for us to take decisions. How many cloud service providers will survive is a matter of grave doubt. On top of it, we are unable to control or get environment details let alone audit.
In the cloud, risk vectors go up manifold. Cyber criminals want to target this large pot, bang goes the fact that you are one among the thousands. There are issues with technology and shared infrastructure. Doubts about how companies can actually meet your compliance requirements and uncertainty about your risk profile and the vendor does not share much information with you.
The top four risk groups are:
• Cyber criminals, cyber terrorists, cyber espionage and cyber warfare all of which are more likely to target a shared cloud service infrastructure that company infrastructure
• Technology refresh, multi tenancy, scale and multi-cloud which are more likely to increase the set of vulnerabilities in cloud infrastructure
• Compliance, data protection and law enforcement due the lack of understanding on how these requirements would be met by cloud service providers in a global, multi-cloud environment
• Lack of security visibility where CISOs cannot be assured of the security of their company data
The two main levers in outsourcing contracts that you must control are contractual and audit. The degree of control that you exert on this may positively impact the balance of power in the cloud. At the moment, this lies in the hands of the cloud service providers and you will find great difficulty in both these area. As you go through your cloud adoption process, your ability to create and enforce standards in this area will greatly shape your ability to manage risks.
Contractual Clauses Sections you should carefully read include:
• Choice of law jurisdiction and dispute resolution
• Variation to terms
• Privacy laws and trans-border data flows
• Service level agreements
• Transition out arrangements
• Warranties and liability limitations, and
• Multiple parties in the cloud stack
Audit Clauses Limitations
• No defined clause set for security and backup
• Inability to set the terms of reference
• Inability to audit/ no audit standards
• No certainty on data flows
• No certainty on the importance of security to the cloud provider
• Ownership and legal implication with the company and not cloud provider
Typically your decision to cloud source comes back to the fundamental tolerance of risk that you would like to accept. In simple words, the impact on your data and business process should things go wrong. Since IT assets anyway do not belong to you, I have taken this out of the equation.
Early adopters are taking safe bets on the type of cloud service to choose. There are many— including Kaspersky’s Email and Web filtering service, to name one— that offer more that you can do in your organization at low risk.
In order to help you make this choice, last year I had published the top eight questions CIO’s should ask in the SC Magazine, US edition. They still are valid and I have added a ninth one too.
1 Am I using a trusted vendor?
2 Have I considered the value and risk to the information that I am outsourcing to the cloud provider?
3 What business continuity and disaster recovery measures are in place in the cloud infrastructure? Does the cloud provider have a backup in place?
4 Have I considered the potential implication of employees wanting to sabotage a successful cloud migration strategy?
5 Have I considered how knowledge of the business process would be retained and versioned, should I wish to switch cloud providers at a future date?
6 Do I have a detailed list of security controls based on security, operational and business risks to determine how the cloud vendor complies with them?
7 Does your cloud provider meet the regulatory or compliance requirements needed by your organization?
8 How do I audit or evaluate security controls placed on the cloud-based infrastructure?
9 Is the contractual agreement in my favor or am I able to influence it?
I must end by encouraging all of you to take part and rely on the body of knowledge being built by the Cloud Security Alliance (http://www.cloudsecurityalliance.org), which is one of the most substantive programs on cloud security. It is nonprofit and free.
Also please become part of the Mumbai Chapter by signing up on our Linked In Group Cloud Security Alliance, Mumbai Chapter, for which I am a founder director.