Last week, when I was in South Africa, a partner of us pointed me to a very interesting paper by KPMG called Cloud computing: Australian lessons and experiences. What I like is, that a lot of the items I was recently raising, where actually reflected in quotes by customers of Cloud providers as well as by the general findings of the study.
I know that this is a very long post. If you do not want to read the whole post, please read at least one of the last quotes I have in here – which is by far the longest one.
Let’s start at the beginning. When I talk about the big trends having an impact on security, these are the five items I am currently raising:
- Flexibility: The users are asking for more and more flexibility, where they work, when they work, how they work. They see IT as a tool to do their jobs – and they are right so!
- Security as an enabler: If we as a security community continue the ride along the lines “you cannot do it because of security” we will become even more irrelevant in some organizations than we are today. If you think that this is harsh, than look at this study and tell me again what you think: RSA Europe: Are you ready for security and privacy? - especially at the picture showing collaboration. Security’s job is to help IT to help the business to achieve the goals in a secure and safe way. In other words to help to manage IT-related risks. If we are smart, this becomes an asset rather than a nuisance.
- Cybercrime from cool to cash: That’s obvious – the criminals are, where the money is.
- The Cloud: The Cloud (and this is what the whole post is about) is a reality. You say no – not for you? Think again and read the rest of the post…
- Consumerization of IT: More and more, consumer devices have to be integrated into our IT infrastructure. Show me the company who consciously decided to integrate the iPhone into their infrastructure. I do not know of any but it is in there because the users love it. Get accommodated to the fact, that your users started to take IT strategy decisions, whether you like it or not. Your cheese has moved.
When it comes to the Cloud and the security approach, Doug Cavit and me wrote a paper called Cloud Security Considerations, which I think is worth reading. It is fairly short and covers the key aspects of the Cloud in these five areas:
- Compliance and Risk Management: Make sure that you approach the Cloud from a risk-based view. Try to understand the new risks and the risks, which will go away or at least which will be heavily reduced. However, compliance and risk management are still your core responsibility.
- Identity and Access Management: You will still want to manage your identities and make sure you can federate from on-premise to the Cloud. You do not want to get new identities, just because you consume a new Cloud service. Make sure, you have the right processes and technologies in place to deal with identity management in the Cloud as well.
- Service Integrity: Understand how the service is engineered and run to the extent needed for the service you consume and the data you put into the Cloud.
- Endpoint Integrity: Cloud security starts with the endpoint. You cannot protect the information in the Cloud without protecting your endpoint, where your security architecture starts.
- Information Protection: This is why we do it – yes? So, have a data classification scheme in place and implemented. That’s the only way to understand, which data to move to the Cloud and what you want to keep on-premise. Finally, think about how you get your data into the Cloud and back.
It is my firm believe that – if you do it right – you can increase your overall security by moving to the Cloud. At least in a lot of scenarios and with a lot of data. But it is not only about moving to the Cloud it is about how to get back as well.
So, that’s my believe and “my theory”. What about the reality? This is, what the study is all about. During my read, I copied quite some quotes from the study, which I thought are very interesting and important to all of us.
First of all, when I talk to customers, they are often reluctant thinking about the Cloud and if they do – well – they do not want start with too critical processes first as the Cloud is not seen to be ready for prime time yet. The study shows, that this is not true:
there were many instances of strategic and sensitive applications being accessed from the cloud.
Interesting. Is there more to the Cloud than just a “let’s sit and wait” approach? Could there be real benefit to it? I am convinced - but there might be a another side to your strategy as well:
This was a small enterprise that had adopted the cloud aggressively, with good outcomes, as a deliberate strategy to support rapid scalability. As the organisation grew and became more established, however, the unique industrial needs of this organisation meant that on-the-premises control would become mandatory, and a transfer back to an on-the-premises model was planned.
I once learned that in some cultures (not in the Western European one), if you write a strategy and decide upon it, you always look into ways to get out of the strategy as well if things change – if your cheese moved. A concept we should look into more often as well. What are the signals to get out and how do you do it? Think about plan B before you start plan A.
If you map this to your Cloud strategy: Think about getting to the Cloud and back. All the vendors will help you to get onto their services but how many help you to get back on premises? How do you have to convert the data and load your data back? Remember the time of document formats, where you lost most of the formatting, once you had to convert them?
Look at our stack briefly: It is actually the same technology on-premises as in the Cloud. If you use Exchange, SharePoint, OCS, whatever on-premise and the Cloud – the same. If you develop an application for Azure and want to move to your own Cloud or back on prem – this is what Windows Azure, SQL Azure, AppFabric are all about.
This scenario has to be feasible and supported.
What about the big advantage of the Cloud: the savings? Here is a customer quote from the study:
The quicker [installation] time was a cost saving. It was one of those projects that almost went under the radar; it was so smooth and so low cost.
Think about this statement for a second. If you are an IT shop, if you are a CIO, this is what you compete with! So, if your business gets this service and you as the IT organization are still running your infrastructure the way you used to do it 10 years ago, what will the user do? See my Consumerization of IT above… The user starts to take strategic IT decisions by moving to the Cloud without asking! So, do not feel too safe, just because you have a policy. And it goes further:
We can let [customers] provision themselves over the Web eventually, so they can choose our offerings, pick the one they want, get billed on a recurring basis...
This is the view of a fairly advanced IT. You have to get there to compete.
If you look at my flexibility item above. I want to be able to work where I want, when I want and how to balance my private and business life. This is where the Cloud can help. Again, a customer:
Anywhere around the world they’ve got live, useful information. That for me is the most important aspect of [cloud computing].
But security is always a concern if you plan the Cloud. The people who are still reluctant, often use security as their main area of concern:
The use of a cloud provider was seen to introduce a potential risk if the provider was unable to provide adequate protection of commercially sensitive information, especially customer information. There would also be serious consequences if cloud providers failed to maintain adequate service levels or experienced service outages.
This is definitely true. But you should look at it from a risk-based approach. You will get additional risks as you introduce a new provider. But what do you gain? What risks will be reduced or will even disappear? That’s the balance which is important. So, there is a lot of work to do as the study finds:
Security concerns were also at the forefront of conversations with managers in organisations with an unknown adoption status. These managers almost all thought that the benefits of cloud computing were, at least for the time being, more than offset by the introduction of new threats, dependencies and exposures for their organisations. Such concerns were top of mind and clearly a significant barrier to adoption.
Respondents generally reported that they had worked through the issues and arrived at accommodations or compromises they could live with. Nonadopters frequently cited regulatory
issues as a barrier to using cloud computing.
Here, the Chief Security Advisors can help with. If we are talking about our technology and platform, involve us – that’s what we are here for.
Now – to me – the highlight of the report:
After evaluating the security capabilities of providers, however, the management in adopting organisations had come to different conclusions. They typically articulated the security issue in relative terms. On the one hand there was a consistent message that on-the-premises computing was not always as secure as people believed. As one respondent put it: People are under the illusion that because it’s sitting behind the company firewall its safe. On the other hand, they believed the key cloud service providers they were using had invested heavily in the infrastructure, skills and practices to maximise resilience to attack, and therefore were offering more security than they could build themselves. The same risks, in other words, existed in both scenarios, but they saw the risks as lower, on balance, under their cloud arrangements. Comments like this, from two different respondents, were common:
We actually think our security has been improved as a result of [cloud computing].
I’m fairly certain that we’re getting a better service level through an on-demand platform like [vendor] than we would on an internally hosted application.
Of particular interest here was that three organisations had gone further, with management employing cloud computing as part of a deliberate strategy to increase organisational security and resilience. They saw advantages in shifting computing away from homegrown facilities, which they considered an obvious target today, to in-the-cloud facilities that could be located anywhere, making it difficult, if not impossible, for attackers to identify.
Moving to the Cloud to strategically increase security? Wow! But you can only judge, if you are ready to handle it (see the Risk Management section in our paper).
All the positive experiences in security, service, integration and customisation described in the preceding sections were associated with cloud services that has been adopted and were still in use by the respective organisations. By definition, management had concluded that they were sufficiently developed, and backed by sufficiently trusted providers, for enterprise use.
The Cloud Providers, if selected carefully, have the capability and knowledge to run your Cloud on a higher security level. This leads back to the Service Integrity above.
For this specific vendor I do [have enough confidence]…they publish information about their storage and their security model and they also publish uptime statistics, so things like that give me a certain level of confidence. But I wouldn’t have that confidence with any random vendor.
So, when we address all the technological, procedural, legal requirements, we should not forget about the people. Loss of control is probably the number 1 real concern a lot of people have. They are so used to “owning” the data and the servers that it is incredibly hard to let go.
Management attitudes were also important within the IT department. Respondents frequently had to overcome emotional hurdles associated with letting go of control. Despite being enthusiastic about the potential benefits, cloud computing still represented a significant change: they would no longer have the comfort of knowing that their computers were locked in their own buildings, could be checked at any time and were not accessed by others.
This is the first time, I read a good comprehensive paper about the reality, knowing that this is “just” a sample and “just” Australia but quite some points I am thinking about regularly were addressed and seem to be consistent with my view of the world. At least it re-enforced my firm believe that a lot of customers who are telling me that they will not move to the Cloud because of security might have to re-think their strategy and start thinking about the Cloud because of security. Otherwise they risk losing the competition between internal IT and the external Cloud provider.
If you do not drive this adoption, the adoption will drive you.