01 Aug 2010

In the long run, the hype will prove to be well deserved. Cloud computing is likely to be the foundation of tomorrow’s computing. In a period of highly disruptive cloud technology and business models, Chief Information Security Officers (CISOs) have to be quick in developing a strategy to gain maximum benefit from a trusted cloud.

Different models of cloud computing have emerged. There is the pure Software-as-a-Service (SaaS) model, which is a complete business application delivered as a service; the Platform-as-a-Service (PaaS) play, which enables rapid application development in the cloud; and Infrastructure-as-a-Service (IaaS), which is simple operating system and storage capabilities delivered as a service.

Sooner or later, cloud computing will become the norm. But CISOs need to question when it is the right time to migrate to the cloud, particularly for extremely sensitive information and mission-critical processes. Internal and external factors can drive the speed of adoption, but there is no doubt that at some point, software companies will recommend the cloud to their customers. New, innovative applications will exist only in the cloud.

For these reasons, CISOs should strive to understand the important issues, and their relevance to the business. Difficulties will arise through a lack of careful planning and rigorous management of a number of key issues. It is not sufficient to merely wait for the cloud to mature. In more sophisticated IT markets, many CISOs are already educating cloud providers on enterprise-class requirements, such as Service Level Agreements (SLAs), compliance issues, and location-specific regulatory issues. It is a lot easier for cloud providers to build enterprise capabilities now, rather than changing their offerings after enterprises have made the switch.

Here are some of the key issues that enterprises, and CISOs, must take into account when examining their cloud strategy:

  • Compliance – Affirmation that the cloud provider’s services enable the customer to be compliant with regulations and standards, such as PCI DSS, ISO 27001/27002, and breach notification laws, among others.
  • Data Governance – Assuring that customer data has appropriate technical safeguards, is legally protected, and can be accessed and returned to the customer on demand.
  • Portability and Interoperability – Assuring that the customer’s investment in any given cloud, including private clouds, can be ported to, and be interoperable with, any other cloud to the greatest degree possible. This protects investments and assures availability of critical services.
  • Identity and Access Management – Allowing the customer to leverage mature identity access management infrastructure within SaaS providers and other cloud services, in order to maintain wide-ranging system and application controls while maintaining compliance.
Independent certification of cloud providers is necessary to demonstrate compliance with a variety of security requirements. Organisations will always need to adopt standards of due care and engage in robust vendor management of cloud providers. However, it is not feasible to perform extremely detailed audits at an appropriate frequency to mitigate all risks, nor will the provider be able to accommodate all customer auditors. When an organisation does need to perform an audit, it will be a more efficient, streamlined process when applied to a certified provider, as the scope of the audit will typically be reduced. Many CISOs are becoming more involved in the standards bodies that will form the basis of these certifications, as some see the groups as being too vendor-centric at this point.

Cloud providers and SaaS vendors need to ensure their offerings meet the strict security and compliance standards required by global businesses. Corporations need to be able to automatically retrieve and apply security policies from existing enterprise authentication systems, with no further intervention required from internal IT departments. CISOs must be able to deploy cloud applications, confident that their corporate security policies and regulations will be enforced.

Today, CISOs have an opportunity to shape the types of standards and certifications that will be applied towards cloud providers, in addition to assuring that the features meet a business’s requirements. Whether they are building private clouds, piloting the use of public clouds, or even using public clouds for production applications, CISOs will never again see the same level of opportunity to communicate their needs and build security into the cloud.