Embracing the Cloud – A Decision Framework

Cloud computing (or Cloud Services) has emerged as the fastest growing IT services sector in the last 3 to 5 years.

With major restrictions and inherent limitations in most IT environments, it’s become an attractive option for businesses. Concerns such as spending restrictions; immature capacity management; uncertain demand forecasting; duplication of capability; slow delivery of infrastructure and slow business application delivery all lead businesses to look wistfully at cloud computing.

Look around, every traditional IT services provider and emerging cloud pure player is offering cloud services which claim to optimise and improve your organisation’s resource utilisation. The value proposition is touted to increase service response times, allow faster provisioning of components across the IT stack, reduce lead times for software implementation, and improve service capability – all through using a pay-per-use model. On the face of it, it’s a really compelling case, it’s easy to understand why executives get excited.

Cloud services are maturing rapidly, they now include the traditional IT stack—datacentre, hosting hardware, storage, databases, middleware platforms, monitoring, and business software as a turnkey service.

As security professionals we can either put forward arguments against a move to the cloud, or we can assist our organisations by putting together a risk-based decision framework that will assist in making an informed decision when embracing the cloud.

The risks (loss or leakage of data, compromised cloud systems), together with data security, privacy, legal and regulatory obligations, compliance practices and established security standards, all need consideration; a risk-based framework guides the organisation through this.

In my experience this four-pillar framework, supported by a 25-point controls plan (which I dub CloudAdopt25), will provide a sound basis for ensuring informed decisions are made. (More on CloudAdopt25 next month.)

Pillar 1 – Identify

The Identify Pillar deals with the organisation identifying projects, programs or services that have high establishment costs, low utilisation, or are expensive to run and operate, as candidates for the Cloud. Consideration should be given to services that require rapid turnaround, are seasonal, or have a short usage timeframe but require long lead times for IT support infrastructure to be established, as services that will be able to use cloud services with minimal disruptions and risk to the wider business.

Pillar 2 – Assess

The Assess Pillar refers to the organisation assessing its obligations and controls relevant to information security, authorisation to operate, security event monitoring, logging and reporting. A summarised list of 10 security obligations was discussed in a recent article, 'To Cloud or Not To Cloud', addressing obligations covering statutory compliance, privacy, confidentiality and access controls relating to the physicality and location of the cloud.

In addition to security, privacy and compliance, a very important element of this pillar is the set of service characteristics the cloud provides, including reliability, scalability, portability, vendor stability and the backward architectural compatibility of the cloud service with the organisation. (Adapted from the Federal Cloud Computing Strategy, February 08 2011, PDF.)

Another important element of cloud readiness is to ensure that your organisation’s network infrastructure is capable of the extra network load and bandwidth requirements that cloud usage will add to the environment.

During this phase, ensure that you capture your organisation’s technology and asset refresh lifecycle. Unknown dependencies or gaps in support capabilities (such as legacy contracts, network restrictions or desktop SOE limitations) can cause disruptions to business services.

Pillar 3 – Establish

The Establish phase is where an organisation puts processes into place for the use and consumption of cloud services. The focus of this pillar is to document any service fulfilment requirements the organisation has. It is important to be precise when determining operating processes; they will need to integrate with your existing processes, especially around change, problem, incident, capacity and availability management.

It is during this phase of the cloud decision framework that your organisation will establish service level agreements (SLAs) and rules of engagement that will assist in managing the performance of cloud services. All obligations and controls regarding information security, authorisation to operate, security event monitoring, logging, reporting, cloud service reliability, scalability, portability, vendor stability and backward architectural compatibility must be discussed and documented to ensure true value can be derived when embracing cloud services.

Pillar 4 – Govern

The Govern Pillar is the last and most important pillar. It will ensure the continued success of the services that have been cloud-sourced, and will provide the required checks and balances to ensure the integrity of your organisation's data assets within the cloud. These points were raised in an earlier article, 'Auditing Cloud Service', and are summarised below.

  1. Establish governance structures to provide continuous real-time reporting for services being consumed.
  2. Ensure control obligations are met via established regular reporting cycles.
  3. Report against the cloud services provider’s compliance requirements.
  4. Implement independent verification of detective and preventative technology controls to ensure confidentiality, integrity and the availability of data and information assets that are cloud sourced.
  5. Introduce contracts that outline SLAs and service provider obligations and organisational responsibilities.
  6. Clearly document roles and responsibilities assisting service establishment and closure.

Stories by Puneet Kukreja