Establishing a Cloud Broker Model – Part 1

Information Security, IT Security, Technology Security, IT Risk and Security and IT Risk Services are all names that organisations use to define a functional unit within their enterprise that is responsible for the security, integrity and operational assurance of their information assets and operating environment.

Cyber-attacks are on the rise, along with high-profile and targeted penetrations and (unsubstantiated) rumours of state-sponsored cyber terrorism, as discussed in Mandiant’s cyber security research report. Most recently, our Prime Minister, Julia Gillard, announced the unveiling of a new national security strategy in which protecting sensitive computer networks in government and the private sector would be a top priority.

In the US, amongst multiple cyber security initiatives, the one that is not much talked about but is of interest is the secret US cyber security program to protect the power grid, spearheaded by the National Security Agency and dubbed Perfect Citizen. It is a program that is looking to develop technology that protects the power grid from cyber attacks. Publicly available information describes the program primarily as a vulnerability assessment program coupled with the development of the associated protection capabilities. In essence, isn’t that what security is all about: knowing your weaknesses and addressing them before others find out? When Australia’s Defence Signals Directorate (DSD) published its Top 35 cyber security mitigation strategies, the focus was likewise on vulnerability assessment and proactive management of emerging threats.

All research currently being published about security trends for 2013 focuses on the following five issues:

1. Rise of cyber attacks and state sponsored challenges
2. Attacks aimed at critical infrastructure
3. Rise of BYOD; Bring Your Own (Device, Disaster, Downfall)
4. Data breaches across the enterprise for data assets hosted internally and at cloud providers
5. Adoption of cloud services without adequate internal control measures.

So you must be wondering what all of this has to do with maturing security services and establishing a “Cloud Broker Model”.

My view is that investment in security (and its various services to the business) will always continue, sometimes more and sometimes less, depending on the economy and the tendency of the organisation to spend on maintaining or developing the capability. This is, in turn, dependent on multiple factors external to the organisation, and so will also depend on the capability of the various teams to respond to the business’s demand, and on the turnaround time in which these services might be required to be developed and implemented.

Requirements to do more, relatively quickly, will only increase. Appropriate responses to, and management of, business demand for security services is the key to success.

With the rise of cloud-based services and the maturity of Security Software as a Service (SSaaS), if management believes that it can save money by out-, off- or cloud-sourcing a particular capability, it will. This is especially true in the security tools and technology spectrum, where vendors like HP, IBM, Symantec, McAfee, Cisco and many more now have services (with varying degrees of maturity) that profess to do it better, faster and cheaper than an onsite, insourced setup.

Whilst not all of these claims are true, there are more than enough case studies out there to suggest that many of them are. Like all IT services, security is not immune to being “aaS’ed”, cloud or otherwise; it is only a matter of time. As professionals and security leaders, what we can do is be ready for when it happens: support it, and have a strategy in place to make it a success.

With that as my rather long-winded introduction, what I am ultimately trying to say is that you should have a security services strategy. Set it up like a services broker, where you are the one-stop shop for all capability, whether insourced, outsourced or cloud-sourced.

Be a true business partner who looks for the optimal solution for the business, and who has progressed its thinking from “everything is required to be in-house” to “source right to manage risk and reputation”.

Cloud Services Brokers (CSBs), or Cloud Service Brokerage (CSB), are, in my view, the next phase of maturity required of IT service functions in the area of infrastructure and information security technology implementations.

A “Cloud Brokerage” or “Cloud Broker”, by definition, is a function that links customers and end users to cloud service providers. It assists with ascertaining business demand and business requirements, and with recommending the appropriate platform, or combination of platforms and applications sourced through multiple cloud providers, to best address that demand.

Now some would say that this is what Enterprise Architects, or Architects in general, already do. What I argue is that it is time the whole of IT, and especially the security functions, started to think and operate like that. A recent Gartner report outlined three categories of cloud brokers which it believes will enhance adoption of cloud services:

1. Cloud Service Intermediation: An intermediation broker provides value added services on top of existing cloud platforms, such as identity or access management capabilities.
2. Aggregation: An aggregation broker provides the “glue” to bring together multiple services and ensure the interoperability and security of data between systems.
3. Cloud Service Arbitrage: A cloud service arbitrage provides flexibility and “opportunistic choices” by offering multiple similar services to select from.

Cloud Services Brokers will broker relationships between an end user or consumer and a cloud service provider. I believe the IT services function—and more so the information security function—within an organisation should look to pilot these roles, because the information security function is optimally placed to articulate compliance requirements and the risk profile, and has an end-to-end understanding of the business process and information flows. This gives it a unique advantage in assisting the business in the role of a “Cloud Broker” whilst ensuring the environment is secure, with an adequate mix of internal and cloud controls in place.

Stories by Puneet Kukreja