The Ins and Outs of Cloud and Outsourcing

The speed at which IT is developing and the general nature of modern business mean that many enterprises rely on specialists to manage their systems and applications. Economic and competitive pressures have made it imperative for organisations of all sizes to focus on their core competencies and turn to third parties to assume responsibility for key corporate functions. The most common form of outsourcing is the cloud. The cloud simplifies many aspects of IT and the business services world.

Outsourcing is by no means a new or revolutionary concept and to date, it continues to deliver consistent financial benefits. By engaging a cloud service, a small organisation can have access to leading technology without large investments, while global enterprises can ensure that business sectors are managed effectively and efficiently.

Aside from obvious financial benefits, the list of incentives continues to grow: service quality, access to innovation, the removal of non-core functions, access to leading IT skills and resources, and the ability to forecast future IT spending all contribute.

For any enterprise, the benefits of outsourcing to the cloud are only guaranteed if certain guidelines and precautions are put in place, and in order to do this, you must understand the challenges:
• Potential loss of control over certain business functions
• Rigidity and a general lack of flexibility in the services received
• Time and effort involved in managing the service provider

The key is to select a provider whose cloud portfolio is as flexible and varied as the workloads it may handle—today and into the future. For many enterprises, the cloud is no longer a curiosity, but an opportunity to transform IT. As they think beyond one or two isolated workloads, their criteria in selecting a cloud provider become more stringent. To meet business goals for efficiency, cost-reduction, and simplification of processes, enterprises must look for a cloud provider that offers a range of services that meet today’s needs and can grow with the business.

Understanding the organisation you are outsourcing to is pivotal in addressing potential security problems, so below are some basic guidelines:

Understand the current security model

It sounds obvious, but it is often taken for granted. Evaluating the security controls currently in place in your organisation, and the risks they should be eliminating, is important in knowing what you need to ask for when you seek a cloud service. This process also helps identify what is working and what isn’t, and gives you the ability to request the same security standards from your cloud service provider (CSP). If this assessment uncovers gaping holes, you have the opportunity to rectify them with your new CSP; if your security is up to scratch, you have a benchmark by which to measure. Ensuring that internal security measures and your new CSP's security credentials match up is critical in delivering the safest environment possible for your organisation.

Given the variety of cloud solutions available, from infrastructure through to network, your cloud choice may need to integrate with existing security standards. In such cases, firewalls and other traditional security measures can be adapted to integrate with new security policies. In theory, this is the case; however, a full assessment and understanding of these traditional measures may uncover non-compatibility with current systems. Understanding the full scope of your business, your requirements and your current security measures will direct you to what you need from your CSP.

Keep in mind: Change can be difficult, and risky. Have a safety net in place. The security systems in your organisation are going to change, and making sure the change is for the better means you need to understand the security bottom line.

Don’t be afraid to: Take this security investigation as an opportunity to give your security system an overhaul.

Ask tough questions and assess the risks

Managing your outsourcers’ security levels should not be overlooked. The CSP’s internal security policies, regulations and laws (if you are looking offshore) need to be understood and evaluated. They will help develop a picture of what the security spectrum of your business will look like in an outsourced environment and most importantly identify any current gaps.

A cloud has different avenues for attack than would otherwise be available in a traditional data centre. The increased surface of a cloud increases its vulnerabilities, which puts your organisation at higher risk. Components such as virtual switches, which connect virtual machines with virtual networks by directing communication and data packets, and software programs that allow machines to communicate with each other, are characteristics that your organisation may not previously have been exposed to, so it is critical to understand the potential impact of this new environment.

Transferring part or all of your organisation's IT footprint to the cloud is a big change with sometimes unpreventable mishaps. If a problem arises from an unexpected incident, who is to blame? The organisation or the provider? Responsibility between your organisation and the outsourcer needs to be allocated in the initial phase to avoid any confusion in the long run. Be upfront when embarking on this new relationship, and open the doors between your current IT staff and your future provider to ensure that expectations and responsibilities are measured and tracked.

Keep in mind: What you expect your outsourcer to deliver may not always be clear. Define and determine responsibilities. Ensure that your CSP offers the levels of customer service you are accustomed to, with access to expert technicians (either on-staff or through a certified partner network). For additional levels of support, find a provider that offers a range of managed and professional services to help you develop a cloud strategy, migrate to the cloud, and maintain optimal cloud performance.

Don’t be afraid to: Look up specific international security standards and be informed and aggressive when dealing with your future (or current) CSP.

Investigate the environment

Knowing what needs to be outsourced is very different from knowing what the ripple effect will be when that segment of your organisation is actually outsourced and placed on the cloud.

Your cloud provider is now the first line of defence in your external incident management process. They must be able to detect, evaluate and report any incident in a suitable timeframe and through the process already expected by your company. Consider, too, the legal and operational impacts. By outsourcing, you are, in a way, joining with another organisation, so be sure of the overall compatibility.

Consider this, too: Multi-tenancy. You could be one of numerous companies that the CSP is providing service to. There is no physical separation. Investigate whether you are entering into a multi-tenant environment, and what exactly this means for your organisation and its information.

The outsourcer will be retaining a lot of information about your internal organisation workings, too. If any internal incidents occur, accessibility around records must be agreed upon and understood. Identifying individuals within the outsourcing organisation will help increase transparency and reaction around any issues.

Keep in mind: Your information is now housed inside another organisation's (metaphorical) walls. This is an integrated service, designed to know the ins and outs of your organisation.

Don’t be afraid to: Look for evidence that shows whether each service provider has experience serving enterprises like yours. This includes sample customer lists, reputation, track record, and existing customer base. Service providers that have experience in your company’s industry or have similar customers are likely to understand your business and technology needs.
