Establishing a Cloud Broker Model – Part 2

In 1973 Peter Drucker in his book “Management Tasks and Responsibilities” defined strategic planning as:

“The continuous process of making present entrepreneurial (risk-taking) decisions systematically and with the greatest knowledge of their futurity; organising systematically the efforts needed to carry out these decisions; and measuring the results of these decisions against the expectations through organized, systematic feedback.”

Drucker’s view was that strategy is primarily a collection of decisions made in the present regarding a future that is inherently uncertain. He recognised that strategy cannot eliminate risk, because there is no crystal ball that we can look into to predict the future. Risks have to be taken. The purpose of strategy is therefore not to remove risk but, in Drucker's words, to take the "right risks." Innovation is, at its core, an act of discovery in which we must embrace the uncertainty of the environment, exploring it for opportunities.

That was 1973. If we fast forward to 2013, almost 40 years later, the words “embrace the uncertainty of the environment, exploring it for opportunities” could not be truer, given the rapid growth and development of the Cloud computing environment: its adoption across the enterprise, the inhibitions that surround it, and the risk universe that Cloud services operate in.

In Part 1 of Establishing a Cloud Broker Model we explored how IT services functions within organisations, and more specifically the information security function within an enterprise, should look to pilot these cloud broker roles. This is because the information security function is optimally placed to articulate compliance requirements and risk profiles: it is positioned to understand the business process and information flow whilst also ensuring the environment is secured with adequate internal and external cloud controls.

We further talked about the three categories of cloud brokerage being Service Intermediation, Service Aggregation and Service Arbitrage, but none of these can be successfully implemented in the absence of a “Services Strategy”.

I believe at this point you would think, “here we go, another strategy discussion,” but you should seriously think about it. A strategy does not have to be a complex pie-in-the-sky document from Gartner, Bain, McKinsey or Booz. It could simply be how your technology or security function within the information services or information technology division will assist in the achievement of business outcomes by best utilising the capabilities and resources available.

To appropriately deliver the required service and act as service brokers, internal IT functions are required to change their approach and establish definitions of services, which will lead to the development of a portfolio of services that the IT function can successfully deliver. Where they cannot deliver, the strategy will describe a position on how best they will service business demand that exceeds their delivery capability. To achieve this and appropriately establish a successful “Internal Cloud Service Broker Model”, the service strategy is required to articulate how business demand for its portfolio of services will be met and how the required business objectives will be achieved.

In my opinion a service strategy for enabling cloud brokering should be undertaken following this 10-point process.

1. Cloud Service Intermediation is undertaken by the internal IS/IT functions with value added services such as identity or access management capabilities being provided to appropriately provision the use of cloud services. This ensures that:
a) All services are appropriately secured with identity and access credentials being serviced and secured following organisational policy and procedures.
b) All services utilise a common access validation and security model.

2. Cloud Service Aggregation is where the internal IS/IT function provides the glue to bring together multiple services and warrants the interoperability and security of data between systems. This ensures that:
a) All services have the ability to be integrated and utilised at strategic and tactical levels. This ensures services can be consumed for operational enhancements, transition and transformation projects.
b) All services are agile such that changes to internal and external environments are promptly identified and adjustments made accordingly. This provides service owners the ability to continuously assess and address identified gaps.
c) All services have a service model that defines their structure and details, which in turn influences service utility and warranty. This ensures the services are fit for purpose and fit for use.
d) All services have constraints identified that impede the ability to meet the required business outcomes. This provides the business an understanding of the inherent risks associated with the consumption of the service.

3. Cloud Service Arbitrage provides flexibility and “opportunistic choices” by offering multiple similar services to select from. This ensures that:
a) All services are analysed to ascertain service demand, and associated capacity to deliver, through internal resources, outsourced or cloud sourced.
b) All services are defined as service packages where services are broken down into core services, enabling services and enhancing services such that the business can appropriately choose the type of service required in-line with its objectives. This provides the business with a sense of control.
c) All services are appropriately managed and governed such that required service improvement across people, process and technology are appropriately captured and undertaken.
d) All services within the services portfolio are defined with a clear purpose and delivery methodology. This removes ambiguity and aligns the business unit service strategy with the broader organisational services strategy.

Cloud service brokerage is by no means an established field with ready examples that demonstrate success. However, with the rise of cloud services, and with cloud first now being the default position of most executives, it is an opportune time for internal IS/IT departments to begin moving towards being business enablers by having a service strategy.
