Establishing a Cloud Broker Model – Part 2

In 1973 Peter Drucker in his book “Management Tasks and Responsibilities” defined strategic planning as:

“The continuous process of making present entrepreneurial (risk-taking) decisions systematically and with the greatest knowledge of their futurity; organising systematically the efforts needed to carry out these decisions; and measuring the results of these decisions against the expectations through organized, systematic feedback.”

Drucker’s view on strategy was that it is primarily a collection of decisions made in the present regarding a future that is inherently uncertain. He recognised that strategy cannot eliminate risks because there is no crystal ball that we can look into to predict the future. Risks must be taken. The purpose of strategy is therefore not to remove risk but, in Drucker's words, to take the "right risks." Innovation is, at its core, an act of discovery in which we must embrace the uncertainty of the environment, exploring it for opportunities.

Well, that was 1973. If we fast forward to 2013, almost 40 years later, the words “embrace the uncertainty of the environment, exploring it for opportunities” could not be truer, given the rapid growth and development of the Cloud computing environment: its adoption across the enterprise, the inhibitions that surround it, and the risk universe that Cloud services operate in.

In Part 1 of Establishing a Cloud Broker Model we explored how IT services functions within organisations, and more specifically the information security function within an enterprise, should look to pilot these cloud broker roles. This is because the information security function is optimally placed to articulate compliance requirements and risk profiles: it is positioned to understand the business process and information flow whilst also ensuring the environment is secured with adequate internal and external cloud controls.

We further talked about the three categories of cloud brokerage being Service Intermediation, Service Aggregation and Service Arbitrage, but none of these can be successfully implemented in the absence of a “Services Strategy”.

I believe at this point you would think, “here we go—another strategy discussion,” but you should seriously think about it. A strategy does not have to be a complex pie-in-the-sky document from Gartner, Bain, McKinsey or Booz. It could simply be how your technology or security function within the information services or information technology division will assist in the achievement of business outcomes by best utilising the capabilities and resources available.

To appropriately deliver the required service and act as service brokers, internal IT functions are required to change their approach and establish definitions of services, which will lead to the development of a portfolio of services that the IT function can successfully deliver. Where they cannot, the portfolio will describe a position on how best they will service business demand that exceeds their delivery capability. To achieve this and appropriately establish a successful “Internal Cloud Service Broker Model”, the service strategy is required to articulate how business demand for its portfolio of services will be met and how the required business objectives will be achieved.

In my opinion a service strategy for enabling cloud brokering should be undertaken following this 10-point process.

1. Cloud Service Intermediation is undertaken by the internal IS/IT functions with value added services such as identity or access management capabilities being provided to appropriately provision the use of cloud services. This ensures that:
a) All services are appropriately secured with identity and access credentials being serviced and secured following organisational policy and procedures.
b) All services utilise a common access validation and security model.

2. Cloud Service Aggregation is where the internal IS/IT function provides the glue to bring together multiple services and warrants the interoperability and security of data between systems. This ensures that:
a) All services have the ability to be integrated and utilised at strategic and tactical levels. This ensures services can be consumed for operational enhancements, transition and transformation projects.
b) All services are agile such that changes to internal and external environments are promptly identified and adjustments made accordingly. This provides service owners the ability to continuously assess and address identified gaps.
c) All services have a service model that defines their structure and details, which in turn influence service utility and warranty. This ensures the services are fit for purpose and fit for use.
d) All services have constraints identified that impede the ability to meet the required business outcomes. This provides the business an understanding of the inherent risks associated with the consumption of the service.

3. Cloud Service Arbitrage provides flexibility and “opportunistic choices” by offering multiple similar services to select from. This ensures that:
a) All services are analysed to ascertain service demand, and associated capacity to deliver, through internal resources, outsourced or cloud sourced.
b) All services are defined as service packages where services are broken down into core services, enabling services and enhancing services such that the business can appropriately choose the type of service required in-line with its objectives. This provides the business with a sense of control.
c) All services are appropriately managed and governed such that required service improvements across people, process and technology are appropriately captured and undertaken.
d) All services within the services portfolio are defined with a clear purpose and delivery methodology. This removes ambiguity and aligns the business unit service strategy with the broader organisational services strategy.

Cloud service brokerage is by no means an established field with ready examples that demonstrate success. However, with the rise of cloud services and cloud first now being the default position of most executives, it is an opportune time for internal IS/IT departments to begin moving towards being business enablers by having a service strategy.


Stories by Puneet Kukreja
