Well-established cloud customers may have a reasonably good understanding of the risks and procedures necessary to make the most of the model, but new entrants will face a steep learning curve that requires ongoing involvement with the business organisation to resolve, the University of Melbourne's IT security and risk management head has warned.
Speaking at the recent CSO Perspectives Roadshow, IT security and risk manager Wayne Tufek said when some business groups within the university first approached him a year ago about moving some core services to the cloud, he had to move quickly to evaluate the full spectrum of the risk it presented – and to enlist the support of business owners to make it happen smoothly.
“Understand the business, and exactly what the business is trying to do and why,” he said. “Consider the business value of the process versus the importance of the information. If the value of the information is high, and the value of the business process is high, you should give serious consideration to the risk.”
A critical part of the cloud migration, he said, was building up a team of contacts across the organisation. The first crucial step was to identify the person who owns the data: “if you don't have the concept of the data owner in your organisation, now's the time to start putting that into action,” he explained. “The data owner is someone who's not in IT – but often these people, if they're too busy or not interested, delegate someone so they can get rid of their accountability.”
Other key cloud-migration team members included the IT department; a project team; the legal department, who have an important role to play in negotiating contracts; the organisation's vendor management team; and the cloud service provider (CSP) for the services involved.
Clarity in scope and purpose helped drive the planning of the migration, particularly in terms of the data to be migrated. Data owners need to outline the data to be moved down to the field level, with Tufek using a spreadsheet to outline exactly what information was to be moved.
Accuracy is critical at this stage, since data definitions inform the contract process. When the data owner decided at the last minute to add another data field to the definition, he said, “it did put a bit of a spanner in the works. We had to go back and do the whole thing again.”
Other important risk-management questions may not come immediately to mind. These include assessing the CSP's business continuity plans; compatibility in their interfaces to ensure smooth flow of data; clarification of their maintenance processes; plans for managing development and test environments; and even whether the proposed business process needs to change.
It had been a learning process throughout the migration, Tufek said, with compromise important all around.
“I've had to come up with a bit of a process,” Tufek said. “It's through trial and error, and occasionally I've made mistakes along the way. But the process actually works by building a little bit more of the understanding of the risk, then making a decision and coming back to it. Evaluate the CSP, and assess the risk. Negotiate the contract, assess the risk – and then continually monitor and assess the risk once the contract is in place.”
By identifying the desired outcomes from the cloud migration early on, deviations from those outcomes could be quickly identified and dealt with.
“There was one instance of moving to the cloud where the vendor didn't have the right controls in place,” he said. “However, we were able to modify the business process and still use their system, whilst keeping the data in our data centre. We wouldn't have been able to provide that, which the business was happy with, without understanding the business processes and what the steps of the process were.”
Compliance with information-security guidelines – for example, the evolving ISO 27017 and ISO 27018 cloud-security standards and the SSAE-16 Service Organization Control-2 (SOC-2) reporting standard – is also important in evaluating the risk of a CSP and their compliance with data-protection and privacy guidelines.
“You want to assess the CSP, go talk to them, ask questions, review the documentation onsite, talk to people, and so on,” Tufek advised. “You can always list controls and processes, and include them as an addendum to the contract. Include regular and formal third-party assessments, access to the particular documents that accompany assessments and reviews, and even options such as regular vulnerability testing.”
Business-continuity objectives were also critical to clarify up front, with contractually defined recovery time objective (RTO) and recovery point objective (RPO) targets necessary to ensure rapid response in the event of failure. Ditto a long enough termination period – 30 days is not long enough, Tufek warned – as well as addressing liability limits, defining when downtime calculations begin, and how issues such as the secure deletion of data and the customer's right to audit are handled.
Ultimately, despite the technological advancements that the CSO can bring to bear in cloud engagements, business managers will play a critical role in keeping cloud services aligned with business objectives. Yet despite the diversity of often conflicting IT interests within as varied a community as a large university, Tufek said that building a culture of engagement had enabled productive and meaningful dialogue with the business people.
“Some of the university faculties or business units have their own budget and IT groups, and basically do whatever they like,” he said. “There are some governance issues there in terms of making sure everyone is moving in the right direction – but where the central IT department does find out, we go speak with the data owner about the different types of risks.”
“It's pretty easy when you're working with astute people who will work with you to mitigate those risks,” he continued. “They'll help you to work with them so you can make the risk management decisions. It's more about education, and making them aware of what those risks are in the first place.”