While some of the technical underpinnings that make up the cloud’s “secret sauce’, are relatively recent innovations, the business case for managing critical IT functions as services – inside or outside the firewall – is not a new concept. At the end of the day, the cloud is just another way to outsource IT functions, and the same fundamental concerns that exist with more mature outsourcing offerings need to be addressed – such as, how does an organization manage its security and compliance posture when critical systems and data are hosted or managed by a third party?
When Sarbanes-Oxley first hit in 2002, almost overnight every security company became a compliance company. Fast-forward to 2010, and every security company is now a cloud company, or has a cloud strategy. Whether or not it makes sense for an organization to move IT assets to the cloud depends on a host of factors, with security and compliance being two of the most important. One way IT managers can assess the risk of moving into the cloud is to look at more mature outsourcing models (some of which are actually “flavors’ of cloud computing) to see what’s working, what’s not, and decide how those lessons can be leveraged by their organizations.
What exactly do we mean by “The Cloud?” According to NIST, there are four main cloud types: public, private, hybrid and community. The Cloud Security Alliance divides private clouds into two types – internal, on-premises and external, which consists of dedicated or shared infrastructure.
Services in the cloud are provisioned without having to talk to a person, can be scaled up and down on-demand, are drawn from a bigger pool that other customers can also access in the same way, can be easily monitored via laptop, smartphone, etc., and are billed in a transparent, per unit manner.
According to Forrester Research, only 5% of large enterprises globally are capable of running an internal cloud – the easiest model to execute from a security perspective, since it resides inside the firewall. Other surveys, including one from Information Week, which sampled more than 500 organizations, all reveal the same thing – that despite all the hype, the cloud is not the Holy Grail… yet.
While some of the technical underpinnings that make up the cloud’s “secret sauce, are relatively recent innovations, the business case for managing critical IT functions as services – inside or outside the firewall – is not a new concept. Currently, moving security to the cloud (via your friendly neighborhood MSSP) seems to be easier than managing the security of the cloud. According to Gartner, Inc. in its 2009 MSSP Magic Quadrant, 60% of Fortune 500 enterprises had engaged in some level of use of an MSSP, representing about 25% of enterprise firewalls under remote monitoring or management. If the business world is already comfortable outsourcing critical business functions, then the cloud, in all its diversity and complexity, is an impending reality.
At the end of the day, the cloud is just another way to outsource IT functions, and the same fundamental concerns and business challenges that exist with more mature outsourcing offerings need to be addressed (think hosting and managed services). Most importantly, how does an organization manage its security and compliance posture when critical systems and data are hosted or managed by a third party?
Most compliance requirements mandate documenting and auditing how companies access, store, manage and secure certain types of critical data. That can be difficult enough when you control the assets – how do you do that when the assets are not under your control? Do you simply trust that the service provider is doing it right? How do you deal with audits? With auditors? How do you ensure chain of custody, separation of duties, and accountability?
Ultimately, the security and compliance posture of critical data and assets resides with the organization and not the outsourcing or cloud partner. To date, Service Level Agreements (SLAs) have been the primary tool used by organizations to hold their outsourcing partner accountable for any potential compliance violations or security breaches. However, the reality is that SLAs can easily lose their teeth if there is no way to enforce them. Given the complexity of today’s corporate computing environments, creating and maintaining that level of visibility can be a challenge.
The one key difference between traditional outsourcing models and the cloud is that the elastic and on-demand nature of the cloud creates a scenario where the physical location of a company’s data or infrastructure is not fixed. On top of that, to protect their own security, cloud providers may not be inclined to provide significant visibility into their own IT operations. If you thought that “re-perimeterizing” your electronic assets was difficult with other outsourcing models, the amorphous nature of the cloud further blurs the lines.
Fortunately, tools and methodologies are available today that can enable cloud providers to deliver the security and compliance levels that organizations need. Most security technology vendors have responded to the risk management and compliance needs of their customers by providing significant enhancements to their management, monitoring and auditing capabilities. The result is that stakeholders have much better visibility into the state of key systems and assets at any given point in time, regardless of where they physically reside.
Whether it is via a common interface, an automated management tool, or a custom process, there are a host of methods that enable both cloud owners and cloud users to manage the confidentiality, integrity and availability of assets. Automated monitoring tools can also be used to ensure service levels are being met and can act as a common management interface for both cloud customers and providers. This provides both parties with a way to share responsibility for managing security and compliance without the cloud customer having to own the granular, day-to-day management of the infrastructure.
Furthermore, this kind of technology-driven accountability provides cloud customers the ability to quickly take back or transfer IT management, knowing that the security and compliance history of the asset being managed can be understood with a few mouse clicks. If for some reason the relationship with the cloud provider unexpectedly terminates or the company decides to take it back in house, the internal team has the benefit of the shared knowledge base.
Leveraging technology to create transparency and shared accountability is a model that has already caught on in Managed Services, especially within the MSSP space. In its Q3 2010 Forrester Wave: Managed Security Services, Forrester estimates that the global size of the managed security services market is about $4.5 billion, and predicts a 15% growth rate for at least the next three years. That number includes outsourced and software-as-a-service (SaaS) security services (a typical cloud scenario) as well as other annualized security operations. Traditionally, MSSPs p either host the entire security infrastructure or the management of systems that reside within the customers’ firewall. In cloud-speak, this scenario would be described as a hybrid cloud.
While the widespread use of virtualization technology has added a new set of management challenges, innovations in the ability to manage the security and integrity of highly complex and dynamic virtual environments are advancing at a rapid pace. Enhancements in network security technologies that cater to managing security in multi-tenant environments are also evolving quickly. For example, advancements in firewall management technologies have enabled firewalls to be used much more effectively and strategically for internal network segmentation without risk of downtime or outages. This is just one example of many areas where automating network management can have a positive ripple effect
If you are thinking of moving your security to the cloud, there is a wealth of information available that outlines how to approach everything from assessing the risk of specific IT assets as they pertain to specific models, to areas of focus for an SLA or to best practices across various disciplines of logical, virtual, and physical security.
One of the most comprehensive and credible sources for securing cloud environments is the 76-page “Security Guidance of Critical Areas of Focus for cloud computing.” The brainchild of the Cloud Security Alliance (CSA), the Guidance, which can be downloaded for free off the CSA’s website, is one of the largest and most impressive security community efforts to date. It should be required reading for anyone interested in or involved with approaching, managing, and maintaining security and compliance in the cloud.
The maturity of certain segments of the current IT outsourcing market reflects that the technology is, for the most part, available to manage these kinds of relationships. But as we all know technology is only one leg of a three-legged stool. The other two legs – people and process components, are critical to the success of any IT initiative. Ã‚Â That’s what makes the industry commitment to developing a holistic approach to cloud security so refreshing – it shows that for as far as we might have to go, as an industry, we’ve come a long way in a relatively short time.