Often, organizations are under the impression that if they go to a cloud service provider, they provide all the security services for on-premise services, PaaS, SaaS and IaaS. Nothing could be farther from the truth. In the below picture, moving progressively from the left, you can see how the customer's responsibility shifts and how the service provider accepts responsibility until you go into SaaS, where everything is offered as a subscription.
And yet, even in this model, which is not easy to achieve uniformly across the organization, the organization's data set is your own responsibility. And the regulatory perspective, contracting perspective or public perspective, can kill shareholder value rapidly when bad news is covered by the media.
This picture can help you navigate the responsibility matrix between an organization and a service provider.
As an IT practitioner preparing for a journey to the cloud, it is important to get your heads around these issues. The journey itself is so rapid, it tends to take us by surprise. You won't have enough time to consider all the aspects that could lead to litigation, a breach or public outcry, and ultimately, lead to loss of shareholder value.
In addition, the expectation from your business partners is often that the required services can be put into production by tomorrow morning. Your organization must have a solid matrix of safe guards, and preferably, a reliable partner to walk you through it so that you aren't caught unaware when something goes wrong.
The honeycomb structure above helps me think clearly about a cloud security strategy, comprehensively. Documenting it is not the easiest thing to do and believing that it will remain stable is wishful thinking. The issue then is to keep the strategy document living and to ensure that there is healthy debate between the core IT unit, the CSO and the compliance unit to make sure there’s agreement on what is documented and verify that it's being implemented carefully.
IT professionals used to have ownership of each piece of the server because they had an asset tag on it. That meant that IT kept careful inventory and had a good catalog. That benefit is simply gone. Now, the CFO is only looking at a scalable, OPEX number month after month and keeping track of the run rate. Visibility of your assets is lost.
Yet to keep compliant with the regulations, you must keep track of the instances with your name attached, so when it comes to a dispute further down the line, you know what the snapshot was on the day of the dispute. You need to develop a parallel mechanism independent of the original asset tagging mechanism to do this.
When it comes to business owners, compliance practitioners, the chief risk officer, or standing up in front of the regulator to be scrutinized on how you've handled client data, nothing is more embarrassing than to find out that you haven't been careful enough. And it does make a difference if it is cloud-hosted because oftentimes, assumptions are made that the data is protected by someone other than us. Data classification, policies on backup and retention, ownership as well as the principles of encryption must be addressed. And don't forget data de-classification and destruction.
User identity and access
This is a less risky consideration, as there are always plenty of options from your trusted partner to implement the right identity and access management tool on cloud, and continually monitor it and keep yourself safe. It’s important, but easily implemented.
Regardless of the size of your service provider, the infrastructure inclusions are easy to negotiate. They've already made the investments and have the technology and the framework to help you. But you have to make sure the inclusions sit in your contract. You need to have that discussion and be proactive, so you're well-protected.
Platform as a service
Platform as a service is an area that I consider relatively safe. As long as you maintain the industry standard and keep a tight benchmark, comparing your matrices with that of the market, you will be fine.
The difficulty is when inevitably you have to mix your cloud legacy applications with those you buy as a platform as a service. Implementing a uniform contract with the service provider is a challenge and can result in a dispute or an incident.
Inevitably with an organization that spans geographies and pressure points, you will choose more than one cloud service provider. The trick is to plan this carefully enough to presume that you will have an outage with one provider and not with the other. Negotiate well enough to be able to absorb the entire capacity on the other provider with minimal disruption. While you're doing that, also remember that you need strong interfaces between service providers—integration points.
Especially with the hybrid model, there are performance software that help you measure the capacity without applying actual load. I strongly recommend that you work those into your contract and try them out at scale before you offer the cloud service to even internal business users.
Overall, understanding the inherent risk impact of cloud security is critical to your journey to cloud, as it is essential to building business resilience and brand trust.