8/8/2019 ATC Cloud Security

1/16

Having Confidence inCloud ComputingAddressing Enterprise Security Concerns

8/8/2019 ATC Cloud Security

2/16

8/8/2019 ATC Cloud Security

3/16

3

Although there is growing

recognition of cloud com-

putings benefitsand an

ever stronger business

case for achieving high

performance by moving

deeper into the cloud

progress is snagged on

concerns about IT security.Enterprise IT leaders now

must find the right bal-

ance between the risks

and rewards of computing

in the cloud. They can

benefit by revisiting

well-established IT secu-

rity and enterprise riskmanagement practices.

8/8/2019 ATC Cloud Security

4/16

4

It is fair to say that cloud computing

has arrived. Not long ago, Citigroup

purchased 30,000 seats of Salesforces

customer-facing software-as-a-service

(SaaS) applications for its financial

advisors worldwide.1 NASDAQ relies

on Amazon Web Services S3 to store

historical data on stocks and funds and

uses a lightweight rich Internet appli-

cation to generate new revenues.2 And

contract manufacturer Flextronics says

it will use human capital management

solutions from SaaS provider Workdayto service its 200,000-plus employees

around the globe.3

These days, IT professionals can very

quickly help their organizations move

toward high performance by using

increasingly available compute cycles

not only to run applications off-premise

but also to test and develop software

applications in the cloud. Today, plat-

form providers such as Force.com and

Amazon Web Services give developers

access to real-time workflow, program-

mable user interfaces, real-time mobile

deployment, and real-time analytics

without the capital expenditures

associated with maintaining data

centers to enable these activities.

However, more than a few IT profes-

sionals, alarmed by news stories about

Internet security breaches and facing

a daunting array of complex regulations,

are taking a go-slow approach to cloud

computing. Even if they favor a faster

move into the cloud, they know they

face resistance from business execu-tives who have legitimate concerns

about how cloud computing could

heighten the risks for the overall

organization.

The trouble is, IT leaders caution may

be limiting their organizations ability to

significantly reduce IT operating costs.

Of course, prudence is warranted with

any move to relinquish or share control

of key data assets, but fear and mis-

trust are not. Accenture believes it

is incumbent on IT professionals to

help lead the way here. They are best

positioned to present the increasingly

powerful business case for cloud

computing and balance it with a dis-

passionate analysis of the real threats

their organizations may be exposed

to and how these will be mitigated,

managed and measured over time.

In this paper, Accenture suggests waysin which IT managers, chief operating

officers, chief information security

officers and enterprise risk manage-

ment professionals might plan to

establish the most appropriate balance,

applying a clear, straightforward and

practical approach that is rooted in

longstanding IT security principles.

8/8/2019 ATC Cloud Security

5/16

5

Facing the key security concernsFour major security concerns worry

IT leaders. First, they struggle to trust

relatively new and unfamiliar cloud

providers as part of their extended

enterprises. Can they be sure that

these providers will treat their data as

they do? Where exactly is their data

being stored, and how, if it is frag-

mented among many data centers,

is it re-integrated?

Second, IT professionals questionwhether cloud providers have the

levels of infrastructure security to

be able to ward off cyber-attacks.

Third, do providers have the mechanisms

in place to be able to manage, measure

and report on industry regulations?

And can they be accountable if they

fail to comply?

The last concern is about availability. IT

managers are right to look for service-

level guarantees. But in the case of

the cloud, response times cannot be

guaranteed since data travels through

the Internet. (This challenge is even

greater for the infrastructure cloud,

since it supports the software code.)

They also need reassurance about

business continuity in the event of a

problem. IT professionals have to be

sure that their third-party providers

have the right recovery strategies inplace.

The fundamental response to these con-

cerns is that good security practices

are good everywhere. If a customers

cloud providers follow the same secu-

rity procedures and policies that it does,

adhering to the same regulations and

following the same data privacy laws,

then the customers risk posture should

be unchanged. If the providers fall

short of those practices, then the cus-

tomers risks will have increased, which

can result in fines or even legal action.

But ifas is increasingly the casethe

providers security practices are more

rigorous than the customers, then the

customer will not only have cut IT

operating costs, but it will have reduced

its overall IT security risks.

8/8/2019 ATC Cloud Security

6/16

6

Tracking the clouds rapid riseCloud computing adoption is increasing

as more and more senior managers rec-

ognize its potential for achieving high

performance; 30 percent of IT decision

makers polled in late 2008 by CIO

magazine said they were already using

or implementing the cloud in some form,

and another 17 percent were actively

planning or researching.4 Cloud services

will make up a significant part of the

increase in IT spending growth by

2012, according to research firm IDC.Interestingly, it is one of the very few

technology sectors where industry

analysts have revised their forecasts

to account for stronger growth than

originally anticipated.

The economics of the cloud are com-

pelling for large enterprises as well as

small- to mid-sized organizations. At

Dell, for instance, the cloud is credited

with providing the computer maker with

a 10 percent lift in sales productivity

and a unified global CRM approach.5

In the case of one large UK-based

insurer, going to the cloud for develop-

ment and implementation of the firms

new corporate intranet produced 50

percent savings, reduced operational

costs and deferred capital expenditure.

The intranet initiative came online in

half the time it would have taken for

an on-premise solution.

A key selling point of the cloud is

substantially reduced or no capital

spending for a given application in

favor of flexible on-demand computingthat is accounted for as operating

expenses. In one project under devel-

opment, a US government agency was

looking at how to manage predictable

peak load demand for a nonsensitive

application. The on-premise solution

would have cost about $4 million for

equipment, $1 million for the software

licenses and $70,000 per year in

energy costs. A comparable cloud

solution cost $131,000 a year for

round-the-clock service, with no

additional power costs.

IT leaders are becoming familiar with

different opportunities to use cloud

computing, extending their horizon

beyond the concepts of running or

storing applications off-premise.

(See Figure 1.) More and more com-

panies are actively exploring cloud

services as potential software test

beds; some are looking to the cloud

to help resolve peak-load challenges

or to help support IT infrastructure

needs. Accenture believes that it is

unrealistic to expect that the cloud willbecome a proxy for enterprise IT oper-

ations in the foreseeable future, given

the dependence of the typical large

enterprise on quirky legacy systems. It

will, though, become a permanent and

increasingly important aspect of any

CIOs IT landscape and toolkit.

Figure 1. Identifying cloud opportunities

Easy

HardHigh ValueValue to the Enterprise

Ease of

Implementation

Business Continuity

(Storage)

Extensive storage Backup and recovery Batch and Data Intensive Applications

One-off applications that do not rely on real-time response

Data and high-performance intensive applications (financial risk

modeling, simulation, data compression, graphics rendering...)

New back-office applications

Legacy

Specific existing infrastructure

Complex legacy systems

Software Development and Testing

Software development and testing environment

Performance testing

Nonproduction projects

R&D activities

Reduced time to market

Desktop Productivity

Web 2.0 applications

Workgroup applications

Office suites

E-mail and calendaring

Sensitivity

Mission critical applications

Regulation-protected data (HIPAA,

SOX, PCI...)

Peak Load Demands

New business activities

Applications with peak-loads

Seasonal websites

Applications with scalability needs

8/8/2019 ATC Cloud Security

7/16

7

The drivers of the clouds uptake are

plain to see. Consumption-based on

demand compute cycles are inherently

low-cost. Capital expenditure is hardly

an issue since cloud computing is, de

facto, an exercise in outsourcing. On

top of that, the cloud offers agility

achieving value more quicklyas well

as unprecedented scalability. Each is

a sweet spot for companies that prize

rapid business change and speedy

introductions of products and services.

In fact, scalability on demand andflexibility for the business were the

primary rationales for going to the

cloud among the IT managers surveyed

by CIO.6

Over the last decade, the core technolo-

gies have converged to make the cloud

a reality: virtualization, grid computing,

Web services, and massively parallel

computation frameworks are maturing

rapidly. In tandem, a cadre of capable,

credible vendors has emergednames

such as Salesforce.com, Workday, Ama-

zon Web Services, Google, ServerVault,

Microsoft BPOS, Microsoft Azure, and

AppNexus among them. In their wake

has come a growing roster of cloud

success stories. We see the layers ofthe cloud along the following lines.

8/8/2019 ATC Cloud Security

8/16

8/8/2019 ATC Cloud Security

9/16

8/8/2019 ATC Cloud Security

10/16

10

Taking action tomorrowSo what actions make sense for IT

leaders right now? Accentures empir-

ical IT security work over many years

with a wide range of organizations

shows that the following fundamentals

apply to cloud computing initiatives:

Carry out a detailed cloud riskassessmentWith the collaboration of the relevant

business colleagues, IT leaders must

weigh the criticality of applications and

data and decide what is cloud appro-

priate. They must gauge what risks

they are willing to takefor example,

whether to move new product data or

customer data to the cloudin context

of the benefits of doing so and theregulations that apply to where the

data must reside.

Get to know key cloudprovidersAs with any outsourcing arrangement,

it is essential to carry out detailed due

diligence on providers performance

including their financial performance.

Cloud computing providers vary in

market position and approach; differ-

ent vendors have different levels of IT

security and data management. It is

also necessary to help confirm that

they meet key standardsfor example,

regulations, standards, guidelines and

codes of practice such as ISO 27001.

Also important: reviews of a providers

previous audits and compliance reports,

looking for gaps in service compared

to your on-premise solution.

Contracts should be clearIt is vital to put in writing the standards

to which you require adherence.

Analyze the data flowThis calls for charting the lifecycle of

the relevant data assets, from develop-

ment to their destruction. IT managers

must know where data is at all times

so they can help confirm that it is being

stored and shared in compliance with

local laws and industry regulations at

appropriate levels of IT security.

Build a cloud security strategyLeveraging well-proven IT security

principles, IT leaders must define the

key security elements, knowing where

encryption is needed, for example, and

understanding which transport layers

are important. Accentures High Per-

formance Business research initiative

also underscores the need to under-stand how such a strategy relates to

implementation of the technology as

well as to its ongoing effectiveness.

Manage complianceThe regulatory complexities are enor-

mous when doing business in multiple

nations: some governments regulate the

physical locations of the servers where

organizations keep their data. Well-

known mandates include the European

Unions Data Privacy Directive, the

U.S. Health Insurance Portability and

Accountability Act (HIPAA) and the

U.S. Sarbanes-Oxley Act. The financial

services sector is the target of a host

of emerging regulations, and many

new rules are in development that will

affect critical infrastructure. IT leaders

cannot expect their cloud providers

to be compliant for them. But they

must expect them to provide what is

needed to help achieve compliance.

Help strengthen continuityWhat happens if something breaks

while in the cloud? How is the data

owner notified, and how quickly? How

is the data recovered? These are the

basics of best practices in business

continuity, and they apply just as much

to cloud computing as to any IT out-

sourcing arrangement. They must,

of course, align with regulatory man-

datesparticularly in tightly regulated

industries such as financial services.

Educate, communicate

It is the IT leaders responsibilityto educate employees on IT security

policies and procedures and to be

very clear about how those policies

and procedures relate to the cloud.

For example, employees must adhere

to corporate IT security policies when

exploring cloud services for any work-

related activities, such as testing a new

IT service or storing data on the cloud.

8/8/2019 ATC Cloud Security

11/16

11

The conversation about cloudsecurity and the associatedpolicies are matters for discus-sion at the highest levels of the

organization. There must beparticular emphasis on thequestions of data privacy andgovernance, on service-levelagreements and on the ins andouts of contracting with cloudproviders. Here is a samplingof the kinds of questions thatshould be on the table:

Who is accountable for the

security of our data and towhom do they report? Whoare the stewards of our dataand how do they ensure thatthe data is tracked and securedappropriately?

Do we have a defined andexplicit stance on the risks andrewards of cloud computingone that has been or is beingshared with all relevant IT staffand business users?

Might the provider lose ourdatathrough misuse, or theftor fraud, for example? If so,what recovery plans do wehave? And how are weprotected contractually?

What are our obligationsregarding data protectionversus those of a cloudservices provider?

Do we know how some ofour intellectual property mightbecome visible when reassem-bled in collaboration clouds?

What is our policy for whichstaff are authorized to depositand store data with a cloudprovider?

What do our e-discoverypolicies and processes looklike and how do they compareto those of a cloud provider?

Do we know how a cloudservice provider might changeits terms of service?

What formal standardsinternational or regional orindustry-basedare used inthe development and operationof the cloud service?

What are we obligated todisclose to our customersregarding where and howtheir data is being stored?

How do we stay up-to-datewith where our cloud providersdata centers are locatedandwith what local laws governtheir activities and securityprotocols?

How do cloud providers assistcustomers with their compliancerequirements?

What round-the-clock incidentresponse can cloud providersoffer? What about intrusionprotection? What about sepa-rating noise from relevantdata?

What kinds of physical segre-gation of virtual machines areavailable for customers?

Top questions to ask about cloud security

8/8/2019 ATC Cloud Security

12/16

12

A community of support oncloud securityIT leaders are not alone when it

comes to determining the appropriate

approach to secure cloud computing.

Accenture has deep experience and

combined decades of specialization in

addressing the complex challenges of

IT security and enterprise risk man-

agement. And cross-industry groups

are actively working to identify and

promote best practices.

In May 2009, two of the leading

cross-industry groups joined forces

to promote industry-leading practices

for secure collaboration in the cloud.

The Jericho Forum, an independent IT

security expert group, and the Cloud

Security Alliance (CSA), a not-for-

profit group of information security

and cloud computing security leaders,

share the goals of encouraging common

and secure cloud practices and helping

businesses understand the opportunity

posed by cloud computing.

Jericho Forum is an international IT

security thought-leadership associa-

tion dedicated to advancing secure

business in a global open-network

environment. Members include IT

security officers from Fortune500

multinationals as well as from entre-

preneurial companies, major security

vendors, government and academia. The

Forum has been working to develop

and demonstrate secure collaborative

architectures. Last year it published a

Collaboration Oriented Architecturesframework presenting a set of design

principles that will allow businesses to

protect themselves against the secu-

rity challenges posed by increased

collaboration and the business poten-

tial offered by Web 2.0. Its most

recent position paper describes a

cloud cube model in some detail.10

The mission of the CSA is not dissimilar:

It is to promote the use of best prac-

tices for providing security assurance

within cloud computing, and to pro-

vide education on the uses of cloud

computing to help secure all other

forms of computing.11 The CSA has

engaged specialists in crucial areas

such as governance, law, network

security, audit, application security,

storage, cryptography, virtualization

and risk management to provide author-

itative guidance on how to adopt cloud

computing solutions securely.

The CSA has recently published a

useful set of guidelines for business

and IT leaders.12 The guidelines empha-size the fundamentals of IT security:

While we do see cloud computing as

being a major change coming to every

business, as information security prac-

titioners, we recognize that there are

verities which must not change: good

governance, managing risks and com-

mon sense, says Dave Cullinane, chief

information security officer and vice

president at eBay, in the reports

foreword.

8/8/2019 ATC Cloud Security

13/16

13

At the same time, leading vendors

are going to some lengths to persuade

the IT community and business users

that they are not wide open to attack.

The majorsAmazon Web Services,

Microsoft, IBM, Salesforce.com and

Googlepoint out that they apply at

least the same level of rigor to defend-

ing their cloud offerings as they do

their own computing environments.

Indeed, some say that their IT security

execution levels are far higher than

those found at many of the companiesthat are questioning their security.

Arguably, the big cloud providers are

now setting the standards for IT security.

The Amazons and Googles have the

scale and the resources to be able

to invest in the most sophisticated

monitoring and data security tools

and processesand to hire and train

top IT security talent. Observers agree

that Microsoft is one of the most

attacked organizations, but that its

high levels of redundancy ensure robust

protection. Vendors also point out that

they adhere to well-known guidelines

at the data center levelguidelines that

look at logical and physical security

along with the processes and overall

organization and which conform to

standards such as AICPA SAS 70

Type II and ISO 27001 and 27002.

The CEO of one prominent cloud

services provider noted that while

most companies undergo quarterly

or biannual security audits by a fewauditing firms, his organization goes

through such scrutiny at least weekly

as current and potential customers

examine the companys IT security

systems. What weve learned is that

there is no finish line when it comes

to security, and things are getting

more intense than ever before, he

said. Providers like this also have well-

honed systems for reporting on their

security status.

Further, there are growing bodies of

knowledge about enterprise security

risk that map to COBIT guidelines; others

align with the draft risk-management

guidelines outlined in the ISO 31100

standards. A growing number of

industry-specific regulationsHIPAA

and Payment Card Industry mandates

among themare also coming to the

attention of CIOs and senior informa-

tion security managers.

8/8/2019 ATC Cloud Security

14/16

14

For IT leaders everywhere, it is not a

matter of whether cloud resources

will be used, but how and when. As

more and more senior executives

understand what it takes to become

a high-performance business, cloud

computing becomes one more tool

they can use. But the cloud must not

be treated as an unknown to be wary

of. Implemented and managed prop-

erly, it should not add risk; ideally, it

should reduce data security risks.

The fundamental question is one of

balanceweighing, as accurately and

in as much detail as possible, the risks

of a data security breach against the

power of the cloud to directly address

many of todays most pressing busi-

ness issuesand to help achieve high

performance.

Accenture contends that it is vital to

have dispassionate discussions with

cloud providers about the four key IT

security concerns. The sooner those

security questions are tackled, the

sooner the IT group can add signifi-

cantly more value for the business as

a whole.

8/8/2019 ATC Cloud Security

15/16

15

Sources1 Citigroup signs 30,000 seat deal

with Salesforce.com, Computer-

worldUK, November 16, 2007.

2 Early experiments in cloud com-

puting, InfoWorld, April 7, 2008.

3 Workday: The Next Software Power?

BusinessWeek, August 19, 2008.

4 Cloud Computing Survey: IT Leaders

See Big Promise, Have Big SecurityQuestions, CIO, October 21, 2008,

www.cio.com/article/455832/Cloud_

Computing_Survey_IT_Leaders_See_

Big_Promise_Have_Big_Security_

Questions.

5 Welcome to the Real-time Cloud,

presentation by Marc Benioff, chair-

man and CEO of Salesforce.com.

6 Cloud Computing Survey: IT Leaders

See Big Promise, Have Big Security

Questions, CIO, October 21, 2008,

www.cio.com/article/455832/Cloud_

Computing_Survey_IT_Leaders_See_

Big_Promise_Have_Big_Security_

Questions.

7 Ibid.

8 Microsoft exec: Internet still not

safe enough, CNET News, April 21,

2009, http://news.cnet.com/8301-13860_3-10224542-56.html?tag=

mncol;txt.

9 Data security services under a

cloud, Financial Times, August 3,

2009.

10 Cloud Cube Model: Selecting Cloud

Formations for Secure Collaboration,

Jericho Forum, April 2009, www.

opengroup.org/jericho/cloud_cube_

model_v1.0.pdf.

11 Industry Leaders Form Cloud Secu-

rity Alliance; Will Unveil Inaugural

Findings at RSA Conference 2009,

Cloud Security Alliance press release,

www.cloudsecurityalliance.org/

pr20090331.html.

12 Security Guidance for Critical Areas

of Focus in Cloud Computing, Cloud

Security Alliance, April 2009,

www.cloudsecurityalliance.org/

guidance/csaguide.pdf.

8/8/2019 ATC Cloud Security

16/16

B d Pl t

Copyright 2009 Accenture

All rights reserved.

Accenture, its logo, and

High Performance Delivered

are trademarks of Accenture.

For more information, please contact:

Alastair MacWillson

alastair.macwillson@accenture.com

+44 20 7844 6131

Joe Tobolski

joseph.f.tobolski@accenture.com

+1 312 693 6481

Walid Negm

walid.negm@accenture.com

+1 408 817 2778

About AccentureAccenture is a global management

consulting, technology services and

outsourcing company. Combining

unparalleled experience, comprehensive

capabilities across all industries and busi-

ness functions, and extensive research

on the world's most successful compa-

nies, Accenture collaborates with clients

to help them become high-performance

businesses and governments. With

approximately 177,000 people serving

clients in more than 120 countries, the

company generated net revenues of

US $21.58 billion for the fiscal year

ended August 31, 2009. Its home page

is www.accenture.com.

About AccentureTechnology LabsAccenture Technology Labs, the

dedicated technology research and

development (R&D) organization within

Accenture, has been turning technology

innovation into business results for more

than 20 years. The Labs create the

Accenture Technology Vision, a view of

how technology will shape the future

and invent the next wave of cutting-

edge business solutions. Working closely

with Accentures global network of

specialists, Accenture Technology Labs

helps clients innovate to achieve high

performance. The Labs are located in

Chicago, Illinois; San Jose, California;

Sophia Antipolis, France; and Bangalore,

India. For more information, please visitour website at www.accenture.com/

Global/Services/Accenture_Technology_

Labs.