ATC Cloud Security
  • 8/8/2019 ATC Cloud Security


Having Confidence in Cloud Computing: Addressing Enterprise Security Concerns


Although there is growing recognition of cloud computing's benefits, and an ever stronger business case for achieving high performance by moving deeper into the cloud, progress is snagged on concerns about IT security. Enterprise IT leaders now must find the right balance between the risks and rewards of computing in the cloud. They can benefit by revisiting well-established IT security and enterprise risk management practices.


It is fair to say that cloud computing has arrived. Not long ago, Citigroup purchased 30,000 seats of Salesforce's customer-facing software-as-a-service (SaaS) applications for its financial advisors worldwide.[1] NASDAQ relies on Amazon Web Services S3 to store historical data on stocks and funds and uses a lightweight rich Internet application to generate new revenues.[2] And contract manufacturer Flextronics says it will use human capital management solutions from SaaS provider Workday to service its 200,000-plus employees around the globe.[3]

These days, IT professionals can very quickly help their organizations move toward high performance by using increasingly available compute cycles not only to run applications off-premise but also to test and develop software applications in the cloud. Today, platform providers such as Force.com and Amazon Web Services give developers access to real-time workflow, programmable user interfaces, real-time mobile deployment, and real-time analytics without the capital expenditures associated with maintaining data centers to enable these activities.

However, more than a few IT professionals, alarmed by news stories about Internet security breaches and facing a daunting array of complex regulations, are taking a go-slow approach to cloud computing. Even if they favor a faster move into the cloud, they know they face resistance from business executives who have legitimate concerns about how cloud computing could heighten the risks for the overall organization.

The trouble is, IT leaders' caution may be limiting their organizations' ability to significantly reduce IT operating costs. Of course, prudence is warranted with any move to relinquish or share control of key data assets, but fear and mistrust are not. Accenture believes it is incumbent on IT professionals to help lead the way here. They are best positioned to present the increasingly powerful business case for cloud computing and balance it with a dispassionate analysis of the real threats their organizations may be exposed to and how these will be mitigated, managed and measured over time.

In this paper, Accenture suggests ways in which IT managers, chief operating officers, chief information security officers and enterprise risk management professionals might plan to establish the most appropriate balance, applying a clear, straightforward and practical approach that is rooted in longstanding IT security principles.


Facing the key security concerns

Four major security concerns worry IT leaders. First, they struggle to trust relatively new and unfamiliar cloud providers as part of their extended enterprises. Can they be sure that these providers will treat their data as they do? Where exactly is their data being stored, and how, if it is fragmented among many data centers, is it re-integrated?

Second, IT professionals question whether cloud providers have the levels of infrastructure security needed to ward off cyber-attacks.

Third, do providers have the mechanisms in place to manage, measure and report against industry regulations? And can they be held accountable if they fail to comply?

The last concern is about availability. IT managers are right to look for service-level guarantees. But in the case of the cloud, response times cannot be guaranteed end to end, since data travels across the public Internet, which no provider controls. (This challenge is even greater for the infrastructure cloud, since the customer's own application code runs on it and inherits its latency.) They also need reassurance about business continuity in the event of a problem. IT professionals have to be sure that their third-party providers have the right recovery strategies in place.

The fundamental response to these concerns is that good security practices are good everywhere. If a customer's cloud providers follow the same security procedures and policies that it does, adhering to the same regulations and following the same data privacy laws, then, for the controls the provider operates, the customer's risk posture should be unchanged; the controls that remain with the customer, such as identity management, configuration of the service and classification of what is sent to it, still have to be run as well as before. If the providers fall short of those practices, then the customer's risks will have increased, which can result in fines or even legal action. But if, as is increasingly the case, the provider's security practices are more rigorous than the customer's, then the customer will not only have cut IT operating costs, but it will have reduced its overall IT security risks.


Tracking the cloud's rapid rise

Cloud computing adoption is increasing as more and more senior managers recognize its potential for achieving high performance; 30 percent of IT decision makers polled in late 2008 by CIO magazine said they were already using or implementing the cloud in some form, and another 17 percent were actively planning or researching.[4] Cloud services will make up a significant part of the increase in IT spending growth by 2012, according to research firm IDC. Interestingly, it is one of the very few technology sectors where industry analysts have revised their forecasts to account for stronger growth than originally anticipated.

The economics of the cloud are compelling for large enterprises as well as small- to mid-sized organizations. At Dell, for instance, the cloud is credited with providing the computer maker with a 10 percent lift in sales productivity and a unified global CRM approach.[5] In the case of one large UK-based insurer, going to the cloud for development and implementation of the firm's new corporate intranet produced 50 percent savings, reduced operational costs and deferred capital expenditure. The intranet initiative came online in half the time it would have taken for an on-premise solution.

A key selling point of the cloud is substantially reduced or no capital spending for a given application in favor of flexible on-demand computing that is accounted for as operating expenses. In one project under development, a US government agency was looking at how to manage predictable peak load demand for a nonsensitive application. The on-premise solution would have cost about $4 million for equipment, $1 million for the software licenses and $70,000 per year in energy costs. A comparable cloud solution cost $131,000 a year for round-the-clock service, with no additional power costs.

IT leaders are becoming familiar with different opportunities to use cloud computing, extending their horizon beyond the concepts of running or storing applications off-premise. (See Figure 1.) More and more companies are actively exploring cloud services as potential software test beds; some are looking to the cloud to help resolve peak-load challenges or to help support IT infrastructure needs. Accenture believes that it is unrealistic to expect that the cloud will become a proxy for enterprise IT operations in the foreseeable future, given the dependence of the typical large enterprise on quirky legacy systems. It will, though, become a permanent and increasingly important aspect of any CIO's IT landscape and toolkit.

Figure 1. Identifying cloud opportunities

The figure plots groups of cloud opportunities on two axes: ease of implementation (easy to hard) and value to the enterprise (up to high value). The groups and their members:

Business Continuity (Storage): extensive storage; backup and recovery.

Batch and Data Intensive Applications: one-off applications that do not rely on real-time response; data- and high-performance-intensive applications (financial risk modeling, simulation, data compression, graphics rendering...); new back-office applications.

Legacy: specific existing infrastructure; complex legacy systems.

Software Development and Testing: software development and testing environment; performance testing; nonproduction projects; R&D activities; reduced time to market.

Desktop Productivity: Web 2.0 applications; workgroup applications; office suites; e-mail and calendaring.

Sensitivity: mission critical applications; regulation-protected data (HIPAA, SOX, PCI...).

Peak Load Demands: new business activities; applications with peak loads; seasonal websites; applications with scalability needs.


The drivers of the cloud's uptake are plain to see. Consumption-based on-demand compute cycles are inherently low-cost. Capital expenditure is hardly an issue since cloud computing is, de facto, an exercise in outsourcing. On top of that, the cloud offers agility, achieving value more quickly, as well as unprecedented scalability. Each is a sweet spot for companies that prize rapid business change and speedy introductions of products and services. In fact, scalability on demand and flexibility for the business were the primary rationales for going to the cloud among the IT managers surveyed by CIO.[6]

Over the last decade, the core technologies have converged to make the cloud a reality: virtualization, grid computing, Web services, and massively parallel computation frameworks are maturing rapidly. In tandem, a cadre of capable, credible vendors has emerged, names such as Salesforce.com, Workday, Amazon Web Services, Google, ServerVault, Microsoft BPOS, Microsoft Azure, and AppNexus among them. In their wake has come a growing roster of cloud success stories. We see the layers of the cloud along the following lines.


Taking action tomorrow

So what actions make sense for IT leaders right now? Accenture's empirical IT security work over many years with a wide range of organizations shows that the following fundamentals apply to cloud computing initiatives:

Carry out a detailed cloud risk assessment

With the collaboration of the relevant business colleagues, IT leaders must weigh the criticality of applications and data and decide what is cloud appropriate. They must gauge what risks they are willing to take, for example, whether to move new product data or customer data to the cloud, in the context of the benefits of doing so and the regulations that apply to where the data must reside.

Get to know key cloud providers

As with any outsourcing arrangement, it is essential to carry out detailed due diligence on providers' performance, including their financial performance. Cloud computing providers vary in market position and approach; different vendors have different levels of IT security and data management. It is also necessary to confirm that they meet the regulations, standards, guidelines and codes of practice that apply to you, such as ISO 27001; where a provider holds a certification, check that its stated scope actually covers the services and data centers you will use. Also important: reviews of a provider's previous audits and compliance reports, looking for gaps in service compared to your on-premise solution.

Contracts should be clear

It is vital to put in writing the standards to which you require adherence.

Analyze the data flow

This calls for charting the lifecycle of the relevant data assets, from creation to their destruction. IT managers must know where data is at all times so they can confirm that it is being stored and shared in compliance with local laws and industry regulations at appropriate levels of IT security.

Build a cloud security strategy

Leveraging well-proven IT security principles, IT leaders must define the key security elements, knowing where encryption is needed, for example, and understanding which transport layers are important. Accenture's High Performance Business research initiative also underscores the need to understand how such a strategy relates to implementation of the technology as well as to its ongoing effectiveness.

Manage compliance

The regulatory complexities are enormous when doing business in multiple nations: some governments regulate the physical locations of the servers where organizations keep their data. Well-known mandates include the European Union's Data Protection Directive (95/46/EC), the U.S. Health Insurance Portability and Accountability Act (HIPAA) and the U.S. Sarbanes-Oxley Act. The financial services sector is the target of a host of emerging regulations, and many new rules are in development that will affect critical infrastructure. IT leaders cannot expect their cloud providers to be compliant for them. But they must expect them to provide what is needed to help achieve compliance.

Help strengthen continuity

What happens if something breaks while in the cloud? How is the data owner notified, and how quickly? How is the data recovered? These are the basics of best practices in business continuity, and they apply just as much to cloud computing as to any IT outsourcing arrangement. They must, of course, align with regulatory mandates, particularly in tightly regulated industries such as financial services.

Educate, communicate

It is the IT leader's responsibility to educate employees on IT security policies and procedures and to be very clear about how those policies and procedures relate to the cloud. For example, employees must adhere to corporate IT security policies when exploring cloud services for any work-related activities, such as testing a new IT service or storing data on the cloud.


Top questions to ask about cloud security

The conversation about cloud security and the associated policies are matters for discussion at the highest levels of the organization. There must be particular emphasis on the questions of data privacy and governance, on service-level agreements and on the ins and outs of contracting with cloud providers. Here is a sampling of the kinds of questions that should be on the table:

Who is accountable for the security of our data and to whom do they report? Who are the stewards of our data and how do they ensure that the data is tracked and secured appropriately?

Do we have a defined and explicit stance on the risks and rewards of cloud computing, one that has been or is being shared with all relevant IT staff and business users?

Might the provider lose our data, through misuse, theft or fraud, for example? If so, what recovery plans do we have? And how are we protected contractually?

What are our obligations regarding data protection versus those of a cloud services provider?

Do we know how some of our intellectual property might become visible when reassembled in collaboration clouds?

What is our policy for which staff are authorized to deposit and store data with a cloud provider?

What do our e-discovery policies and processes look like and how do they compare to those of a cloud provider?

Do we know how a cloud service provider might change its terms of service?

What formal standards, international, regional or industry-based, are used in the development and operation of the cloud service?

What are we obligated to disclose to our customers regarding where and how their data is being stored?

How do we stay up-to-date with where our cloud provider's data centers are located, and with what local laws govern their activities and security protocols?

How do cloud providers assist customers with their compliance requirements?

What round-the-clock incident response can cloud providers offer? What about intrusion protection? What about separating noise from relevant data?

What kinds of physical segregation of virtual machines are available for customers?


A community of support on cloud security

IT leaders are not alone when it comes to determining the appropriate approach to secure cloud computing. Accenture has deep experience and combined decades of specialization in addressing the complex challenges of IT security and enterprise risk management. And cross-industry groups are actively working to identify and promote best practices.

In May 2009, two of the leading cross-industry groups joined forces to promote industry-leading practices for secure collaboration in the cloud. The Jericho Forum, an independent IT security expert group, and the Cloud Security Alliance (CSA), a not-for-profit group of information security and cloud computing security leaders, share the goals of encouraging common and secure cloud practices and helping businesses understand the opportunity posed by cloud computing.

Jericho Forum is an international IT security thought-leadership association dedicated to advancing secure business in a global open-network environment. Members include IT security officers from Fortune 500 multinationals as well as from entrepreneurial companies, major security vendors, government and academia. The Forum has been working to develop and demonstrate secure collaborative architectures. Last year it published a Collaboration Oriented Architectures framework presenting a set of design principles that will allow businesses to protect themselves against the security challenges posed by increased collaboration and the business potential offered by Web 2.0. Its most recent position paper describes a cloud cube model in some detail.[10]

The mission of the CSA is not dissimilar: It is to promote the use of best practices for providing security assurance within cloud computing, and to provide education on the uses of cloud computing to help secure all other forms of computing.[11] The CSA has engaged specialists in crucial areas such as governance, law, network security, audit, application security, storage, cryptography, virtualization and risk management to provide authoritative guidance on how to adopt cloud computing solutions securely.

The CSA has recently published a useful set of guidelines for business and IT leaders.[12] The guidelines emphasize the fundamentals of IT security: "While we do see cloud computing as being a major change coming to every business, as information security practitioners, we recognize that there are verities which must not change: good governance, managing risks and common sense," says Dave Cullinane, chief information security officer and vice president at eBay, in the report's foreword.


At the same time, leading vendors are going to some lengths to persuade the IT community and business users that they are not wide open to attack. The majors, Amazon Web Services, Microsoft, IBM, Salesforce.com and Google, point out that they apply at least the same level of rigor to defending their cloud offerings as they do their own computing environments. Indeed, some say that their IT security execution levels are far higher than those found at many of the companies that are questioning their security.

Arguably, the big cloud providers are now setting the standards for IT security. The Amazons and Googles have the scale and the resources to be able to invest in the most sophisticated monitoring and data security tools and processes, and to hire and train top IT security talent. Observers agree that Microsoft is one of the most attacked organizations, but that its high levels of redundancy keep its services available under attack. Vendors also point out that they adhere to well-known guidelines at the data center level, guidelines that look at logical and physical security along with the processes and overall organization and which conform to standards such as AICPA SAS 70 Type II and ISO 27001 and 27002. Two caveats apply when reading such claims: a SAS 70 Type II report attests only that the controls the provider itself chose to describe operated as described over the audit period, so the control objectives have to be read rather than the report's existence taken as assurance; and ISO 27002 is a code of practice, not a certifiable standard, so "conforms to ISO 27002" is a self-description rather than an audit result.

The CEO of one prominent cloud services provider noted that while most companies undergo quarterly or biannual security audits by a few auditing firms, his organization goes through such scrutiny at least weekly as current and potential customers examine the company's IT security systems. "What we've learned is that there is no finish line when it comes to security, and things are getting more intense than ever before," he said. Providers like this also have well-honed systems for reporting on their security status.

Further, there are growing bodies of knowledge about enterprise security risk that map to COBIT guidelines; others align with the risk-management guidelines of the ISO 31000 standard, then still in draft. A growing number of industry-specific regulations, HIPAA and Payment Card Industry mandates among them, are also coming to the attention of CIOs and senior information security managers.


For IT leaders everywhere, it is not a matter of whether cloud resources will be used, but how and when. As more and more senior executives understand what it takes to become a high-performance business, cloud computing becomes one more tool they can use. But the cloud must not be treated as an unknown to be wary of. Implemented and managed properly, it should not add risk; ideally, it should reduce data security risks.

The fundamental question is one of balance: weighing, as accurately and in as much detail as possible, the risks of a data security breach against the power of the cloud to directly address many of today's most pressing business issues, and to help achieve high performance.

Accenture contends that it is vital to have dispassionate discussions with cloud providers about the four key IT security concerns. The sooner those security questions are tackled, the sooner the IT group can add significantly more value for the business as a whole.


Sources

1. "Citigroup signs 30,000 seat deal with Salesforce.com," ComputerworldUK, November 16, 2007.
2. "Early experiments in cloud computing," InfoWorld, April 7, 2008.
3. "Workday: The Next Software Power?" BusinessWeek, August 19, 2008.
4. "Cloud Computing Survey: IT Leaders See Big Promise, Have Big Security Questions," CIO, October 21, 2008, www.cio.com/article/455832/Cloud_Computing_Survey_IT_Leaders_See_Big_Promise_Have_Big_Security_Questions.
5. "Welcome to the Real-time Cloud," presentation by Marc Benioff, chairman and CEO of Salesforce.com.
6. "Cloud Computing Survey: IT Leaders See Big Promise, Have Big Security Questions," CIO, October 21, 2008, www.cio.com/article/455832/Cloud_Computing_Survey_IT_Leaders_See_Big_Promise_Have_Big_Security_Questions.
7. Ibid.
8. "Microsoft exec: Internet still not safe enough," CNET News, April 21, 2009, http://news.cnet.com/8301-13860_3-10224542-56.html?tag=mncol;txt.
9. "Data security services under a cloud," Financial Times, August 3, 2009.
10. "Cloud Cube Model: Selecting Cloud Formations for Secure Collaboration," Jericho Forum, April 2009, www.opengroup.org/jericho/cloud_cube_model_v1.0.pdf.
11. "Industry Leaders Form Cloud Security Alliance; Will Unveil Inaugural Findings at RSA Conference 2009," Cloud Security Alliance press release, www.cloudsecurityalliance.org/pr20090331.html.
12. "Security Guidance for Critical Areas of Focus in Cloud Computing," Cloud Security Alliance, April 2009, www.cloudsecurityalliance.org/guidance/csaguide.pdf.


Copyright 2009 Accenture. All rights reserved. Accenture, its logo, and High Performance Delivered are trademarks of Accenture.

For more information, please contact:

Alastair MacWillson, [email protected], +44 20 7844 6131
Joe Tobolski, [email protected], +1 312 693 6481
Walid Negm, [email protected], +1 408 817 2778

About Accenture

Accenture is a global management consulting, technology services and outsourcing company. Combining unparalleled experience, comprehensive capabilities across all industries and business functions, and extensive research on the world's most successful companies, Accenture collaborates with clients to help them become high-performance businesses and governments. With approximately 177,000 people serving clients in more than 120 countries, the company generated net revenues of US $21.58 billion for the fiscal year ended August 31, 2009. Its home page is www.accenture.com.

About Accenture Technology Labs

Accenture Technology Labs, the dedicated technology research and development (R&D) organization within Accenture, has been turning technology innovation into business results for more than 20 years. The Labs create the Accenture Technology Vision, a view of how technology will shape the future, and invent the next wave of cutting-edge business solutions. Working closely with Accenture's global network of specialists, Accenture Technology Labs helps clients innovate to achieve high performance. The Labs are located in Chicago, Illinois; San Jose, California; Sophia Antipolis, France; and Bangalore, India. For more information, please visit our website at www.accenture.com/Global/Services/Accenture_Technology_Labs.

