8/8/2019 ATC Cloud Security
1/16
Having Confidence in Cloud Computing
Addressing Enterprise Security Concerns
Although there is growing recognition of cloud computing's benefits, and an ever stronger business case for achieving high performance by moving deeper into the cloud, progress is snagged on concerns about IT security. Enterprise IT leaders now must find the right balance between the risks and rewards of computing in the cloud. They can benefit by revisiting well-established IT security and enterprise risk management practices.
It is fair to say that cloud computing has arrived. Not long ago, Citigroup purchased 30,000 seats of Salesforce's customer-facing software-as-a-service (SaaS) applications for its financial advisors worldwide.[1] NASDAQ relies on Amazon Web Services S3 to store historical data on stocks and funds and uses a lightweight rich Internet application to generate new revenues.[2] And contract manufacturer Flextronics says it will use human capital management solutions from SaaS provider Workday to service its 200,000-plus employees around the globe.[3]

These days, IT professionals can very quickly help their organizations move toward high performance by using increasingly available compute cycles not only to run applications off-premise but also to test and develop software applications in the cloud. Today, platform providers such as Force.com and Amazon Web Services give developers access to real-time workflow, programmable user interfaces, real-time mobile deployment, and real-time analytics without the capital expenditures associated with maintaining data centers to enable these activities.

However, more than a few IT professionals, alarmed by news stories about Internet security breaches and facing a daunting array of complex regulations, are taking a go-slow approach to cloud computing. Even if they favor a faster move into the cloud, they know they face resistance from business executives who have legitimate concerns about how cloud computing could heighten the risks for the overall organization.

The trouble is, IT leaders' caution may be limiting their organizations' ability to significantly reduce IT operating costs. Of course, prudence is warranted with any move to relinquish or share control of key data assets, but fear and mistrust are not. Accenture believes it is incumbent on IT professionals to help lead the way here. They are best positioned to present the increasingly powerful business case for cloud computing and balance it with a dispassionate analysis of the real threats their organizations may be exposed to and how these will be mitigated, managed and measured over time.

In this paper, Accenture suggests ways in which IT managers, chief operating officers, chief information security officers and enterprise risk management professionals might plan to establish the most appropriate balance, applying a clear, straightforward and practical approach that is rooted in longstanding IT security principles.
Facing the key security concerns

Four major security concerns worry IT leaders. First, they struggle to trust relatively new and unfamiliar cloud providers as part of their extended enterprises. Can they be sure that these providers will treat their data as they do? Where exactly is their data being stored, and how, if it is fragmented among many data centers, is it re-integrated?

Second, IT professionals question whether cloud providers have the levels of infrastructure security to be able to ward off cyber-attacks.

Third, do providers have the mechanisms in place to be able to manage, measure and report on industry regulations? And can they be accountable if they fail to comply?

The last concern is about availability. IT managers are right to look for service-level guarantees. But in the case of the cloud, response times cannot be guaranteed since data travels through the Internet. (This challenge is even greater for the infrastructure cloud, since it supports the software code.) They also need reassurance about business continuity in the event of a problem. IT professionals have to be sure that their third-party providers have the right recovery strategies in place.

The fundamental response to these concerns is that good security practices are good everywhere. If a customer's cloud providers follow the same security procedures and policies that it does, adhering to the same regulations and following the same data privacy laws, then the customer's risk posture should be unchanged. If the providers fall short of those practices, then the customer's risks will have increased, which can result in fines or even legal action. But if, as is increasingly the case, the providers' security practices are more rigorous than the customer's, then the customer will not only have cut IT operating costs, but it will have reduced its overall IT security risks.
Tracking the cloud's rapid rise

Cloud computing adoption is increasing as more and more senior managers recognize its potential for achieving high performance; 30 percent of IT decision makers polled in late 2008 by CIO magazine said they were already using or implementing the cloud in some form, and another 17 percent were actively planning or researching.[4] Cloud services will make up a significant part of the increase in IT spending growth by 2012, according to research firm IDC. Interestingly, it is one of the very few technology sectors where industry analysts have revised their forecasts to account for stronger growth than originally anticipated.

The economics of the cloud are compelling for large enterprises as well as small- to mid-sized organizations. At Dell, for instance, the cloud is credited with providing the computer maker with a 10 percent lift in sales productivity and a unified global CRM approach.[5] In the case of one large UK-based insurer, going to the cloud for development and implementation of the firm's new corporate intranet produced 50 percent savings, reduced operational costs and deferred capital expenditure. The intranet initiative came online in half the time it would have taken for an on-premise solution.

A key selling point of the cloud is substantially reduced or no capital spending for a given application in favor of flexible on-demand computing that is accounted for as operating expenses. In one project under development, a US government agency was looking at how to manage predictable peak load demand for a nonsensitive application. The on-premise solution would have cost about $4 million for equipment, $1 million for the software licenses and $70,000 per year in energy costs. A comparable cloud solution cost $131,000 a year for round-the-clock service, with no additional power costs.

IT leaders are becoming familiar with different opportunities to use cloud computing, extending their horizon beyond the concepts of running or storing applications off-premise. (See Figure 1.) More and more companies are actively exploring cloud services as potential software test beds; some are looking to the cloud to help resolve peak-load challenges or to help support IT infrastructure needs. Accenture believes that it is unrealistic to expect that the cloud will become a proxy for enterprise IT operations in the foreseeable future, given the dependence of the typical large enterprise on quirky legacy systems. It will, though, become a permanent and increasingly important aspect of any CIO's IT landscape and toolkit.
Figure 1. Identifying cloud opportunities

[Chart: opportunity groups plotted against two axes, Ease of Implementation (Easy to Hard) and Value to the Enterprise (up to High Value). The groups and their items, as shown in the chart:]

Business Continuity (Storage): extensive storage; backup and recovery
Batch and Data Intensive Applications: one-off applications that do not rely on real-time response; data and high-performance intensive applications (financial risk modeling, simulation, data compression, graphics rendering...); new back-office applications
Legacy: specific existing infrastructure; complex legacy systems
Software Development and Testing: software development and testing environment; performance testing; nonproduction projects; R&D activities; reduced time to market
Desktop Productivity: Web 2.0 applications; workgroup applications; office suites; e-mail and calendaring
Sensitivity: mission critical applications; regulation-protected data (HIPAA, SOX, PCI...)
Peak Load Demands: new business activities; applications with peak-loads; seasonal websites; applications with scalability needs
The drivers of the cloud's uptake are plain to see. Consumption-based on-demand compute cycles are inherently low-cost. Capital expenditure is hardly an issue since cloud computing is, de facto, an exercise in outsourcing. On top of that, the cloud offers agility, achieving value more quickly, as well as unprecedented scalability. Each is a sweet spot for companies that prize rapid business change and speedy introductions of products and services. In fact, scalability on demand and flexibility for the business were the primary rationales for going to the cloud among the IT managers surveyed by CIO.[6]

Over the last decade, the core technologies have converged to make the cloud a reality: virtualization, grid computing, Web services, and massively parallel computation frameworks are maturing rapidly. In tandem, a cadre of capable, credible vendors has emerged, names such as Salesforce.com, Workday, Amazon Web Services, Google, ServerVault, Microsoft BPOS, Microsoft Azure, and AppNexus among them. In their wake has come a growing roster of cloud success stories. We see the layers of the cloud along the following lines.
Taking action tomorrow

So what actions make sense for IT leaders right now? Accenture's empirical IT security work over many years with a wide range of organizations shows that the following fundamentals apply to cloud computing initiatives:

Carry out a detailed cloud risk assessment
With the collaboration of the relevant business colleagues, IT leaders must weigh the criticality of applications and data and decide what is cloud appropriate. They must gauge what risks they are willing to take (for example, whether to move new product data or customer data to the cloud) in the context of the benefits of doing so and the regulations that apply to where the data must reside.

Get to know key cloud providers
As with any outsourcing arrangement, it is essential to carry out detailed due diligence on providers' performance, including their financial performance. Cloud computing providers vary in market position and approach; different vendors have different levels of IT security and data management. It is also necessary to help confirm that they meet key standards: for example, regulations, standards, guidelines and codes of practice such as ISO 27001. Also important: reviews of a provider's previous audits and compliance reports, looking for gaps in service compared to your on-premise solution.

Contracts should be clear
It is vital to put in writing the standards to which you require adherence.

Analyze the data flow
This calls for charting the lifecycle of the relevant data assets, from development to their destruction. IT managers must know where data is at all times so they can help confirm that it is being stored and shared in compliance with local laws and industry regulations at appropriate levels of IT security.

Build a cloud security strategy
Leveraging well-proven IT security principles, IT leaders must define the key security elements, knowing where encryption is needed, for example, and understanding which transport layers are important. Accenture's High Performance Business research initiative also underscores the need to understand how such a strategy relates to implementation of the technology as well as to its ongoing effectiveness.

Manage compliance
The regulatory complexities are enormous when doing business in multiple nations: some governments regulate the physical locations of the servers where organizations keep their data. Well-known mandates include the European Union's Data Privacy Directive, the U.S. Health Insurance Portability and Accountability Act (HIPAA) and the U.S. Sarbanes-Oxley Act. The financial services sector is the target of a host of emerging regulations, and many new rules are in development that will affect critical infrastructure. IT leaders cannot expect their cloud providers to be compliant for them. But they must expect them to provide what is needed to help achieve compliance.

Help strengthen continuity
What happens if something breaks while in the cloud? How is the data owner notified, and how quickly? How is the data recovered? These are the basics of best practices in business continuity, and they apply just as much to cloud computing as to any IT outsourcing arrangement. They must, of course, align with regulatory mandates, particularly in tightly regulated industries such as financial services.

Educate, communicate
It is the IT leader's responsibility to educate employees on IT security policies and procedures and to be very clear about how those policies and procedures relate to the cloud. For example, employees must adhere to corporate IT security policies when exploring cloud services for any work-related activities, such as testing a new IT service or storing data on the cloud.
Top questions to ask about cloud security

The conversation about cloud security and the associated policies are matters for discussion at the highest levels of the organization. There must be particular emphasis on the questions of data privacy and governance, on service-level agreements and on the ins and outs of contracting with cloud providers. Here is a sampling of the kinds of questions that should be on the table:

Who is accountable for the security of our data and to whom do they report? Who are the stewards of our data and how do they ensure that the data is tracked and secured appropriately?
Do we have a defined and explicit stance on the risks and rewards of cloud computing, one that has been or is being shared with all relevant IT staff and business users?
Might the provider lose our data, through misuse, or theft or fraud, for example? If so, what recovery plans do we have? And how are we protected contractually?
What are our obligations regarding data protection versus those of a cloud services provider?
Do we know how some of our intellectual property might become visible when reassembled in collaboration clouds?
What is our policy for which staff are authorized to deposit and store data with a cloud provider?
What do our e-discovery policies and processes look like and how do they compare to those of a cloud provider?
Do we know how a cloud service provider might change its terms of service?
What formal standards (international or regional or industry-based) are used in the development and operation of the cloud service?
What are we obligated to disclose to our customers regarding where and how their data is being stored?
How do we stay up-to-date with where our cloud providers' data centers are located, and with what local laws govern their activities and security protocols?
How do cloud providers assist customers with their compliance requirements?
What round-the-clock incident response can cloud providers offer? What about intrusion protection? What about separating noise from relevant data?
What kinds of physical segregation of virtual machines are available for customers?
A community of support on cloud security

IT leaders are not alone when it comes to determining the appropriate approach to secure cloud computing. Accenture has deep experience and combined decades of specialization in addressing the complex challenges of IT security and enterprise risk management. And cross-industry groups are actively working to identify and promote best practices.

In May 2009, two of the leading cross-industry groups joined forces to promote industry-leading practices for secure collaboration in the cloud. The Jericho Forum, an independent IT security expert group, and the Cloud Security Alliance (CSA), a not-for-profit group of information security and cloud computing security leaders, share the goals of encouraging common and secure cloud practices and helping businesses understand the opportunity posed by cloud computing.

Jericho Forum is an international IT security thought-leadership association dedicated to advancing secure business in a global open-network environment. Members include IT security officers from Fortune 500 multinationals as well as from entrepreneurial companies, major security vendors, government and academia. The Forum has been working to develop and demonstrate secure collaborative architectures. Last year it published a Collaboration Oriented Architectures framework presenting a set of design principles that will allow businesses to protect themselves against the security challenges posed by increased collaboration and the business potential offered by Web 2.0. Its most recent position paper describes a cloud cube model in some detail.[10]

The mission of the CSA is not dissimilar: it is "to promote the use of best practices for providing security assurance within cloud computing, and to provide education on the uses of cloud computing to help secure all other forms of computing."[11] The CSA has engaged specialists in crucial areas such as governance, law, network security, audit, application security, storage, cryptography, virtualization and risk management to provide authoritative guidance on how to adopt cloud computing solutions securely.

The CSA has recently published a useful set of guidelines for business and IT leaders.[12] The guidelines emphasize the fundamentals of IT security: "While we do see cloud computing as being a major change coming to every business, as information security practitioners, we recognize that there are verities which must not change: good governance, managing risks and common sense," says Dave Cullinane, chief information security officer and vice president at eBay, in the report's foreword.
At the same time, leading vendors are going to some lengths to persuade the IT community and business users that they are not wide open to attack. The majors (Amazon Web Services, Microsoft, IBM, Salesforce.com and Google) point out that they apply at least the same level of rigor to defending their cloud offerings as they do their own computing environments. Indeed, some say that their IT security execution levels are far higher than those found at many of the companies that are questioning their security.

Arguably, the big cloud providers are now setting the standards for IT security. The Amazons and Googles have the scale and the resources to be able to invest in the most sophisticated monitoring and data security tools and processes, and to hire and train top IT security talent. Observers agree that Microsoft is one of the most attacked organizations, but that its high levels of redundancy ensure robust protection. Vendors also point out that they adhere to well-known guidelines at the data center level, guidelines that look at logical and physical security along with the processes and overall organization and which conform to standards such as AICPA SAS 70 Type II and ISO 27001 and 27002.

The CEO of one prominent cloud services provider noted that while most companies undergo quarterly or biannual security audits by a few auditing firms, his organization goes through such scrutiny at least weekly as current and potential customers examine the company's IT security systems. "What we've learned is that there is no finish line when it comes to security, and things are getting more intense than ever before," he said. Providers like this also have well-honed systems for reporting on their security status.

Further, there are growing bodies of knowledge about enterprise security risk that map to COBIT guidelines; others align with the draft risk-management guidelines outlined in the ISO 31100 standards. A growing number of industry-specific regulations, HIPAA and Payment Card Industry mandates among them, are also coming to the attention of CIOs and senior information security managers.
For IT leaders everywhere, it is not a matter of whether cloud resources will be used, but how and when. As more and more senior executives understand what it takes to become a high-performance business, cloud computing becomes one more tool they can use. But the cloud must not be treated as an unknown to be wary of. Implemented and managed properly, it should not add risk; ideally, it should reduce data security risks.

The fundamental question is one of balance: weighing, as accurately and in as much detail as possible, the risks of a data security breach against the power of the cloud to directly address many of today's most pressing business issues, and to help achieve high performance.

Accenture contends that it is vital to have dispassionate discussions with cloud providers about the four key IT security concerns. The sooner those security questions are tackled, the sooner the IT group can add significantly more value for the business as a whole.
Sources

1. "Citigroup signs 30,000 seat deal with Salesforce.com," ComputerworldUK, November 16, 2007.
2. "Early experiments in cloud computing," InfoWorld, April 7, 2008.
3. "Workday: The Next Software Power?" BusinessWeek, August 19, 2008.
4. "Cloud Computing Survey: IT Leaders See Big Promise, Have Big Security Questions," CIO, October 21, 2008, www.cio.com/article/455832/Cloud_Computing_Survey_IT_Leaders_See_Big_Promise_Have_Big_Security_Questions.
5. "Welcome to the Real-time Cloud," presentation by Marc Benioff, chairman and CEO of Salesforce.com.
6. "Cloud Computing Survey: IT Leaders See Big Promise, Have Big Security Questions," CIO, October 21, 2008, www.cio.com/article/455832/Cloud_Computing_Survey_IT_Leaders_See_Big_Promise_Have_Big_Security_Questions.
7. Ibid.
8. "Microsoft exec: Internet still not safe enough," CNET News, April 21, 2009, http://news.cnet.com/8301-13860_3-10224542-56.html?tag=mncol;txt.
9. "Data security services under a cloud," Financial Times, August 3, 2009.
10. "Cloud Cube Model: Selecting Cloud Formations for Secure Collaboration," Jericho Forum, April 2009, www.opengroup.org/jericho/cloud_cube_model_v1.0.pdf.
11. "Industry Leaders Form Cloud Security Alliance; Will Unveil Inaugural Findings at RSA Conference 2009," Cloud Security Alliance press release, www.cloudsecurityalliance.org/pr20090331.html.
12. "Security Guidance for Critical Areas of Focus in Cloud Computing," Cloud Security Alliance, April 2009, www.cloudsecurityalliance.org/guidance/csaguide.pdf.
Copyright 2009 Accenture. All rights reserved.
Accenture, its logo, and High Performance Delivered are trademarks of Accenture.
For more information, please contact:
Alastair MacWillson
+44 20 7844 6131
Joe Tobolski
+1 312 693 6481
Walid Negm
+1 408 817 2778
About Accenture

Accenture is a global management consulting, technology services and outsourcing company. Combining unparalleled experience, comprehensive capabilities across all industries and business functions, and extensive research on the world's most successful companies, Accenture collaborates with clients to help them become high-performance businesses and governments. With approximately 177,000 people serving clients in more than 120 countries, the company generated net revenues of US $21.58 billion for the fiscal year ended August 31, 2009. Its home page is www.accenture.com.

About Accenture Technology Labs

Accenture Technology Labs, the dedicated technology research and development (R&D) organization within Accenture, has been turning technology innovation into business results for more than 20 years. The Labs create the Accenture Technology Vision, a view of how technology will shape the future, and invent the next wave of cutting-edge business solutions. Working closely with Accenture's global network of specialists, Accenture Technology Labs helps clients innovate to achieve high performance. The Labs are located in Chicago, Illinois; San Jose, California; Sophia Antipolis, France; and Bangalore, India. For more information, please visit our website at www.accenture.com/Global/Services/Accenture_Technology_Labs.