Security and the Cloud: The Great Reconciliation
May 14, 2012 5:00 AM PT
It now falls to CIOs not only to rapidly adapt to cloud computing, but also to find the ways to protect their employees and customers as they adopt cloud models, even as security threats grow.
This is a serious -- but not insurmountable -- challenge.
Cloud computing has clearly sparked the imagination of business leaders, who see it as a powerful new way to be innovative and gain first-mover advantages, with or without traditional IT's consent.
This simply now means that the center of gravity for IT services is shifting toward the enterprise's boundaries -- moving increasingly outside their firewalls. And so how can companies have it both ways: Exploit cloud's promise but also provide enough security to make the risks acceptable? How can organizations retain rigor and control while pursuing cloud benefits?
In a special BriefingsDirect sponsored HP Expert Chat discussion on how to define and obtain improved security, I recently moderated an in-depth session with Tari Schreider, HP chief architect of HP Technology Consulting and IT Assurance Practice. Tari is a distinguished technologist with 30 years of IT and cybersecurity experience, and he has designed, built and managed some of the world's largest information protection programs.
In our discussion, you'll see the latest recommendations for how to enable and protect the many cloud models being considered by companies the world over.
As part of our chat, we're also joined by three other HP experts: Lois Boliek, worldwide manager in the HP IT Assurance Program; Jan De Clercq, worldwide IT solution architect in the HP IT Assurance Program; and Luis Buezo, HP IT assurance program lead for EMEA.
If you understand the security risk, gain a detailed understanding of your own infrastructure, and follow proven reference architectures and methods, security can move from an inhibitor of cloud adoption to an enabler.
Listen to the podcast (50:06 minutes).
Here are some excerpts from our discussion on how to make the move:
Tari Schreider: It's always a pleasure to be able to chat about some of the technology issues of the day, and certainly cloud computing protection is the topic that's top of mind for many of our customers.
I want to begin talking about the four immutable laws of cloud security. For those of you who have been involved in information security over time, you understand that there is a certain level of immutability that is incumbent within security. These are things that will always be, things that will never change, and it is a state of being.
When we started working on building clouds at HP a few years ago, we were also required to apply data protection and security controls around those platforms we built. We understood that the same immutable laws that apply to security, business continuity, and disaster recovery extended into the cloud world.
First is an understanding that if your data is hosted in the cloud, you no longer directly control its privacy and protection. You're going to have to give up a bit of control, in order to achieve the agility, performance and cost savings that a cloud ecosystem provides you.
The next immutable law is that when your data is burst into the cloud, you no longer directly control where the data resides or is processed.
One of the benefits of cloud-based computing is that you don't have to have all of the resources at any one particular time. In order to control your costs, you want to have an infrastructure that supports you for daily business operations, but there are ebbs and flows to that. This is the whole purpose of cloud bursting. For those of you who are familiar with grid-based computing, the models are principally the same.
Rather than your data being in one or maybe a secondary location, it could actually be in 5, 10, or maybe 30 different locations, because of bursting, and also be under the jurisdiction of many different rules and regulations, something that we're going to talk about in just a little bit.
The next immutable law is that if your security controls are not contractually committed to, then you may not have any legal standing in terms of the control over your data or your assets. You may feel that you have the most comprehensive security policy that is rigorously reviewed by your legal department, but if that is not ensconced in the terminology of the agreement with a service provider, then you don't have the standing that you may have thought you had.
The last immutable law is that if you don't extend your current security policies and controls in the cloud computing platform, you're more than likely going to be compromised.
You want to resist trying to create two entirely separate, disparate security programs and policy manuals. Cloud-based computing is an attribute on the Internet. Your data and your assets are the same. It's where they reside and how they're being accessed where there is a big change. We strongly recommend that you build that into your existing information security program.
Dana Gardner: Tari, these are clearly some significant building blocks in moving towards cloud activities, but as we think about that, what are the top security threats from your perspective? What should we be most concerned about?
Schreider: Dana, we have the opportunity to work with many of our customers who, from time to time, experience breaches of security. As you might imagine, HP, a very large organization, has literally hundreds of thousands of customers around the world. This provides us with a unique vantage point to be able to study the morphology of cloud computing platform, security, outages, and security events.
One of the things that we also do is take the pulse of our customer base. We want to know what's keeping them up at night. What are the things that they're most concerned with? Generally, we find that there is a gap between what actually happens and what people believe could happen.
I want to share with you something that we feel is particularly poignant, because it is a direct interlock between what we're seeing actually happening in the industry and also what keeps our clients up late at night.
First and foremost, there's the ensured continuity of the cloud-computing platform. The reason to move to cloud is for making data and assets available anywhere, anytime, and also being able to have people from around the world accept that data and be able to solve business needs.
If the cloud computing platform is not continuously available, then the business justification as to why you went there in the first place is significantly mooted.
Next is the loss of span of governance, risk management, and compliance (GRC) control. In today's environment, we can build an imperfect program and we can have a GRC management program with dominion over our assets and our information within our own environment.
Unfortunately, when we start extending this out into a cloud ecosystem, whether private, public, or hybrid, we don't necessarily have the same span of control that we have had before. This requires some delicate orchestration between multiple parties to ensure that you have the right governance controls in place.
The next is data privacy. Much has been written on data privacy and protection across the cloud ecosystem. Today, you may have a data privacy program that's designed to address the security and privacy laws of your specific country or your particular state that you might reside in.
However, when you're moving into a cloud environment, that data can now be moved or burst anywhere in the world, which means that you could be violating data-privacy laws in another country unwittingly. This is something that clients want to make sure that they address, so it does not come back in terms of fines or regulatory penalties.
Mobility access is the key to the enablement of the power of the cloud. It could be a bring-your-own-device (BYOD) scenario, or it could be devices that are corporately managed. Basically you want to provide the data and put it in the hands of the people.
Whether they're out on an oil platform and they need access to data, or whether it's the sales force that need access to Salesforce.com data on BlackBerrys, the fact remains that the data in the cloud has to land on those mobile devices, and security is an integral part.
You may be the owner of the data, but there are many custodians of the data in a cloud ecosystem. You have to make sure that you have an incident-response plan that recognizes the roles and responsibilities between owner and custodian. ...
Gardner: There's a question here about key challenges regarding data lifecycle specifically. How do you view that? What are some of the issues about secure data, even across the data lifecycle?
Luis Buezo: Based on CSA recommendations, we're not only talking about data security related to confidentiality, integrity, and availability, but there are other key challenges in the cloud like location of the data to guarantee that the geographical locations are permitted by regulations.
There's data permanence, in order to guarantee that data is effectively removed, for example, when moving from one CSP to a new one, or data backup and recovery schemes. Don't assume that cloud-based data is backed up by default.
There are also data discovery capabilities to ensure that all data requested by authorities can be retrieved.
Another example is data aggregation on inference issues. This will be implemented to prevent revealing protected information. So there are many issues with having data lifecycle management.
Gardner: Our next question is about being cloud ready for dealing with confidential company data, how do you come down on that?
Jan De Clercq: HP's vision on that is that we think that many cloud service today are not always ready for letting organizations store their confidential or important data. That's why we recommend to organizations, before they consider moving data into the cloud, to always do a very good risk assessment.
They should make sure that they clearly understand the value of their data, but also understand the risks that can occur to that data in the cloud provider's environment. Then, based on those three things, they can determine whether they should move their data into the cloud.
We also recommend that consumers get clear insights from the CSP on exactly where their organization's data is stored and processed, and where travels inside the network environment of the job provider.
As a consumer you need to get a complete view on what's done with your data and how the CSP is protecting them. ...
Gardner: Lois, how can HP help clients get started, as they determine how and when to implement cloud?
Lois Boliek: We offer a full lifecycle of cloud-related services and we can help clients get started on their transition to the cloud, no matter where they are in that process.
We have the Cloud Discovery Workshop. That's where we can help customers in a very interactive work session on all aspects of considerations of the cloud, and it will result in a high-level strategy and a roadmap for helping to move forward.
We also offer the Hybrid Delivery Strategy Services. That's where we drill down into all the necessary components that you need to gain business and IT alignment, and it also results in a well-defined cloud service delivery model.
We also have some fast-start services. One of those is the CloudStart service, where we come in with a pre-integrated architecture to help speed up the deployment of the production-ready private cloud, and we can do that in less than 30 days.
We also offer a Cloud System Enablement service, and in this we can help fast track setting up the initial cloud service catalog development, metering and reporting.