The Cloud provides an alternative way of procuring IT services that offers many benefits, including increased flexibility as well as reduced cost. It extends the spectrum of IT service delivery models beyond managed and hosted services to a form that is packaged and sold. However, in a recent survey by global IT association ISACA, 30% of the 3,700 respondents said cloud computing is one of the top issues expected to impact their enterprise’s security in the next 12 months. Clearly, a good understanding of cloud is critical, as is effective governance over the cloud.
The Cloud is not one thing. It covers a wide spectrum of types of service and delivery models ranging from in-house virtual servers to software accessed by multiple organizations over the Internet. For example, an organization can run the IT services in-house; this is the most flexible but usually the most expensive arrangement. It can contract the running of the services through a managed service or hosting agreement; this is less flexible but may be cheaper. Infrastructure as a service provides packaged hosting service, which requires no capital expenditure. A similar spectrum applies to business applications; an organization can develop its own applications, these can be designed to the organization’s exact requirements, but it is very expensive. It can use commercial applications, which are tailored to the organization’s needs; this is usually cheaper, but still involves the management and running costs. Software as a Service provides access to a packaged application that is managed and run by the service provider and can be bought on a charge per use basis.
It is important to understand the varieties of Cloud services and deployment models to choose the one most suitable for your needs. For definitions of various cloud types, view a free guide from ISACA.
Choose the Right Type of Cloud Service
Infrastructure as a Service (IaaS) provides basic computing resources that the customer can use to run software, both operating systems and applications, and to store data. IaaS allows the customer to transfer an existing workload to the Cloud with minimal if any change needed. The customer does not manage or control the underlying Cloud infrastructure but remains responsible for managing the OS and applications. IaaS removes the need to buy, house and maintain the physical servers and can provide the ability for an organisation to respond quickly to changing demand.
Platform as a Service (PaaS) provides and environment upon which the customer can use to build and deploy Cloud applications. These applications may be for use by the customer or offered as a service to others. Building applications using PaaS means that they are inherently Cloud enabled and the PaaS provider also provides the service upon which these applications run. The benefits include no need for capital hardware investment and rapid deployment. The major downside is “lock-in;” most PaaS platforms are based on proprietary programming interfaces (APIs), so it can be very difficult to change provider at a later date.
Software as a Service (SaaS) provides an application and data that can be accessed via a network (usually the Internet) using a variety of client devices such as web browsers, and mobile ‘phones. The major benefit of SaaS is the immediate availability of a working solution for a specific business problem with no need for up-front investment. This is particularly valuable for areas such as mature business processes which are essential, well understood and need to be delivered at minimal cost. SaaS provides an opportunity for service vendors to offer the best solution to this kind of problem at the lowest cost.
The risks associated with SaaS include loss of governance, data privacy issues and return of customer data. Mature business processes are often subject to regulations and laws and organizations have invested heavily in IT to ensure compliance. Using SaaS means devolving control to the SaaS provider and it is essential to have independent confirmation that the provider will comply with the regulatory requirements. The SaaS provider also has control of the business data held by the service. Contracts need to specify how this data will be returned in a useable form at termination of contract to allow business continuity and provide flexibility to switch provider.
Choose the Right Cloud Deployment Model
Public Cloud services are available for anyone to subscribe to and use. The key benefit of a Public Cloud approach is one of scale; the Cloud provider can potentially offer a better service at a lower cost because the scale of their operation means that they can afford the skilled people and state of the art technology. The Public Cloud model inherently provides service on demand. The Cloud provider can dynamically reallocate resources as they are required. Spreading the service delivery across multiple locations also improves resilience. Local problems with power supplies, telecommunication, natural disasters and so forth can be managed more effectively when there are several data centres in multiple geographies.
The downside of the Public Cloud is the risks of compliance and data security. For example, data privacy laws in the EU mandate that personal data must be processed within defined guidelines. The Cloud service customer, who is the “data controller” is responsible in law, and needs to ensure that these guidelines are adhered to. Large Cloud providers have recognised this need and can offer compliant services. Sharing applications and infrastructure with unknown co-tenants can lead to concerns over data security and data leakage. There are standards1 and best practices2 for this and it is essential to check that the Cloud provider is externally certified3 as adhering to these.
The Her Majesty's Revenue and Customs (HMRC) online tax filing service is Software as a Service with a Public deployment model and this has been praised4 by the Audit Office, although it unclear whether it provides value for money.
A Private Cloud service is used exclusively by a single organization. The Private Cloud allows organisations to outsource the management of their IT infrastructure while retaining tighter control over the location and management of the resources. The price to pay for this is that the costs are likely to be higher because there is less potential for economy of scale, and resilience may be lower because of the limit on service resources available.
Isolation is one of the key techniques for ensuring security and, while in the Public Cloud applications and data exist in a shared environment, the Private Cloud offers greater isolation by dedicating resources to a particular customer.
A Community Cloud service is for the exclusive use of a specific community of organizations that have shared concerns; e.g., mission, security requirements, policy, and compliance considerations. A Community Cloud provides many of the benefits of scale of the public cloud while retaining greater control over compliance and data privacy. Community Cloud services already exist but under a different name! For example, NHSmail,5 the national email and directory service available to NHS staff in England and Scotland, is effectively Software as a Service with a Community deployment model. As regards security, NHSmail is accredited to Government RESTRICTED status, and is the only NHS email service that is secure enough for the transmission of confidential patient information.
When moving to the Cloud it is important that the business requirements for the move are understood and that the Cloud service and deployment models are selected to meets these needs. Taking a good governance approach, such as COBIT,
6 is the key to safely embracing the Cloud and the benefits that it provides:
- Identify the business requirements for the Cloud based solution. This seems obvious but many organizations are using the Cloud without knowing it.
- Determine the Cloud service needs based on the business requirements. Some applications will be more business critical than others.
- Develop scenarios to understand the benefits and risks. Use these to determine the requirements for controls and questions to be answered. Considering the risks may lead to the conclusion that moving to the Cloud is not appropriate.
- Understand what the certification and accreditations offered by the Cloud provider mean and actually cover and how these support your needs.
- In most organisations Cloud computing will co-exist with other IT service delivery models. Therefore an approach to governance and management is needed which covers both traditional and Cloud models.
Cloud Security Challenges
Integration: The Missing Link in the Cloud
Preventing Cloud Vendor Lock-in
Mike Small is a Fellow of the BCS and a Senior Analyst at KuppingerCole and a member of the London Chapter of ISACA. Until 2009, Small worked for CA where he developed CA’s identity and access management product strategy. He is a frequent speaker at IT security events around EMEA. Mike will be speaking at the European Identity and Cloud Conference in Munich during April.