Profiting From the Cloud: CSP
Trust & Efficiency Are Key
Senior Analyst, Heavy Reading
on behalf of
HEAVY READING | FEBRUARY 2012 | WHITE PAPER | PROFITING FROM THE CLOUD: CSP TRUST & EFFICIENCY ARE KEY 2
Cloud computing represents a significant market opportunity for communications
service providers (CSPs). CSPs are in an excellent position to add cloud services to
existing enterprise connectivity and hosting portfolios, and many have advanced
plans for doing so.
To succeed in the cloud market, CSPs need to provide superior cloud services that
are more trusted than those offered by the current generation of Web-based
cloud providers. Cloud security and efficiency present large challenges, and
enterprises fear the loss of intellectual property and/or customer data, reputational risk, malicious activity and outages in the cloud.
CSPs that can provide cloud services with the highest levels of trust and availability
at the lowest cost will profit most from the cloud. Such CSPs will persuade a critical
mass of enterprises to migrate to the cloud and benefit from the increased
revenues this will bring.
The five characteristics of cloud computing, as defined by the National Institute of
Standards and Technology (NIST), bring new vulnerabilities and threats. To create
a trusted cloud, CSPs need to address these additional cloud security requirements, providing consistent, ubiquitous customer policy-driven and service-appropriate security across multiple cloud deployment models and services, while
guaranteeing highest performance at the lowest cost.
The guidance provided by the Cloud Security Alliance (CSA) provides a useful
starting point as CSPs embark on defining the secure "silver lining" to their cloud.
CSPs can differentiate themselves by designing into their cloud architectures a
more comprehensive and complete set of CSA controls (policies, procedures and
processes for 14 CSA-defined security domains) than enterprises – or third-party
cloud service providers that the CSP is aggregating on behalf of an enterprise –
can implement for themselves. These controls need to be implemented as a
global security management layer that is populated with strong countermeasures,
provides organization-wide visibility of all aspects of security and compliance and
has a high level of security process automation to maximize the effectiveness of
countermeasures and minimize operational costs.
This white paper discusses the opportunity and requirements for building a trusted
and efficient cloud, including best practice security design principles and a
blueprint for an efficient global security management layer.
Section II expands on the role security plays in creating trusted cloud services and
deployment models, explains CSP advantages in leveraging existing security
capabilities and discusses how effective security can differentiate CSPs in an
increasingly crowded cloud market.
Section III looks at the four design principles that CSPs need to build into a trusted
and efficient cloud, and how these principles and CSA guidance come together
in a global security management architecture that supports effective governance
of the trusted cloud.
Section IV illustrates the application of the global security management architecture and its underlying security design principles in the context of mobile health
The Cloud: CSP Opportunities & Challenges
Expanding Into the Cloud
Cloud computing represents the most significant market opportunity for communications service providers (CSPs) since the arrival of the Internet. Like the early
days of the Internet, cloud computing also presents considerable challenges for
providers in the areas of security and efficiency.
Cloud computing, according to the NIST definition, is a model for enabling
convenient, on-demand network access to a shared pool of configurable
computing resources (e.g., networks, servers, storage, applications and services).
Enterprises benefit from the agility, scalability, flexibility and lower costs conferred
by the cloud model. Such are the perceived advantages of the cloud that the
Open Data Center Alliance's 300 enterprise members, representing some $100
billion worth of IT procurement power, plan to triple cloud deployment in the next
two years – an adoption rate five times faster than had previously been expected.
CSPs already have established businesses delivering network resources to enterprise customers; the cloud is a natural evolution of this business. It gives CSPs the
opportunity to aggregate all types of information communications technology
(ICT) resources and deliver them in an on-demand, low-cost model that will
displace enterprise-owned ICT infrastructure over time. CSPs gain incremental
revenue from providing cloud-based computing, storage, applications and
services in addition to connectivity (network) solutions.
No wonder Heavy Reading research shows that an overwhelming majority of CSPs
across the world plan to offer cloud services within the next three years, with many
intending to roll out all three cloud service models identified by NIST: Infrastructure
as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS).
SaaS is a catch-all for any type of application/service delivered from the cloud,
from communications services such as voice, videoconferencing and IP PBX to
more general applications such as collaboration, business services and security.
Security Creates a Trusted Silver Lining to the Cloud
The riches of the cloud market will not rain down on CSPs unless they can provide
a cloud environment that is superior to those available from the first generation of
Web-based cloud providers.
While utilization of Web-based cloud services is growing, the main consumers
today are IT-based, highly tech-savvy companies and/or enterprises with non-
critical computing requirements, such as test and development. Most enterprises
do not trust over-the-top providers of cloud services, citing security and performance as the top reasons for not using Web-based clouds for their computing
requirements. They fear the loss of intellectual property and/or customer data,
which would damage their business and lay them open to reputational risk. They
also feel threatened by the fact that malicious activity or outages in the cloud
could affect critical services on which their business depends.
To persuade a critical mass of enterprises to migrate to the cloud and to profit
from the revenue opportunities this will bring, CSPs need to offer secure cloud
services over which their enterprise customers have as much, if not more, visibility
and control as they do over their in-house, physical ICT infrastructures. CSPs need
to demonstrate that their clouds have a silver lining – security – as the foundation
for building trust in the cloud.
CSPs already control the cost of secure connectivity to the cloud in the way that
over-the-top cloud providers cannot. Their ability to combine secure network with
server and other resources makes the economics of cloud even more compelling
for customers. CSPs can also leverage trusted relationships with enterprises, based
on years of delivering secure network and physical hosted services, which typically
require an understanding of governance, risk management and compliance
(GRC), including compliant and certified operational processes and infrastructure.
While CSPs may have a head start over Web-based cloud providers in their
understanding of trust and security issues such as GRC, identity management and
information protection and management, the cloud introduces new challenges in
all these areas. Figure 1 explains the vulnerabilities and threats associated with the
five NIST-defined characteristics that turn hosted/managed computing into cloud.
CSPs need to provide countermeasures for all these threats in order to create a
trusted cloud environment that meets the security and high-availability requirements of the majority of enterprise customers.
Figure 1: Cloud Characteristics Introduce New Vulnerabilities & Threats
NIST characteristic: On-demand self-service
  Vulnerability: Customers take charge of configuring/managing "their" part of a cloud service. They thus need access inside the traditional perimeter firewall and to be granted administrative access rights.
  Threats: Identity theft, unauthorized access, data leakage, spam data, malicious code, targeted attacks, phishing.
NIST characteristic: Broad network access
  Vulnerability: Any device can potentially connect to the cloud and instigate processes within, or downloading of data from, a cloud service. Devices may have varying levels of security depending on the enterprise/cloud service provider's level of control over them. Devices may be infected with malware.
  Threats: Data loss, compromise of data integrity and confidentiality, unauthorized access, malicious code, reputational risk.
NIST characteristic: Resource pooling
  Vulnerability: Multiple tenants can coexist within the same resource pool(s) on virtualized infrastructure. Cloud is based on (virtualized) software, which is typically unanchored to specific, secure physical hardware and which naturally has vulnerabilities that can be exploited.
  Threats: Risk activity, malicious code, data leakage, data loss, loss of service (e.g., if an adjacent tenant has infrastructure frozen for legal reasons), unauthorized access, reputational risk.
NIST characteristic: Rapid elasticity
  Vulnerability: In order to scale up and down rapidly and balance utilization across the cloud infrastructure – a key cost advantage of cloud – workloads can be moved, dynamically, anywhere in the cloud.
  Threats: Lack of compliance if data is moved/processed in a non-compliant geography, compromise of data integrity and confidentiality if data moved in the clear, data loss, reputational risk, loss of availability if elasticity fails.
NIST characteristic: Measured service
  Vulnerability: Cloud services are metered in order to charge on a usage basis.
  Threats: Fraud activity, revenue leakage.
No Single Cloud
The challenge of providing security in the cloud is compounded by the fact that
there is no single type of "cloud." Instead, there are multiple permutations of cloud
service models (IaaS, PaaS and SaaS) and cloud deployment models. NIST defines
four deployment models: private, public, hybrid and community. An enterprise is
likely to want to use many combinations of these deployment models, for example
running a private cloud in its own or a third-party data center, but able to reach
out to a public or community cloud at times of peak workloads and/or for specific
(PaaS/SaaS) services and applications.
Enterprises are therefore likely to use CSPs as part of a hybrid cloud deployment
strategy, where a CSP may run:
· A "hosted" private cloud on its own infrastructure on behalf of an enterprise
· A public cloud and/or an aggregation of public clouds, e.g., SaaS clouds
that enterprise customers can tap into on an as-needed basis
· A community cloud on behalf of multiple enterprises
In all three, enterprises will expect to be able to apply their security policies and
performance SLAs to the cloud deployment, with no degradation of policy/SLAs
because they have moved processing and data outside their organizations. The
higher up the stack of cloud services they choose to engage with a CSP, the more
reliant they will be on the CSP's security policies and performance guarantees.
Figure 2 illustrates the security responsibilities of enterprise customers and CSPs for
each service type in the cloud stack.
Figure 2: Security Responsibility Across Three Cloud Service Models
A CSP must therefore make its policies and guarantees at each level of the cloud
services stack transparent to enterprise customers and as aligned as possible with
enterprise customer policies around GRC, identity management and information
protection and management. For example, if a CSP wants to provide SaaS in a
public/hybrid/community cloud model to enterprises in the financial services
industry, the CSP will be responsible for implementing and managing a higher level of PCI compliance than if it provides IaaS.
The challenge for CSPs, as they step up to seize the cloud opportunity, is to
provide consistent, ubiquitous, customer policy-driven and service-appropriate
security across multiple cloud deployment models and services, all while guaranteeing highest performance at the lowest cost.
Designing a Trusted & Efficient CSP Cloud
Such challenges dictate four key design principles for a trusted cloud:
· Security by design
· Security through integration
· Security through visibility
· Security through automation
These principles help CSPs to build a cloud fabric in which security is the silver
lining, persistently protecting enterprise customers in whatever cloud services they
choose to consume, in whichever deployment model. They enable CSPs to offer
security cost-effectively and in a way that allows them to best manage their and
their customers' risk.
Security by Design
Security needs to be designed into the cloud architecture from the beginning.
The four pillars of security needed to address vulnerabilities and threats in the
cloud are no different from those required for any ICT service: identity protection,
data protection, information management and GRC auditing. But these functions
need to be designed into the cloud architecture from the beginning, not added
as an afterthought. When countermeasures are inserted into an infrastructure not
originally architected for them, there is a higher risk of hidden vulnerabilities and
more difficulty in gaining visibility into different types of threat and/or non-
compliance with security policies.
These challenges are compounded in a cloud environment, where a CSP will be
providing different permutations of cloud service and deployment models to
individual customers. Adding security measures after the fact, rather than designing them in as an integral part of the cloud architecture, adds integration and
testing cost and the potential cost of failure.
The Cloud Security Alliance (CSA) is rapidly becoming the most respected source
of cloud security guidance and standards globally. Its best practices suggest that
cloud providers align their architectures with the CSA's emerging security requirements and controls (policies, procedures and processes) for the 14 security domains
identified as involved in governing or operating cloud services (see Figure 3).
The CSA's controls draw on and rationalize multiple, disparate government and
other industry-accepted security policies such as HITRUST CSF, ISO 27001/27002,
ISACA COBIT, PCI, HIPAA and NIST. The controls adjust such policies for the cloud
and populate each domain with a set of best practices for cloud providers and
consumers to follow.
CSPs can differentiate themselves by designing into their cloud architectures a
more comprehensive and complete set of controls than many enterprises, or third-party cloud service providers that the CSP is aggregating on behalf of an enterprise, can implement for themselves. The CSA's controls augment a CSP's existing
security control environment by specifically addressing security vulnerabilities in
the cloud. For example, auditability is built into each CSA control, automatically
making the level of the CSP's compliance to that control transparent to a cloud
consumer. This will be an important reassurance factor for enterprise consumers of
cloud services, enabling them to understand the level of protection for their
information and thus the level of risk to which they are exposing themselves. A CSP
that designs its cloud architecture from the ground up to comply with CSA controls
gains a powerful competitive advantage in the current market.
Once accounted for in the design of the cloud architecture, security can be more
successfully implemented using tools and systems that provide identity management, data protection, information management and GRC audit functions, with
lower cost and risk.
Figure 3: Cloud Security Alliance Domains
Columns: CSA domain; scope of the domain; required countermeasures/capabilities to implement controls in each domain
CSA domain: Governance and Enterprise Risk Management
  Scope: requirements for organizations concerned with governing and measuring enterprise risk introduced by cloud computing.
  Countermeasures/capabilities: Plan for policy automation with regulatory and technical content automatically mapped to policies and updated as regulations change. Assess the ability to automatically import data from third parties for even greater visibility into risk posture. Report from a centralized database which pulls together controls data from multiple sources and maps it back to policies. Remediate and fix with built-in risk scoring and integration with ticketing systems.
CSA domain: Legal Issues: Contracts and Electronic Discovery
  Scope: Potential legal issues when using cloud computing, including protection requirements for information and computer systems, regulatory and
  Countermeasures/capabilities: Search with e-discovery; provide roles-based access for legal and/or IT users to search, preserve, review and export electronically-stored information efficiently. Global de-duplication of archived content across email, files, SharePoint documents, IM. Create Data Classification Services (DCS) based on context and relevance.
CSA domain: Compliance and Audit Management
  Scope: Maintaining and proving compliance when using cloud computing, including evaluating how cloud affects compliance with internal and external
  Countermeasures/capabilities: Create host-based detection and prevention to shield cloud-based virtual machine infrastructures and services against inappropriate behaviors and activities that lead to data compromise. Design procedural controls to govern appropriate behavior.
CSA domain: Information Management & Data Security
  Scope: Managing data placed in the cloud, identifying and controlling data in the cloud and moving to the cloud. Addressing data confidentiality, integrity and availability in the cloud.
  Countermeasures/capabilities: Detect and protect the organization's intellectual property in the cloud or wherever it is stored. Help customer cloud teams identify at-risk workloads to drive risk management on placement of workloads in public vs. private clouds. Provide insight to help control and define the scope of audit for cloud-based assets.
CSA domain: Interoperability and Portability
  Scope: Moving data and services between cloud providers or cloud provider and enterprise
  Countermeasures/capabilities: Deliver functionality and interactivity between applications and the OS. Provide for portability of applications, data, and content with portable software format. Simplify the virtualization process with application packages that run in the native operating environment for which they were designed.
Figure 3: Cloud Security Alliance Domains (Continued)
Columns: CSA domain; scope of the domain; required countermeasures/capabilities to implement controls in each domain
CSA domain: Traditional Security, Business Continuity and Disaster Recovery
  Scope: Adapting and applying operational processes and procedures relating to the implementation of security, business continuity and disaster recovery to the cloud.
  Countermeasures/capabilities: Provide effective protection with unique platform-independent logical policy groupings (physical/virtual). Reduce security workloads across both virtual and physical deployments in private, public and hybrid environments. Identify, monitor and manage rogue, vulnerable or non-
CSA domain: Data Center Operations
  Scope: Evaluating data center architecture and operations and their risk profile for cloud-
  Countermeasures/capabilities: Require an assessment that allows organizations to gain visibility into resources across multiple data centers and customizable geographical, physical, and organizational boundaries. Address capacity planning to prevent service outage by identifying misaligned storage and applications. Promote responsible usage by making customers accountable with chargeback reports.
CSA domain: Incident Response
  Scope: Ensuring proper and adequate incident detection, response, notification and remediation are in place for the cloud
  Countermeasures/capabilities: Deliver ITIL and best-practice processes for incident, problem and change management. Provide highly configurable help desk software that adapts processes to organizational needs. Include self-service capabilities to speed service and drive down costs.
CSA domain: Application Security
  Scope: Securing application software that is being run in, or developed for, the cloud
  Countermeasures/capabilities: Integrate security at the software design and development phases. Implement application vulnerability management, penetration testing and code analysis.
CSA domain: Encryption and Key Management
  Scope: Understanding the requirements for proper encryption usage and scalable key management in the cloud
  Countermeasures/capabilities: Provide the ability to create keys and certificates for use with different applications. Ensure provisioning works with policy and automation to automatically deliver keys and certificates to applications. Store keys within a protected, fault-tolerant, high-availability database. Control the administrative processes and key attributes through policy.
CSA domain: Identity, Entitlement and Access Management
  Scope: identities, entitlements and
  Countermeasures/capabilities: Provide solutions that allow companies and consumers to engage in communications and commerce online. Provide services that include: SSL Certificates, Code Signing Certificates, and User Authentication.
CSA domain: Virtualization
  Scope: Scoping the risks associated with virtualization, including multi-tenancy, VM isolation, VM co-residence, hypervisor
  Countermeasures/capabilities: Coordinate recovery and management of applications in VMware vSphere, LDOM, LPAR, KVM virtual environments. Require compatibility with key virtualization features, including integration with Application Awareness API, high availability, site recovery, fault tolerance and key virtualization features such as Live Migration and Warm Migration in Unix platforms. Provide integration with backup software, which provides virtual machine image restoration as a possible remediation mechanism in virtual environments. Feature centralized application health monitoring and
Security Through Integration
Security must be integrated across operational domains.
Within a service provider organization, the responsibility for security is typically
fragmented across different business units and IT groups. The cloud embraces
different ICT components – such as network, servers, storage, databases and
applications – and makes them available in a more holistic way than conventional
ICT. The level of virtualization in the cloud, and its multi-tenant nature within a
service provider organization, introduces more scope for components to affect
each other in unpredictable ways, resulting in new vulnerabilities.
Security that is implemented by separate organizational functions with point tools
and idiosyncratic processes is not effective for a cloud environment. CSPs will find
it difficult to comprehensively monitor and manage security states in the cloud or
provide robust identity management in a consistent way, supported by single sign-on (SSO), across the cloud. Such a situation introduces vulnerabilities in the gaps
where the security functions provided by individual groups with different point
tools fail to dovetail.
CSPs will therefore find it necessary to manage security in a more global way than
they have in the past, joining up the disparate organizations responsible for
different aspects of security and ensuring a common view of security and consistent processes, practices and tools.
Security Through Visibility
Security depends on complete visibility of security policies and countermeasures.
Enterprise customers are used to feeling that they are in control of their ICT
environments. This sense of control is founded on their visibility of employee actions
and endpoint/infrastructure behavior, which they gain from management data
visualized in reports and dashboards. Enterprises use such visualized intelligence to
modify and create policies that change actions and behavior for different
purposes – for example to increase efficiency, reduce cost and improve security.
Enterprises moving critical applications and data to a CSP's cloud environment will want equivalent, if not greater, control over "their" portion of the cloud. If they are to trust the cloud, they especially need visibility of the security policies and countermeasures in place, visible evidence of the effectiveness of both and the ability to change/customize policies directly themselves, so they have the highest visibility that action has been taken.
Figure 3: Cloud Security Alliance Domains (Continued)
Columns: CSA domain; scope of the domain; required countermeasures/capabilities to implement controls in each domain
CSA domain: Security as a Service
  Scope: remediation and governance of security infrastructure to trusted third party with specialist cloud security expertise and tools
  Countermeasures/capabilities: Protect from Web-borne threats and enable the control, monitoring and enforcement of Web acceptable use policies with minimal latency. Automatically update anti-malware layers, block threats away from the network. Reduce Web misuse and help protect bandwidth through URL filtering policies and Web traffic quota limits.
The CSP cloud needs to design in mechanisms that give enterprise customers
comprehensive visibility of their environment and the security policies and countermeasures at work to protect it. Conformance with CSA controls can help here,
through their provision of an audit capability.
Security Through Automation
Security management in the cloud must be automated for high efficiency and
The cloud is a highly dynamic environment with many moving parts. It is also a
high-scale environment, especially when implemented by a CSP to support
multiple large enterprise customers. The scale and dynamic nature of the cloud
means that it can only be managed and controlled cost-effectively through ultra-high levels of automation.
Security processes and procedures certainly need to be automated. Manual
processes of threat discovery and response are too slow and costly in a cloud
environment. Automation is key to the CSP's ability to:
· Detect and respond to threats in real time.
· Monitor CSA controls, send alerts to the right organizational function when non-compliance is detected and remediate (e.g., reconfigure infrastructure) without manual intervention.
· Manage secure, cloud-based processes that involve high volumes. Examples include: issuing and examining employee credentials in the cloud (both the CSP's own employee credentials and those of its enterprise customers); and de-duplication and encryption of large amounts of data travelling between an enterprise and the CSP's cloud for backup and disaster recovery purposes.
· Create a detailed audit trail to meet GRC requirements at low cost.
Automation ensures that security processes and procedures are applied consistently, reliably and at a manageable cost. Automation is therefore core to the
trust an enterprise has in a cloud provider and to the profitability and sustainability
of a CSP's cloud services.
Applying the Design Principles: A Global Security Management Layer for the Cloud
CSPs will find it helpful to apply the four design principles when specifying a global
cloud security management layer for their trusted and efficient cloud. The global
security management layer gives the CSP cloud its security "silver lining." A global
security management layer should:
· Map to the CSA controls, to ensure that all aspects of security have been
adapted to the specific requirements of the cloud.
· Support the second principle of organizational and domain integration by
enabling CSPs to manage countermeasures (security processes and tools)
across the cloud from a single logical decision point. The global security management layer should centralize control for all security functions including strong authentication, authorization, password management, endpoint protection, information classification and encryption, DLP, secure device management, audit and compliance management.
· Provide seamless visibility throughout the cloud of the identity, data and information protection mechanisms working to secure individual customers' cloud environments (public/private/hybrid, IaaS/PaaS/SaaS). The global security management layer should give CSPs and (through multi-tenant support) their enterprise customers end-to-end visualizations of the way security is being applied within the cloud, tailored to the needs of their various security functions/organizations.
· Support the high levels of automation that are central to the success of
trusted cloud delivery, including allowing CSPs to automate new security
processes and to apply policies to new cloud-based services, so that they
can develop their cloud business rapidly and cost-effectively.
Figure 4 illustrates an architecture for a global security management layer that
implements the four design principles. Components of the architecture include:
· Support for multi-tenancy, so that security management can be exposed,
in a secure and controlled way, to enterprise customers. Enterprise customers can then be given delegated powers to manage security policies
and processes within their "own" cloud environments, as well as to monitor
policies and processes for GRC audit purposes – a key requirement for
generating trust in the cloud.
· A sophisticated, real-time event data collection and analysis capability
that can collate multiple sources of event data into a common data set
to identify emerging threats, including risk and fraud activity, malicious
code, vulnerabilities, spam data and targeted and phishing attacks
across the cloud. The management layer can then use this intelligence to
prioritize, in real time, the remediation of threats through the countermeasures under its control.
· Built-in reporting and auditing capabilities that give CSPs and their enterprise customers immediate, basic visibility and control over their cloud
environment(s). Such capabilities should be extensible so that CSPs and
enterprises can define their own, differentiated views of security data
and/or their own workflows for management and audit purposes.
· A policy engine for the definition, application and monitoring of security
policies. Policy engines may be pre-populated with policies for specific
industry segments (e.g., PCI, HIPAA) but it should also be possible for the
CSP and/or its enterprise customers to add their own, company-specific
· A flexible workflow system and common workflow templates that support
automation. CSPs should consider whether candidates for a global security management layer can provide, out of the box, a high level of built-in
automation, especially for high volume, cloud-based processes such as
data de-duplication and encryption. Ready-to-use automated support for
common security processes will reduce a CSP's costs, as it won't need to
develop such a capability itself. However, a standalone workflow system is
also necessary to enable CSPs to customize automation for their own and
their enterprise customer environments. A workflow system allows CSPs to
extend automated security management to new cloud services and deployment models over time, especially as they continue to aggregate and
broker third-party cloud services on behalf of enterprise customers.
· An integrated set of countermeasures (tools and processes) that can work
with each other, the common, real-time data set and the global reporting
and workflow components within the architecture to prevent any security
Figure 4: A Global Security Management Architecture
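The automation list under "Security Through Automation" and the Figure 4 components above (a policy engine, real-time event evaluation with automated remediation, delegated multi-tenant visibility and an audit trail for GRC purposes) are easier to reason about with a concrete model. The following Python sketch is an added example written for this edit, not code from Heavy Reading or any vendor's product; the tenant names, regions, policy values and event stream are constructed, and the CSA domain label attached to each alert is the editor's own mapping of the rule to a domain from Figure 3.

```python
# Editor's toy model of a global security management layer: per-tenant policy
# engine, automated remediation, delegated tenant visibility and a hash-chained
# audit trail. Tenants, regions, policy values and events are all constructed.
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # previous-hash value for the first audit record

@dataclass
class TenantPolicy:
    tenant: str
    allowed_regions: set               # data residency (Figure 1: rapid elasticity)
    require_encrypted_transit: bool = True
    require_managed_device: bool = True
    metering_spike_ratio: float = 3.0  # usage above N x baseline -> fraud review

@dataclass
class Alert:
    tenant: str
    rule: str
    csa_domain: str  # editor's mapping of the rule to a CSA domain
    action: str      # remediation applied without manual intervention
    event: dict

def evaluate(policy, event):
    """Return an Alert if the event violates the tenant's policy, else None."""
    kind = event["kind"]
    if kind == "workload_move":
        if event["to_region"] not in policy.allowed_regions:
            return Alert(policy.tenant, "data_residency",
                         "Compliance and Audit Management", "block_migration", event)
        if policy.require_encrypted_transit and not event["encrypted"]:
            return Alert(policy.tenant, "clear_text_transit",
                         "Encryption and Key Management", "block_migration", event)
    elif kind == "admin_login":
        if policy.require_managed_device and not event["managed_device"]:
            return Alert(policy.tenant, "unmanaged_admin_device",
                         "Identity, Entitlement and Access Management",
                         "revoke_session", event)
    elif kind == "metering":
        if event["usage"] > policy.metering_spike_ratio * event["baseline"]:
            return Alert(policy.tenant, "metering_anomaly",
                         "Governance and Enterprise Risk Management",
                         "flag_for_fraud_review", event)
    return None

def _chain_hash(body, prev):
    return hashlib.sha256((json.dumps(body, sort_keys=True) + prev).encode()).hexdigest()

class SecurityManagementLayer:
    def __init__(self, policies):
        self.policies = {p.tenant: p for p in policies}
        self.alerts = []
        self.audit = []  # each record carries the previous hash and its own

    def _append_audit(self, body):
        prev = self.audit[-1]["hash"] if self.audit else GENESIS
        self.audit.append(dict(body, prev=prev, hash=_chain_hash(body, prev)))

    def ingest(self, event):
        # Evaluate one event against its tenant's policy and log the outcome.
        policy = self.policies.get(event["tenant"])
        if policy is None:
            self._append_audit({"tenant": event["tenant"], "outcome": "unknown_tenant"})
            return None
        alert = evaluate(policy, event)
        if alert:
            self.alerts.append(alert)
        self._append_audit({"tenant": event["tenant"], "kind": event["kind"],
                            "outcome": alert.action if alert else "allowed"})
        return alert

    def tenant_view(self, tenant):
        """Delegated view: a tenant sees only its own alerts and audit records."""
        return ([a for a in self.alerts if a.tenant == tenant],
                [r for r in self.audit if r["tenant"] == tenant])

    def verify_audit(self):
        """Recompute the chain; an edited or dropped record breaks it."""
        prev = GENESIS
        for rec in self.audit:
            body = {k: v for k, v in rec.items() if k not in ("prev", "hash")}
            if rec["prev"] != prev or rec["hash"] != _chain_hash(body, prev):
                return False
            prev = rec["hash"]
        return True

EVENTS = [  # constructed sample stream; clinic-a must stay in EU regions
    {"tenant": "clinic-a", "kind": "workload_move", "to_region": "eu-west", "encrypted": True},
    {"tenant": "clinic-a", "kind": "workload_move", "to_region": "us-east", "encrypted": True},
    {"tenant": "clinic-a", "kind": "admin_login", "user": "ops1", "managed_device": False},
    {"tenant": "retail-b", "kind": "workload_move", "to_region": "us-east", "encrypted": False},
    {"tenant": "retail-b", "kind": "metering", "usage": 400, "baseline": 100},
    {"tenant": "retail-b", "kind": "admin_login", "user": "ops9", "managed_device": False},
]

def run_demo():
    # Feed the sample stream through two tenants' policies and return the layer.
    layer = SecurityManagementLayer([
        TenantPolicy("clinic-a", {"eu-west", "eu-central"}),
        TenantPolicy("retail-b", {"us-east", "eu-west"}, require_managed_device=False),
    ])
    for event in EVENTS:
        layer.ingest(event)
    return layer
```

Each tenant's view is scoped to its own alerts and audit records, and verify_audit() fails as soon as any logged outcome is altered after the fact, which is the property an enterprise auditor would want to see demonstrated.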
Implementing a Trusted Cloud: An mHealth
Mobile Health (mHealth) represents a multi-billion-dollar opportunity for health
providers to streamline and improve the delivery of medical services using mobile
devices and health-related applications and data in the cloud. Governments
around the world are sponsoring telehealth and electronic patient record
schemes, at the heart of which are cloud-based infrastructures providing access,
processing, storage and workflow capabilities. Healthcare providers are looking
for CSP partners to help them achieve their mHealth vision.
Cloud is essential to the flexibility, accelerated treatment processes and cost
advantages associated with mHealth, but, as we have seen, its characteristics
introduce new vulnerabilities and threats. Health is rightly a highly regulated sector,
given the nature of medical information, the need for complete patient
confidentiality and the critical role of patient monitoring and treatment systems.
Any CSP wanting to provide cloud services to the emerging mHealth market will
need to demonstrate that it can meet the stringent levels of compliance required
to protect patient data and healthcare systems.
CSPs will need to show that the health care systems and operations in their clouds
are secure and compliant, that they have policy-driven countermeasures in place
to prevent, detect and respond to threats, that they can manage petabytes of
medical data efficiently and securely, and that their security not only extends
across the cloud, but out to the tens of thousands of endpoints – mobile devices –
that interact with systems and data in the cloud.
A global security management capability will be key to protecting mHealth
providers that put their trust in a CSP mHealth cloud. The global security
management layer provides:
· The real-time event correlation and analysis function that enables CSPs to
detect anomalies arising in the mHealth cloud and to gain early warning
of vulnerabilities that threaten systems and/or data
· The ability to support security policies required by mHealth regulatory
bodies and specific medical provider customers
· Centralized management of security, providing a global and
comprehensive view of security compliance across the mHealth cloud
· Workflow to automate security processes to increase the trust, efficiency
and cost-effectiveness of the mHealth cloud
· A set of countermeasures to provide specific aspects of systems and data
protection in the mHealth cloud, specifically:
o Access control and identity authentication
o Server and system hardening
o Intrusion detection and network access control
o File whitelisting, scanning
o Compliance monitoring
o Efficient lifecycle storage management
o Disaster recovery and business continuity
o Data protection and backup
o Archiving, cataloguing and e-discovery of information
o Tracking and controlling critical information, including automatic ca-
o Encryption tools
o Medical device authentication
A large North American CSP is targeting the opportunity for cloud-based storage
of modern Picture Archiving and Communication Systems (PACS). Hospitals are
struggling with the fact that they have many different medical imaging systems
from multiple vendors producing huge volumes of PACS data. A small hospital
alone can generate as many as 300,000 images per year, all of which need to be
managed and stored securely.
The CSP has set up a secure and compliant cloud-based storage environment to
which hospitals can safely download their images. The CSP uses global security
management infrastructure components to lock down the infrastructure
supporting the cloud-based storage environment, limit and manage access to it and
provide an audit trail of hospital user activity. At the same time, the CSP monitors
the infrastructure so that it remains compliant with HIPAA requirements,
demonstrating this continued compliance through frequent generation of user reports.
As a result, the CSP has created a valuable cloud-based service for a group of
mHealth customers and a new revenue stream for itself, with the opportunity to
grow this revenue by adding new mHealth services to its secure cloud
infrastructure over time.
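The PACS case above describes three concrete security functions of the global security management layer: limiting and managing access to the storage environment, keeping an audit trail of hospital user activity, and generating user reports that demonstrate continued compliance; the earlier list adds real-time event correlation to detect anomalies. The following is an added example, not code from the paper or from the CSP it describes, that shows what such correlation and reporting look like when run over an audit log. The JSON event format, the field names (`user_org`, `hospital`, `study`, `result`) and the sample events are all constructed assumptions, not any vendor's format or real patient data.

```python
"""Audit-trail correlation for a cloud PACS image store (added example).

Assumed input: one JSON record per line from a hypothetical storage gateway.
'hospital' is the tenant that owns the study; 'user_org' is the organization
the authenticated user belongs to. All sample events are constructed.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample audit log (no real users, studies or hospitals).
SAMPLE_LOG = """
{"ts": "2012-02-01T08:00:01Z", "user": "dr.lee",   "user_org": "hosp-a", "hospital": "hosp-a", "action": "read",   "study": "S-1001", "result": "ok"}
{"ts": "2012-02-01T08:00:05Z", "user": "dr.lee",   "user_org": "hosp-a", "hospital": "hosp-a", "action": "read",   "study": "S-1002", "result": "ok"}
{"ts": "2012-02-01T08:01:10Z", "user": "tech.ray", "user_org": "hosp-b", "hospital": "hosp-b", "action": "upload", "study": "S-2001", "result": "ok"}
{"ts": "2012-02-01T08:02:00Z", "user": "tech.ray", "user_org": "hosp-b", "hospital": "hosp-a", "action": "read",   "study": "S-1003", "result": "denied"}
{"ts": "2012-02-01T08:02:01Z", "user": "tech.ray", "user_org": "hosp-b", "hospital": "hosp-a", "action": "read",   "study": "S-1004", "result": "denied"}
{"ts": "2012-02-01T08:02:02Z", "user": "tech.ray", "user_org": "hosp-b", "hospital": "hosp-a", "action": "read",   "study": "S-1005", "result": "denied"}
{"ts": "2012-02-01T08:02:03Z", "user": "tech.ray", "user_org": "hosp-b", "hospital": "hosp-a", "action": "read",   "study": "S-1006", "result": "ok"}
{"ts": "2012-02-01T09:30:00Z", "user": "dr.kim",   "user_org": "hosp-a", "hospital": "hosp-a", "action": "read",   "study": "S-1007", "result": "ok"}
"""


def parse_log(text):
    """Parse one JSON object per line (blank lines skipped), sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def find_cross_tenant_access(events):
    """Policy violation: a user from one hospital successfully touched another
    hospital's study. A denial is the gateway working; a success is the finding."""
    return [e for e in events if e["user_org"] != e["hospital"] and e["result"] == "ok"]


def find_denied_bursts(events, threshold=3, window=timedelta(seconds=60)):
    """Correlate denied requests per user with a sliding window; 'threshold'
    denials inside 'window' is raised as one anomaly alert for that user."""
    denied_times = defaultdict(list)
    for e in events:
        if e["result"] == "denied":
            denied_times[e["user"]].append(e["ts"])
    alerts = []
    for user, times in denied_times.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"user": user, "count": end - start + 1,
                               "first": times[start], "last": times[end]})
                break  # one alert per user per report run
    return alerts


def user_activity_report(events):
    """Per-user audit summary: action counts, denials, and studies actually
    accessed. This is the 'user report' a compliance reviewer expects to see."""
    report = {}
    for e in events:
        entry = report.setdefault(e["user"], {"org": e["user_org"], "actions": Counter(),
                                              "denied": 0, "studies": set()})
        entry["actions"][e["action"]] += 1
        if e["result"] == "denied":
            entry["denied"] += 1
        else:
            entry["studies"].add(e["study"])
    return report


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for v in find_cross_tenant_access(evs):
        print("CROSS-TENANT ACCESS:", v["user"], v["user_org"], "->", v["hospital"], v["study"])
    for a in find_denied_bursts(evs):
        print("DENIAL BURST:", a["user"], a["count"], "denials", a["first"], "..", a["last"])
    for user, entry in user_activity_report(evs).items():
        print(user, entry["org"], dict(entry["actions"]), "denied:", entry["denied"], sorted(entry["studies"]))
```

The two correlation rules deliberately look at different things: the denial burst shows the access controls doing their job but flags a user probing outside their hospital, while the cross-tenant success is the event that matters for a HIPAA review because data actually left its tenant boundary. In the constructed sample the same user triggers both, which is the pattern a reviewer would want surfaced together in the user report rather than buried among thousands of routine reads.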
In conclusion, cloud computing represents a critical opportunity for CSPs to
develop new and lucrative sources of revenue. CSPs are well positioned to
address enterprise cloud requirements, since they can leverage established
businesses delivering network services to enterprise customers. Enterprises are
eager to move to a cloud model, recognizing that they can significantly reduce
costs by drawing IT down as a service, on-demand.
But while enterprises understand the business benefits of cloud computing, they
have concerns over its security and the protection of valuable intellectual
property assets. CSPs must demonstrate they can deliver secure cloud services in
which enterprises can have the highest degree of trust.
Cloud computing is a young market, and there is plenty of scope for CSPs to build
cloud services that are more highly trusted than the first generation of over-the-top
cloud offers. CSPs with secure cloud services will differentiate themselves in the
market, creating a reputation based on trust. This will inspire brand loyalty, making
enterprise customers less likely to churn. CSPs will also gain incremental
opportunities to take on enterprises' more critical ICT requirements and to address valuable
market segments, such as finance and mHealth, where regulatory compliance
and stringent protection are key.
CSPs intending to implement trusted cloud service delivery infrastructure need to
ensure that security is its bedrock. The infrastructure should conform to the four
design principles described in this paper. Security should be designed in as an
integral part of a CSP's cloud architecture from the start. The security
management layer should be comprehensive, embracing all security functions within the
CSP's organization. It should provide unparalleled visibility of security policies and
countermeasures, and it must be highly automated for high efficiency and low cost.
CSPs that put global security management in place – the security lining for their
cloud – will be best positioned to provide the level of trust and efficiency that
enterprises require. They will be the providers with both the credibility and the right
cost base to grow a profitable cloud services business. They will be able to protect
their brand, seize new vertical market opportunities and attract and retain
enterprise customers. In the future, trusted CSPs will persuade enterprises to
relinquish their private ICT infrastructures and to outsource most, if not all, of their
requirements to the cloud. Security is the enabler of this vision, and those CSPs that
build the right protection measures into their clouds from the beginning will be
best placed to profit from it.