GDS International - Next - Generation - Telecommunications - Summit - Africa - 2

Profiting from the Cloud: CSP Trust&Efficiency are key

Transcript

  • 1. White Paper

Profiting From the Cloud: CSP Trust & Efficiency Are Key

Prepared by Caroline Chappell, Senior Analyst, Heavy Reading (www.heavyreading.com), on behalf of www.symantec.com. February 2012
  • 2. Introduction

Cloud computing represents a significant market opportunity for communications service providers (CSPs). CSPs are in an excellent position to add cloud services to existing enterprise connectivity and hosting portfolios, and many have advanced plans for doing so. To succeed in the cloud market, CSPs need to provide superior cloud services that are more trusted than those offered by the current generation of Web-based cloud providers. Cloud security and efficiency present large challenges, and enterprises fear the loss of intellectual property and/or customer data, reputational risk, malicious activity and outages in the cloud. CSPs that can provide cloud services with the highest levels of trust and availability at the lowest cost will profit most from the cloud. Such CSPs will persuade a critical mass of enterprises to migrate to the cloud and benefit from the increased revenues this will bring.

The five characteristics of cloud computing, as defined by the National Institute of Standards and Technology (NIST), bring new vulnerabilities and threats. To create a trusted cloud, CSPs need to address these additional cloud security requirements, providing consistent, ubiquitous, customer policy-driven and service-appropriate security across multiple cloud deployment models and services, while guaranteeing the highest performance at the lowest cost. The guidance provided by the Cloud Security Alliance (CSA) is a useful starting point as CSPs embark on defining the secure "silver lining" to their cloud. CSPs can differentiate themselves by designing into their cloud architectures a more comprehensive and complete set of CSA controls (policies, procedures and processes for 14 CSA-defined security domains) than enterprises – or third-party cloud service providers that the CSP is aggregating on behalf of an enterprise – can implement for themselves.

These controls need to be implemented as a global security management layer that is populated with strong countermeasures, provides organization-wide visibility of all aspects of security and compliance, and has a high level of security process automation to maximize the effectiveness of countermeasures and minimize operational costs.

This white paper discusses the opportunity and requirements for building a trusted and efficient cloud, including best-practice security design principles and a blueprint for an efficient global security management layer. Section II expands on the role security plays in creating trusted cloud services and deployment models, explains CSP advantages in leveraging existing security capabilities and discusses how effective security can differentiate CSPs in an increasingly crowded cloud market. Section III looks at the four design principles that CSPs need to build into a trusted and efficient cloud, and how these principles and CSA guidance come together in a global security management architecture that supports effective governance of the trusted cloud. Section IV illustrates the application of the global security management architecture and its underlying security design principles in the context of mobile health (mHealth).

HEAVY READING | FEBRUARY 2012 | WHITE PAPER | PROFITING FROM THE CLOUD: CSP TRUST & EFFICIENCY ARE KEY 2
  • 3. The Cloud: CSP Opportunities & Challenges

Expanding Into the Cloud

Cloud computing represents the most significant market opportunity for communications service providers (CSPs) since the arrival of the Internet. Like the early days of the Internet, cloud computing also presents considerable challenges for providers in the areas of security and efficiency. Cloud computing, according to the NIST definition, is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services). Enterprises benefit from the agility, scalability, flexibility and lower costs conferred by the cloud model. Such are the perceived advantages of the cloud that the Open Data Center Alliance's 300 enterprise members, representing some $100 billion worth of IT procurement power, plan to triple cloud deployment in the next two years – an adoption rate five times faster than had previously been expected.

CSPs already have established businesses delivering network resources to enterprise customers; the cloud is a natural evolution of this business. It gives CSPs the opportunity to aggregate all types of information and communications technology (ICT) resources and deliver them in an on-demand, low-cost model that will displace enterprise-owned ICT infrastructure over time. CSPs gain incremental revenue from providing cloud-based computing, storage, applications and services in addition to connectivity (network) solutions. No wonder Heavy Reading research shows that an overwhelming majority of CSPs across the world plan to offer cloud services within the next three years, with many intending to roll out all three cloud service models identified by NIST: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). SaaS is a catch-all for any type of application/service delivered from the cloud, from communications services such as voice, videoconferencing and IP PBX to more general applications such as collaboration, business services and security.

Security Creates a Trusted Silver Lining to the Cloud

The riches of the cloud market will not rain down on CSPs unless they can provide a cloud environment that is superior to those available from the first generation of Web-based cloud providers. While utilization of Web-based cloud services is growing, the main consumers today are IT-based, highly tech-savvy companies and/or enterprises with non-critical computing requirements, such as test and development. Most enterprises do not trust over-the-top providers of cloud services, citing security and performance as the top reasons for not using Web-based clouds for their computing requirements. They fear the loss of intellectual property and/or customer data, which would damage their business and lay them open to reputational risk. They also feel threatened by the fact that malicious activity or outages in the cloud could affect critical services on which their business depends.

To persuade a critical mass of enterprises to migrate to the cloud and to profit from the revenue opportunities this will bring, CSPs need to offer secure cloud services over which their enterprise customers have as much, if not more, visibility and control as they do over their in-house, physical ICT infrastructures. CSPs need
  • 4. to demonstrate that their clouds have a silver lining – security – as the foundation for building trust in the cloud.

CSPs already control the cost of secure connectivity to the cloud in a way that over-the-top cloud providers cannot. Their ability to combine a secure network with server and other resources makes the economics of cloud even more compelling for customers. CSPs can also leverage trusted relationships with enterprises, based on years of delivering secure network and physical hosted services, which typically require an understanding of governance, risk management and compliance (GRC), including compliant and certified operational processes and infrastructure.

While CSPs may have a head start over Web-based cloud providers in their understanding of trust and security issues such as GRC, identity management and information protection and management, the cloud introduces new challenges in all these areas. Figure 1 explains the vulnerabilities and threats associated with the five NIST-defined characteristics that turn hosted/managed computing into cloud.

Figure 1: Cloud Characteristics Introduce New Vulnerabilities & Threats

On-Demand Self Service
  Vulnerabilities: Customers take charge of configuring/managing "their" part of a cloud service. They thus need access inside the traditional perimeter firewall and need to be granted administrative access rights.
  Threats: Identity theft, unauthorized access, data leakage, spam data, malicious code, targeted attacks, phishing attacks.

Broad Network Access
  Vulnerabilities: Any device can potentially connect to the cloud and instigate processes within, or downloading of data from, a cloud service. Devices may have varying levels of security depending on the enterprise's or cloud service provider's level of control over them. Devices may be infected with malware.
  Threats: Data loss, compromise of data integrity and confidentiality, unauthorized access, malicious code, reputational risk.

Resource Pooling
  Vulnerabilities: Multiple tenants can coexist within the same resource pool(s) on virtualized infrastructure. Cloud is based on (virtualized) software, which is typically unanchored to specific, secure physical hardware and which naturally has vulnerabilities that can be exploited.
  Threats: Risk activity, malicious code, data leakage, data loss, loss of service (e.g., if an adjacent tenant has infrastructure frozen for legal reasons), unauthorized access, reputational risk.

Rapid Elasticity
  Vulnerabilities: In order to scale up and down rapidly and balance utilization across the cloud infrastructure – a key cost advantage of cloud – workloads can be moved, dynamically, anywhere in the cloud.
  Threats: Lack of compliance if data is moved/processed in a non-compliant geography, compromise of data integrity and confidentiality if data is moved in the clear, data loss, reputational risk, loss of availability if elasticity fails.

Measured Service
  Vulnerabilities: Cloud services are metered in order to charge on a usage basis.
  Threats: Fraud activity, revenue leakage.

CSPs need to provide countermeasures for all these threats in order to create a trusted cloud environment that meets the security and high-availability requirements of the majority of enterprise customers.
  • 5. No Single Cloud

The challenge of providing security in the cloud is compounded by the fact that there is no single type of "cloud." Instead, there are multiple permutations of cloud service models (IaaS, PaaS and SaaS) and cloud deployment models. NIST defines four deployment models: private, public, hybrid and community. An enterprise is likely to want to use many combinations of these deployment models, for example running a private cloud in its own or a third-party data center, but able to reach out to a public or community cloud at times of peak workloads and/or for specific (PaaS/SaaS) services and applications. Enterprises are therefore likely to use CSPs as part of a hybrid cloud deployment strategy, where a CSP may run:

· A "hosted" private cloud on its own infrastructure on behalf of an enterprise customer
· A public cloud and/or an aggregation of public clouds, e.g., SaaS clouds that enterprise customers can tap into on an as-needed basis
· A community cloud on behalf of multiple enterprises

In all three, enterprises will expect to be able to apply their security policies and performance SLAs to the cloud deployment, with no degradation of policy/SLAs because they have moved processing and data outside their organizations. The higher up the stack of cloud services they choose to engage with a CSP, the more reliant they will be on the CSP's security policies and performance guarantees. Figure 2 illustrates the security responsibilities of enterprise customers and CSPs for each service type in the cloud stack.

Figure 2: Security Responsibility Across Three Cloud Service Models (Source: Symantec)
  • 6. A CSP must therefore make its policies and guarantees at each level of the cloud services stack transparent to enterprise customers and as aligned as possible with enterprise customer policies around GRC, identity management and information protection and management. For example, if a CSP wants to provide SaaS in a public/hybrid/community cloud model to enterprises in the financial services industry, the CSP will be responsible for implementing and managing a higher level of PCI compliance than if it provides IaaS.

The challenge for CSPs, as they step up to seize the cloud opportunity, is to provide consistent, ubiquitous, customer policy-driven and service-appropriate security across multiple cloud deployment models and services, all while guaranteeing the highest performance at the lowest cost.
  • 7. Designing a Trusted & Efficient CSP Cloud

Such challenges dictate four key design principles for a trusted cloud:

· Security by design
· Security through integration
· Security through visibility
· Security through automation

These principles help CSPs to build a cloud fabric in which security is the silver lining, persistently protecting enterprise customers in whatever cloud services they choose to consume, in whichever deployment model. They enable CSPs to offer security cost-effectively and in a way that allows them to best manage their own and their customers' risk.

Security by Design

Security needs to be designed into the cloud architecture from the beginning. The four pillars of security needed to address vulnerabilities and threats in the cloud are no different from those required for any ICT service: identity protection, data protection, information management and GRC auditing. But these functions need to be designed into the cloud architecture from the beginning, not added as an afterthought. When countermeasures are inserted into an infrastructure not originally architected for them, there is a higher risk of hidden vulnerabilities and more difficulty in gaining visibility into different types of threat and/or non-compliance with security policies. These challenges are compounded in a cloud environment, where a CSP will be providing different permutations of cloud service and deployment models to individual customers. Adding security measures after the fact, rather than designing them in as an integral part of the cloud architecture, adds integration and testing cost and the potential cost of failure.

The Cloud Security Alliance (CSA) is rapidly becoming the most respected source of cloud security guidance and standards globally. Its best practices suggest that cloud providers align their architectures with the CSA's emerging security requirements and controls (policies, procedures and processes) for the 14 security domains identified as involved in governing or operating cloud services (see Figure 3). The CSA's controls draw on and rationalize multiple, disparate government and other industry-accepted security policies such as HITRUST CSF, ISO 27001/27002, ISACA COBIT, PCI, HIPAA and NIST. The controls adjust such policies for the cloud and populate each domain with a set of best practices for cloud providers and consumers to follow. CSPs can differentiate themselves by designing into their cloud architectures a more comprehensive and complete set of controls than many enterprises, or third-party cloud service providers that the CSP is aggregating on behalf of an enterprise, can implement for themselves.

The CSA's controls augment a CSP's existing security control environment by specifically addressing security vulnerabilities in the cloud. For example, auditability is built into each CSA control, automatically making the level of the CSP's compliance with that control transparent to a cloud
  • 8. consumer. This will be an important reassurance factor for enterprise consumers of cloud services, enabling them to understand the level of protection for their information and thus the level of risk to which they are exposing themselves. A CSP that designs its cloud architecture from the ground up to comply with CSA controls gains a powerful competitive advantage in the current market. Once accounted for in the design of the cloud architecture, security can be more successfully implemented using tools and systems that provide identity management, data protection, information management and GRC audit functions, with lower cost and risk.

Figure 3: Cloud Security Alliance Domains
(Columns: Domain Name; Domain Description; Guidance: required countermeasures/capabilities to implement controls in each domain)

Governance Domains

Governance & Enterprise Risk Management
  Description: Recommendations and requirements for organizations concerned with governing and measuring enterprise risk introduced by cloud computing.
  Guidance: Plan for policy automation with regulatory and technical content automatically mapped to policies and updated as regulations change. Assess the ability to automatically import data from third parties for even greater visibility into risk posture. Report from a centralized database which pulls together controls data from multiple sources and maps it back to policies. Remediate and fix with built-in risk scoring and integration with ticketing systems.

Legal Contracts & Electronic Discovery
  Description: Potential legal issues when using cloud computing, including protection requirements for information and computer systems, regulatory and legal requirements.
  Guidance: Search with e-discovery; provide role-based access for legal and/or IT users to search, preserve, review and export electronically stored information efficiently. Global de-duplication of archived content across email, files, SharePoint documents and IM. Create Data Classification Services (DCS) based on context and relevance.

Compliance & Audit
  Description: Maintaining and proving compliance when using cloud computing, including evaluating how cloud affects compliance with internal and external security/regulatory policies.
  Guidance: Create host-based detection and prevention to shield cloud-based virtual machine infrastructures and services against inappropriate behaviors and activities that lead to data compromise. Design procedural controls to govern appropriate behavior.

Information Management & Data Security
  Description: Managing data placed in the cloud, identifying and controlling data in the cloud and moving to the cloud. Addressing data confidentiality, integrity and availability in the cloud.
  Guidance: Detect and protect the organization's intellectual property in the cloud or wherever it is stored. Help customer cloud teams identify at-risk workloads to drive risk management on placement of workloads in public vs. private clouds. Provide insight to help control and define the scope of audit for cloud-based assets.

Portability & Interoperability
  Description: Moving data and services between cloud providers, or between a cloud provider and enterprise customers.
  Guidance: Deliver functionality and interactivity between applications and the OS. Provide for portability of applications, data and content with a portable software format. Simplify the virtualization process with application packages that run in the native operating environment for which they were designed.
  • 9. Figure 3: Cloud Security Alliance Domains (Continued)

Operational Domains

Traditional Security, Business Continuity & Disaster Recovery
  Description: Adapting and applying operational processes and procedures relating to the implementation of security, business continuity and disaster recovery to the cloud.
  Guidance: Provide effective protection with unique platform-independent logical policy groupings (physical/virtual). Reduce security workloads across both virtual and physical deployments in private, public and hybrid environments. Identify, monitor and manage rogue, vulnerable or non-compliant systems.

Data Center Operations
  Description: Evaluating data center architecture and operations and their risk profile for cloud-based services.
  Guidance: Require an assessment that allows organizations to gain visibility into resources across multiple data centers and customizable geographical, physical and organizational boundaries. Address capacity planning to prevent service outage by identifying misaligned storage and applications. Promote responsible usage by making customers accountable with chargeback reports.

Incident Response, Notification & Remediation
  Description: Ensuring proper and adequate incident detection, response, notification and remediation are in place for the cloud.
  Guidance: Deliver ITIL and best-practice processes for incident, problem and change management. Provide highly configurable help desk software that adapts processes to organizational needs. Include self-service capabilities to speed service and drive down costs.

Application Security
  Description: Securing application software that is being run in, or developed for, the cloud.
  Guidance: Integrate security at the software design and development phases. Implement application vulnerability management, penetration testing and code analysis.

Encryption & Key Management
  Description: Understanding the requirements for proper encryption usage and scalable key management in the cloud.
  Guidance: Provide the ability to create keys and certificates for use with different applications. Ensure provisioning works with policy and automation to automatically deliver keys and certificates to applications. Store keys within a protected, fault-tolerant, high-availability database. Control the administrative processes and key attributes through policy.

Identity & Access Management
  Description: Managing cloud-based identities, entitlements and access rights.
  Guidance: Provide solutions that allow companies and consumers to engage in communications and commerce online. Provide services that include SSL certificates, code signing certificates and user authentication.

Virtualization
  Description: Scoping the risks associated with virtualization, including multi-tenancy, VM isolation, VM co-residence, hypervisor vulnerabilities, etc.
  Guidance: Coordinate recovery and management of applications in VMware vSphere, LDOM, LPAR and KVM virtual environments. Require compatibility with key virtualization features, including integration with the Application Awareness API, high availability, site recovery, fault tolerance and key virtualization features such as Live Migration and Warm Migration on Unix platforms. Provide integration with backup software, which provides virtual machine image restoration as a possible remediation mechanism in virtual environments. Feature centralized application health monitoring and management.
  • 10. Figure 3: Cloud Security Alliance Domains (Continued)

Security as a Service
  Description: Delegating detection, remediation and governance of security infrastructure to a trusted third party with specialist cloud security expertise and tools.
  Guidance: Protect from Web-borne threats and enable the control, monitoring and enforcement of Web acceptable use policies with minimal latency. Automatically update anti-malware layers and block threats away from the network. Reduce Web misuse and help protect bandwidth through URL filtering policies and Web traffic quota limits.

Security Through Integration

Security must be integrated across operational domains. Within a service provider organization, the responsibility for security is typically fragmented across different business units and IT groups. The cloud embraces different ICT components – such as network, servers, storage, databases and applications – and makes them available in a more holistic way than conventional ICT. The level of virtualization in the cloud, and its multi-tenant nature within a service provider organization, introduces more scope for components to affect each other in unpredictable ways, resulting in new vulnerabilities.

Security that is implemented by separate organizational functions with point tools and idiosyncratic processes is not effective for a cloud environment. CSPs will find it difficult to comprehensively monitor and manage security states in the cloud or provide robust identity management in a consistent way, supported by single sign-on (SSO), across the cloud. Such a situation introduces vulnerabilities in the gaps where the security functions provided by individual groups with different point tools fail to dovetail. CSPs will therefore find it necessary to manage security in a more global way than they have in the past, joining up the disparate organizations responsible for different aspects of security and ensuring a common view of security and consistent processes, practices and tools.

Security Through Visibility

Security depends on complete visibility of security policies and countermeasures. Enterprise customers are used to feeling that they are in control of their ICT environments. This sense of control is founded on their visibility of employee actions and endpoint/infrastructure behavior, which they gain from management data visualized in reports and dashboards. Enterprises use such visualized intelligence to modify and create policies that change actions and behavior for different purposes – for example to increase efficiency, reduce cost and improve security.

Enterprises moving critical applications and data to a CSP's cloud environment will want equivalent, if not greater, control over "their" portion of the cloud. If they are to trust the cloud, they especially need visibility of the security policies and countermeasures in place, visible evidence of the effectiveness of both and the
  • 11. ability to change/customize policies directly themselves, so they have the highest visibility that action has been taken. The CSP cloud needs to design in mechanisms that give enterprise customers comprehensive visibility of their environment and the security policies and countermeasures at work to protect it. Conformance with CSA controls can help here, through their provision of an audit capability.

Security Through Automation

Security management in the cloud must be automated for high efficiency and low cost. The cloud is a highly dynamic environment with many moving parts. It is also a high-scale environment, especially when implemented by a CSP to support multiple large enterprise customers. The scale and dynamic nature of the cloud means that it can only be managed and controlled cost-effectively through ultra-high levels of automation. Security processes and procedures certainly need to be automated. Manual processes of threat discovery and response are too slow and costly in a cloud environment. Automation is key to the CSP's ability to:

· Detect and respond to threats in real time.
· Monitor CSA controls, send alerts to the right organizational function when non-compliance is detected and remediate (e.g., reconfigure infrastructure) without manual intervention.
· Manage secure, cloud-based processes that involve high volumes. Examples include: issuing and examining employee credentials in the cloud (both the CSP's own employee credentials and those of its enterprise customers); and de-duplication and encryption of large amounts of data travelling between an enterprise and the CSP's cloud for backup and disaster recovery purposes.
· Create a detailed audit trail to meet GRC requirements at low cost.

Automation ensures that security processes and procedures are applied consistently, reliably and at a manageable cost. Automation is therefore core to the trust an enterprise has in a cloud provider and to the profitability and sustainability of a CSP's cloud services.

Applying the Design Principles: A Global Security Management Layer for the Cloud

CSPs will find it helpful to apply the four design principles when specifying a global cloud security management layer for their trusted and efficient cloud. The global security management layer gives the CSP cloud its security "silver lining." A global security management layer should:

· Map to the CSA controls, to ensure that all aspects of security have been adapted to the specific requirements of the cloud.
· Support the second principle of organizational and domain integration by enabling CSPs to manage countermeasures (security processes and tools)
  • 12. across the cloud from a single logical decision point. The global security management layer should centralize control for all security functions including strong authentication, authorization, password management, endpoint protection, information classification and encryption, DLP, secure device management, audit and compliance management.
· Provide seamless visibility throughout the cloud of the identity, data and information protection mechanisms working to secure individual customers' cloud environments (public/private/hybrid, IaaS/PaaS/SaaS). The global security management layer should give CSPs and (through multi-tenant support) their enterprise customers end-to-end visualizations of the way security is being applied within the cloud, tailored to the needs of their various security functions/organizations.
· Support the high levels of automation that are central to the success of trusted cloud delivery, including allowing CSPs to automate new security processes and to apply policies to new cloud-based services, so that they can develop their cloud business rapidly and cost-effectively.

Figure 4 illustrates an architecture for a global security management layer that implements the four design principles. Components of the architecture include:

· Support for multi-tenancy, so that security management can be exposed, in a secure and controlled way, to enterprise customers. Enterprise customers can then be given delegated powers to manage security policies and processes within their "own" cloud environments, as well as to monitor policies and processes for GRC audit purposes – a key requirement for generating trust in the cloud.
· A sophisticated, real-time event data collection and analysis capability that can collate multiple sources of event data into a common data set to identify emerging threats, including risk and fraud activity, malicious code, vulnerabilities, spam data and targeted and phishing attacks across the cloud. The management layer can then use this intelligence to prioritize, in real time, the remediation of threats through the countermeasures under its control.
· Built-in reporting and auditing capabilities that give CSPs and their enterprise customers immediate, basic visibility and control over their cloud environment(s). Such capabilities should be extensible so that CSPs and enterprises can define their own, differentiated views of security data and/or their own workflows for management and audit purposes.
· A policy engine for the definition, application and monitoring of security policies. Policy engines may be pre-populated with policies for specific industry segments (e.g., PCI, HIPAA), but it should also be possible for the CSP and/or its enterprise customers to add their own, company-specific security policies.
· A flexible workflow system and common workflow templates that support automation. CSPs should consider whether candidates for a global security management layer can provide, out of the box, a high level of built-in automation, especially for high-volume, cloud-based processes such as data de-duplication and encryption. Ready-to-use automated support for common security processes will reduce a CSP's costs, as it won't need to develop such a capability itself. However, a standalone workflow system is also necessary to enable CSPs to customize automation for their own and
  • 13. their enterprise customer environments. A workflow system allows CSPs to extend automated security management to new cloud services and dep- loyment models over time, especially as they continue to aggregate and broker third-party cloud services on behalf of enterprise customers. · An integrated set of countermeasures (tools and processes) that can work with each other, the common, real-time data set and the global reporting and workflow components within the architecture to prevent any security blind spots. Figure 4: A Global Security Management ArchitectureHEAVY READING | FEBRUARY 2012 | WHITE PAPER | PROFITING FROM THE CLOUD: CSP TRUST & EFFICIENCY ARE KEY 13
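As an added illustration of three of these components (tenant tagging at ingest, a common real-time event set collated from several countermeasures, and prioritized remediation with a delegated per-customer view), the following Python sketch is example code written for this edit; it is not an implementation from the paper or from any vendor product. The raw record formats, adapter field names, severity scale, the two correlation rules and the sample feed are all assumptions chosen for illustration; a production layer would ingest real countermeasure telemetry and carry far more rules.

```python
# Added example (not from the paper): a minimal multi-tenant event layer that
# collates four assumed countermeasure feeds into one schema, correlates per
# tenant and host, and ranks remediation. Formats and rules are illustrative.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    tenant: str    # tagged at ingest; every later view is filtered on this
    source: str    # countermeasure that produced the record
    host: str
    user: str
    kind: str      # normalized category shared by all sources
    severity: int  # normalized 1 (info) .. 10 (critical)
    ts: int        # unix seconds


# One adapter per feed. Raw field names are assumptions for illustration.
def _from_ids(r):
    return Event(r["tenant"], "ids", r["dst_host"], "", "intrusion",
                 min(10, 3 * r["priority"]), r["ts"])


def _from_endpoint(r):
    return Event(r["tenant"], "endpoint", r["hostname"], r["account"], "malware", 8, r["ts"])


def _from_dlp(r):
    sev = 6 if r["bytes"] > 1_000_000 else 3
    return Event(r["tenant"], "dlp", r["hostname"], r["account"], "exfil", sev, r["ts"])


def _from_auth(r):
    kind = "auth_ok" if r["result"] == "success" else "auth_fail"
    return Event(r["tenant"], "auth", r["host"], r["user"], kind, 1, r["ts"])


ADAPTERS = {"ids": _from_ids, "endpoint": _from_endpoint, "dlp": _from_dlp, "auth": _from_auth}


def normalize(raw_events):
    """Collate heterogeneous raw records into the common, time-ordered event set."""
    return sorted((ADAPTERS[r["src"]](r) for r in raw_events), key=lambda e: e.ts)


def correlate(events, window=600):
    """Group events per (tenant, host) and score each group for remediation.

    Rule 1: DLP exfiltration within `window` seconds after a malware detection
            on the same host is treated as probable data theft (score 10).
    Rule 2: five or more failed logins for one user followed by a success on
            the same host suggests a guessed or stuffed credential (score 9).
    Otherwise the group inherits the highest normalized severity it contains.
    """
    groups = defaultdict(list)
    for e in events:
        groups[(e.tenant, e.host)].append(e)

    findings = []
    for (tenant, host), evs in groups.items():
        score = max(e.severity for e in evs)
        title = "review: " + ", ".join(sorted({e.kind for e in evs}))

        malware_ts = [e.ts for e in evs if e.kind == "malware"]
        exfil_ts = [e.ts for e in evs if e.kind == "exfil"]
        if any(0 <= x - m <= window for m in malware_ts for x in exfil_ts):
            score, title = 10, "probable data theft: exfiltration after malware detection"

        per_user = defaultdict(list)
        for e in evs:
            if e.kind in ("auth_fail", "auth_ok"):
                per_user[e.user].append(e)
        for user, ue in per_user.items():
            fails = 0
            for e in ue:
                if e.kind == "auth_fail":
                    fails += 1
                    continue
                if fails >= 5:
                    score = max(score, 9)
                    title = f"credential compromise suspected: {user} succeeded after {fails} failures"
                    break
                fails = 0

        findings.append({"tenant": tenant, "host": host, "score": score,
                         "title": title, "events": len(evs)})
    return sorted(findings, key=lambda f: -f["score"])


def tenant_view(findings, tenant):
    """Delegated view: an enterprise customer sees only its own findings."""
    return [f for f in findings if f["tenant"] == tenant]


# Constructed sample feed (not real telemetry): six failed logins then a success
# for one tenant; malware followed by a large outbound transfer for another.
SAMPLE_RAW = [
    {"src": "auth", "tenant": "hospital-a", "host": "pacs-gw1",
     "user": "radiologist1", "result": "failure", "ts": 1000 + i} for i in range(6)
] + [
    {"src": "auth", "tenant": "hospital-a", "host": "pacs-gw1",
     "user": "radiologist1", "result": "success", "ts": 1010},
    {"src": "endpoint", "tenant": "hospital-b", "hostname": "ws-17", "account": "nurse4", "ts": 2000},
    {"src": "dlp", "tenant": "hospital-b", "hostname": "ws-17", "account": "nurse4",
     "bytes": 50_000_000, "ts": 2300},
    {"src": "ids", "tenant": "hospital-b", "dst_host": "db-2", "priority": 1, "ts": 2500},
]


def run(raw=SAMPLE_RAW):
    return correlate(normalize(raw))


if __name__ == "__main__":
    for f in run():
        print(f["score"], f["tenant"], f["host"], f["title"])
```

The point of the adapters is that correlation rules are written once against the common schema, not once per product; the tenant tag travels with every event so that `tenant_view` can be exposed to a customer without leaking another hospital's findings.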
Implementing a Trusted Cloud: An mHealth Case Study

Mobile Health (mHealth) represents a multi-billion-dollar opportunity for health providers to streamline and improve the delivery of medical services using mobile devices and health-related applications and data in the cloud. Governments around the world are sponsoring telehealth and electronic patient record schemes, at the heart of which are cloud-based infrastructures providing access, processing, storage and workflow capabilities. Healthcare providers are looking for CSP partners to help them achieve their mHealth vision.

Cloud is essential to the flexibility, accelerated treatment processes and cost advantages associated with mHealth, but, as we have seen, its characteristics introduce new vulnerabilities and threats. Health is rightly a highly regulated sector given the nature of medical information, the need for complete patient confidentiality and the critical role of patient monitoring and treatment systems. Any CSP wanting to provide cloud services to the emerging mHealth market will need to demonstrate that it can meet the stringent levels of compliance required to protect patient data and healthcare systems. CSPs will need to show that the healthcare systems and operations in their clouds are secure and compliant, that they have policy-driven countermeasures in place to prevent, detect and respond to threats, that they can manage petabytes of medical data efficiently and securely, and that their security not only extends across the cloud, but out to the tens of thousands of endpoints – mobile devices – that interact with systems and data in the cloud.

A global security management capability will be key to protecting mHealth providers that put their trust in a CSP mHealth cloud. The global security management layer provides:

· The real-time event correlation and analysis function that enables CSPs to detect anomalies arising in the mHealth cloud and to gain early warning of vulnerabilities that threaten systems and/or data
· The ability to support security policies required by mHealth regulatory bodies and specific medical provider customers
· Centralized management of security, providing a global and comprehensive view of security compliance across the mHealth cloud
· Workflow to automate security processes to increase the trust, efficiency and cost-effectiveness of the mHealth cloud
· A set of countermeasures to provide specific aspects of systems and data protection in the mHealth cloud, specifically:
  o Access control and identity authentication
  o Server and system hardening
  o Intrusion detection and network access control
  o File whitelisting and scanning
  o Compliance monitoring
  o Efficient lifecycle storage management
  o Disaster recovery and business continuity
  o Data protection and backup
  o Archiving, cataloguing and e-discovery of information
  o Tracking and controlling critical information, including automatic categorization
  o Encryption tools
  o Medical device authentication

A large North American CSP is targeting the opportunity for cloud-based storage of modern Picture Archiving and Communication Systems (PACS). Hospitals are struggling with the fact that they have many different medical imaging systems from multiple vendors producing huge volumes of PACS data. A small hospital alone can generate as many as 300,000 images per year, all of which need to be managed and stored securely.

The CSP has set up a secure and compliant cloud-based storage environment to which hospitals can safely upload their images. The CSP uses global security management infrastructure components to lock down the infrastructure supporting the cloud-based storage environment, to limit and manage access to it, and to provide an audit trail of hospital user activity. At the same time, the CSP monitors the infrastructure so that it remains compliant with HIPAA requirements, demonstrating this continued compliance through frequent generation of user reports. As a result, the CSP has created a valuable cloud-based service for a group of mHealth customers and a new revenue stream for itself, with the opportunity to grow this revenue by adding new mHealth services to its secure cloud infrastructure over time.
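To make the three PACS controls named above concrete (limiting and managing access, an audit trail of hospital user activity, and the user reports drawn from it), here is an added example written for this edit; it is not the CSP's implementation, and the roles, permissions, record fields, tenant and user names and the scenario are assumptions. One design choice is added deliberately: the audit trail is hash-chained, so that a later edit or deletion of an entry breaks verification. A report is only evidence of compliance if the trail it is drawn from cannot be silently altered by the administrators whose activity it records.

```python
# Added example (not the CSP's code): tenant-scoped access control on PACS
# image records, a hash-chained audit trail of every decision, and the
# per-user activity report drawn from it. Roles, fields, names are assumptions.
import hashlib
import json
from dataclasses import dataclass

ROLES = {  # role -> permitted actions (assumed for illustration)
    "radiologist": {"image.read", "image.annotate"},
    "referring_physician": {"image.read"},
    "pacs_admin": {"image.read", "image.delete"},
}


@dataclass(frozen=True)
class Principal:
    tenant: str  # hospital the user belongs to
    user: str
    role: str


class AuditTrail:
    """Append-only log; each record commits to its predecessor's hash, so an
    edited or dropped entry is caught by verify(). A design choice added here."""
    GENESIS = "0" * 64

    def __init__(self):
        self.records, self._prev = [], self.GENESIS

    @staticmethod
    def _digest(prev, fields):
        return hashlib.sha256((prev + json.dumps(fields, sort_keys=True)).encode()).hexdigest()

    def append(self, **fields):
        digest = self._digest(self._prev, fields)
        self.records.append({"prev": self._prev, "hash": digest, **fields})
        self._prev = digest
        return digest

    def verify(self):
        prev = self.GENESIS
        for rec in self.records:
            fields = {k: v for k, v in rec.items() if k not in ("prev", "hash")}
            if rec["prev"] != prev or rec["hash"] != self._digest(prev, fields):
                return False
            prev = rec["hash"]
        return True


class PacsStore:
    def __init__(self, trail):
        self.trail, self.images = trail, {}  # image_id -> (owning tenant, blob)

    def put(self, tenant, image_id, blob):
        self.images[image_id] = (tenant, blob)

    def authorize(self, who, action, image_id):
        img = self.images.get(image_id)
        if img is None:
            return "deny:not_found"
        if img[0] != who.tenant:  # tenant isolation is checked before role
            return "deny:cross_tenant"
        if action not in ROLES.get(who.role, set()):
            return "deny:role"
        return "allow"

    def access(self, who, action, image_id, ts):
        """Every decision, allowed or denied, is written to the trail."""
        decision = self.authorize(who, action, image_id)
        owner = self.images[image_id][0] if image_id in self.images else None
        self.trail.append(ts=ts, tenant=who.tenant, user=who.user, role=who.role,
                          action=action, image=image_id, owner=owner, decision=decision)
        return decision == "allow"


def user_activity_report(trail, tenant):
    """One hospital's view: its users' activity plus any attempt by another
    tenant's user against images this hospital owns."""
    report = {}
    for r in trail.records:
        if tenant not in (r["tenant"], r["owner"]):
            continue
        u = report.setdefault(r["user"], {"allowed": 0, "denied": 0, "denials": []})
        if r["decision"] == "allow":
            u["allowed"] += 1
        else:
            u["denied"] += 1
            u["denials"].append(r["decision"])
    return report


def demo():
    """Constructed scenario (not real hospital data)."""
    trail = AuditTrail()
    store = PacsStore(trail)
    store.put("hospital-a", "img-001", b"dicom-bytes")
    store.put("hospital-b", "img-900", b"dicom-bytes")
    rad = Principal("hospital-a", "radiologist1", "radiologist")
    ref = Principal("hospital-a", "drsmith", "referring_physician")
    outsider = Principal("hospital-b", "tech9", "pacs_admin")
    results = [
        store.access(rad, "image.read", "img-001", 1),       # allow
        store.access(ref, "image.annotate", "img-001", 2),   # deny: role
        store.access(outsider, "image.read", "img-001", 3),  # deny: other tenant
        store.access(rad, "image.read", "img-404", 4),       # deny: no such image
    ]
    return trail, results
```

Two details carry the security weight. Denied attempts are logged as carefully as allowed ones, and a cross-tenant attempt appears in the report of the hospital whose image was targeted, not only in the attacker's tenant. And `verify()` walks the chain from the genesis value, so any record changed after the fact, even by someone with write access to the log store, fails the check that a compliance report should run before it is produced.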
Conclusion

Cloud computing represents a critical opportunity for CSPs to develop new and lucrative sources of revenue. CSPs are well positioned to address enterprise cloud requirements, since they can leverage established businesses delivering network services to enterprise customers. Enterprises are eager to move to a cloud model, recognizing that they can significantly reduce costs by drawing IT down as a service, on demand. But while enterprises understand the business benefits of cloud computing, they have concerns over its security and the protection of valuable intellectual property assets. CSPs must demonstrate that they can deliver secure cloud services in which enterprises can have the highest degree of trust.

Cloud computing is a young market, and there is plenty of scope for CSPs to build cloud services that are more highly trusted than the first generation of over-the-top cloud offers. CSPs with secure cloud services will differentiate themselves in the market, creating a reputation based on trust. This will inspire brand loyalty, making enterprise customers less likely to churn. CSPs will also gain incremental opportunities to take on enterprises' more critical ICT requirements and to address valuable market segments, such as finance and mHealth, where regulatory compliance and stringent protection are key.

CSPs intending to implement trusted cloud service delivery infrastructure need to ensure that security is its bedrock. The infrastructure should conform to the four design principles described in this paper. Security should be designed in as an integral part of a CSP's cloud architecture from the start. The security management layer should be comprehensive, embracing all security functions within the CSP's organization. It should provide unparalleled visibility of security policies and countermeasures, and it must be highly automated for high efficiency and low cost.

CSPs that put global security management in place – the security lining for their cloud – will be best positioned to provide the level of trust and efficiency that enterprises require. They will be the providers with both the credibility and the right cost base to grow a profitable cloud services business. They will be able to protect their brand, seize new vertical market opportunities and attract and retain enterprise customers. In the future, trusted CSPs will persuade enterprises to relinquish their private ICT infrastructures and to outsource most, if not all, of their requirements to the cloud. Security is the enabler of this vision, and those CSPs that build the right protection measures into their clouds from the beginning will be best placed to profit from it.