Is the Cloud Safe? Cloud Computing, Security, and Data Sovereignty
A MeetTheBoss TV ebook, in collaboration with HP
24 roundtables, 36 hours of conversation, 120 senior IT executives, one question: what is the impact of cloud on data ownership?
INTRODUCTION: ABOUT THIS EBOOK
MeetTheBoss TV and HP have hosted 24 roundtables with senior IT professionals. Each roundtable is a 90-minute deep dive into the business impact of cloud computing, led by the executives and independently moderated by MeetTheBoss TV.
This ebook gathers the highlights, challenges and learning from 24 roundtables, 36 hours of conversation, and 120 senior IT executives on the impact of cloud on data ownership.
What does business really think? It’s all here.
CHAPTER 1
CLOUD, SECURITY AND DATA SOVEREIGNTY: WHAT ARE THE RISKS?
By Ben Thompson, Editor, MeetTheBoss TV
The paranoia of a post-Snowden world has companies locking down digital borders in the quest to deliver a secure cloud environment. But where do the real risks lie?
Cloud promised the world: unfettered access to computing resources and assets, irrespective of geographic location or device. Sure, people had concerns, security chief amongst them; but even so the cost, speed and agility benefits were largely considered to outweigh any potential risks.
Then along came Snowden, with his revelations of widespread NSA data collection and surveillance. Suddenly, data sovereignty – the concept of where your data resides and who has authority over it – was right back at the top of the CIO agenda, with a growing number of firms refusing to countenance storing data outside of their own country borders.
The benefits of cloud were still there, but which provider you used and where they were located became all-important. According to research from NTT Communications, a whopping 95% of IT decision-makers believe location matters when it comes to storing company data, with 88% changing their cloud-buying behaviors in light of the Snowden scandal.
But sovereignty is not just about geography; it is also about legal jurisdiction. “Who owns the legal rights to that data?” asked Martin Hagen, Head of IT for the City of Bremen. “Which laws and regulations is it subject to? And who has control over that?” It was a concern echoed across the region. “Establishing the legal location is very important,” agreed Lorenzo Bandelli, CIO for Trieste. “We need legal assurance that the data is ours, and knowledge about who can do what with that data.”
A chief concern for attendees was a lack of transparency into what happens to your data once you hand it over to a provider. “My fear is that when you purchase cloud services, you might be purchasing hosted infrastructure that is contracted to third-party providers located elsewhere,” said Eero Oksa, IT Director for METSO.
95% of ICT decision-makers believe location matters when it comes to storing company data; 88% are also changing their cloud buying behaviour.
“NSA disclosures could significantly lower US technology sales overseas”
“Owning the data and making sure we know where it is sitting and that we can pull it back if we need to is really important,” added Richard Epstein, Head of Enterprise Architecture at Maersk Line. “Cloud computing companies have yet to provide a clear strategy about how we can do that.”
Indeed, Forrester has estimated that the NSA disclosures could lower US technology sales overseas by as much as $180 billion by 2016. “In certain areas we simply cannot use the cloud following the Snowden revelations,” confirms Olli Hyyppä, SVP and CIO for NXP Semiconductors. “Now, European clients are nervous about two things: cloud, and American cloud providers.”
And this is what it all comes back to in the end: trust. And not just trust in vendors, but trust in the governments of the countries in which they operate. There is an argument to be made that cloud providers are already better equipped to handle data security than all but the most sophisticated of customers; the question is, in a post-Snowden world, can those providers restore lost confidence in their data sovereignty strategies?
LOSING CONTROL
PETER RASMUSSEN, SVP, Danske Bank
“We used to have total control of all servers, settings and data and where they were stored, and we could go and inspect it at any time with our service provider. Moving into cloud, this is no longer the case. You have to rely on reporting, on certifications, and you have to build your security around that.”
SHIFTING SANDS
COLIN MILES, Director Enterprise Services, Virgin Media
“We need to maintain UK residence of data due to government controls, but use accredited partners to place our data in a managed private cloud. There’s a lot to recommend this approach – not least due to the significant management resource required to deal with changing government requests.”
WHO DO YOU TRUST?
MARTIN HAGEN, Head of IT, City of Bremen
“Politicians assume that if the data is in Germany then all is well, and if not then we have a problem. But from my technology-based perspective, that doesn’t make much sense, because it wasn’t just the American secret service spying on data, it was other countries too – including Germany.”
HAVE THE SNOWDEN REVELATIONS CHANGED YOUR APPROACH TO THE CLOUD?
[Infographic: six survey figures. 95% of ICT ‘decision-makers’ believe location matters when it comes to storing company data, and 88% are changing their cloud buying behaviour. The remaining four figures, 31%, 38%, 52% and 84%, cover respondents who are carrying out greater due diligence on cloud providers than ever before, are moving data to locations where the business knows it will be safe, feel they need more training on data protection laws, and are amending their procurement conditions for cloud providers; the chart’s pairing of those four figures with their statements did not survive extraction.]
Source: NTT Communications, March 2014
CHAPTER 2
CLOUD, SECURITY AND DATA SOVEREIGNTY: HOW DO YOU MANAGE THE RISKS?
By Adam Burns, Editor, MeetTheBoss TV
A wise CIO once told me the problem with regulators: “they are neither cutting edge, nor consistent”. The reality, he conceded, is that it makes no difference. Regulators are red in tooth and claw, and the smell of data breach is in their nostrils.
Of course it’s not just regulators after you. Stephen Deakin, Interim CTO for London’s Metropolitan Police, confirms what chief information security officers have been saying for years: “We are seeing organised gangs focusing on data”.
Four ways businesses are managing risk
But enough fear, uncertainty and doubt (the benefits of cloud computing hugely outweigh them anyway). Our roundtable executives are managing risks, and this is how:
1. CHANGE THE BUSINESS MINDSET
Andrew Stanton is charged with Global Infrastructure Strategy and Design for global asset management company Schroders. He sums this point up perfectly: “If we allow SaaS, anything cloud, then we have said the data will go outside of our borders. Recognise it is going to happen, educate, show true governance, do everything you can to show people the importance of data.”
2. STAY OUT OF THE SHADOWS
Find out who is using shadow IT, find out what they are using it for, and either integrate or provide an alternative. Then fix the issue that made your business turn to the dark side in the first place.
Norbert Weidinger is Deputy CIO for the City of Vienna. He has recently “formally established rules that internal customers are obliged to comply with,” and, as part of a two-part strategy, also offers in-house alternatives to services such as Dropbox. “Maybe not as sophisticated, but a lot more secure.”
3. WORK OUT WHAT’S NOT RIGHT FOR CLOUD
Bernhard Schaffrik, VP Global Enterprise Architecture with Merck, has a defined decision framework around cloud (“can it go cloud or not”). Håkan Borglund, CIO for Toyota Material Handling Europe, has ringfenced some transactional and IP data, specifically in the design area (“those systems are not going anywhere”). Schroders is trying to work to a system of concentric circles (“the centre circle is core data surrounded by procurement and contracts,” says Stanton. “The next circle is still using data from the middle, but can have analytical services. In the final, outside circle, you can create your own apps – but if you want to bring those into the core, you have to answer the long list of questions”).
4. BE A CONTRACT KILLER
Bjorn Fagerstedt, Head of Corporate IT with Scandinavian Airlines, said the company took three years to transition to a new cloud-based revenue management solution, and it put a lot of effort into “a complicated contract” that included all of the necessary mechanisms “to ensure we are fully compliant on personal data privacy, payment card industry data standards, accounting laws, etc.” Peter Rasmussen, Senior Vice President at Danske Bank, agrees: “Moving into cloud, you have to rely on reporting. You have to rely on certifications. And you have to build your security around that.” Work with your cloud service provider. Audit your cloud service provider. Are they compliant?
CHAPTER 3
A HOLISTIC APPROACH TO SECURING THE CLOUD
By Jeremy Ward, Global Development Manager, Security Consulting, HP Enterprise Services
From security to sovereignty, trust clearly remains an issue for companies looking to transition to the cloud. So how do you get assurance that your data is both safe and accessible? The answer might be to develop a more holistic approach to working with your cloud provider.
Cloud security is not what you might think. Despite media reports, many cloud security incidents are actually previously known issues with web applications and data-hosting – but at a greater scale and frequency due to the early adoption of cloud services.
Companies using cloud need to understand that they are consuming a shared resource and must, therefore, select the service that provides the levels of security and service that they need. As with most security challenges, technical solutions are only part of the puzzle. What is needed is a well-rounded approach.
ESTABLISH THE RISKS
As a starting point, a risk assessment is necessary to fully understand the impact of moving chosen applications and data to a particular cloud deployment and/or service model. This assessment must be undertaken from the viewpoint of how it affects the enterprise, not just from a security department viewpoint. The primary objective of a risk-based approach is to help an enterprise move from a reactive to a proactive stance for enterprise security, with the end goal of measurably reducing business risk.
HP has developed its ATOM risk-based methodology – assess, transform, optimise, manage – to help enable enterprises to achieve these goals. We assess your risk tolerance profile, compliance requirements, operational requirements, organisational capabilities, and resources. We typically do this within short HP Cloud and HP Security Discovery Workshops. We then look to transform your environments, structuring and prioritising security issues and undertaking remediation projects with you. Next, we optimise the environment and also broaden your level of security awareness. Our experts proactively recommend operational and process improvements that can deliver an optimised security and risk posture. Finally, we manage security transformation programs that deliver security in the most effective way for the enterprise, adopting proven security technologies and flexible sourcing models.
INFORMATION-CENTRIC APPLICATIONS
The next thing to consider is that existing applications were not designed to run in a potentially hostile environment. The dynamic behaviour and public environment of cloud implicitly require that data and applications be self-defending, and be information-centric. As such, application developers need to adopt an information-centric approach to securing critical applications and data in the cloud by focusing on confidentiality, integrity and availability.
Developing applications with security already designed in dramatically reduces the risk of vulnerabilities and produces solutions that have greater security assurance at lower cost. And by addressing new attack surfaces early in the design cycle with a security requirements analysis, security maintenance and remediation needs are reduced during the testing and operational phases.
AUDIT AND COMPLIANCE
In today’s highly regulated environment, and in a post-Snowden world where data sovereignty requirements are top-of-mind, a dynamic cloud-based services environment needs continual and ongoing audit and compliance management. A traditional regime of annual or monthly audits becomes meaningless in an environment that changes completely on a daily or hourly basis.
To comply with policy and legislation such as the EU Data Protection Directive, GLBA, HIPAA, and export compliance controls such as ITAR, enterprises require continuously running audit and compliance monitoring. Continuous monitoring is also crucial for enabling forensic examination and analysis if a security breach or disclosure occurs. What is more, this information must be available in real time to facilitate rapid response, notification and containment measures.
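The difference between an annual audit and continuous compliance monitoring is easiest to see in code. What follows is an added example, not HP's or MeetTheBoss TV's code and not part of the ATOM methodology: a small Python checker that evaluates a cloud resource inventory against a data-residency policy and reports what changed between two consecutive inventory snapshots, which is exactly what a yearly audit would miss. The policy, the region names, the classification labels and both inventory snapshots are constructed for illustration; in a real deployment the inventory would be pulled from the provider's API on every run.

```python
"""Continuous data-residency compliance check.

Added example, not HP's or MeetTheBoss TV's code. Everything below
(policy, regions, classifications, inventory snapshots) is constructed
for illustration; a real run would pull the inventory from the cloud
provider's API on each iteration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Residency policy (constructed): data classification -> regions where it
# may reside. None means no geographic restriction.
RESIDENCY_POLICY: Dict[str, Optional[Set[str]]] = {
    "personal-data": {"eu-west-1", "eu-central-1"},
    "payment-card": {"eu-central-1"},
    "public": None,
}


@dataclass(frozen=True)
class Resource:
    """One storage resource as reported by an inventory pull (constructed)."""
    resource_id: str
    classification: str
    region: str
    encrypted_at_rest: bool


@dataclass(frozen=True)
class Finding:
    """A policy violation; frozen so findings can be set-compared across runs."""
    resource_id: str
    rule: str      # "residency", "encryption" or "unclassified"
    detail: str


def evaluate(inventory: List[Resource],
             policy: Dict[str, Optional[Set[str]]] = RESIDENCY_POLICY) -> List[Finding]:
    """Evaluate one inventory snapshot against the residency policy."""
    findings: List[Finding] = []
    for r in inventory:
        if r.classification not in policy:
            # Data nobody has classified cannot be shown compliant: flag it.
            findings.append(Finding(r.resource_id, "unclassified",
                                    f"classification '{r.classification}' has no policy entry"))
            continue
        allowed = policy[r.classification]
        if allowed is not None and r.region not in allowed:
            findings.append(Finding(r.resource_id, "residency",
                                    f"{r.classification} stored in {r.region}; allowed: {sorted(allowed)}"))
        if r.classification != "public" and not r.encrypted_at_rest:
            findings.append(Finding(r.resource_id, "encryption",
                                    "non-public data is not encrypted at rest"))
    return findings


def diff_findings(previous: List[Finding],
                  current: List[Finding]) -> Tuple[List[Finding], List[Finding]]:
    """Return (new, resolved) findings between two consecutive evaluations."""
    def key(f: Finding):
        return (f.resource_id, f.rule)
    prev, curr = set(previous), set(current)
    return sorted(curr - prev, key=key), sorted(prev - curr, key=key)


# Constructed snapshots. Between T0 and T1 an operations change replicates the
# customer database to a US region and a session cache lands on an
# unencrypted volume; neither would be seen by an annual audit.
SNAPSHOT_T0 = [
    Resource("customer-db", "personal-data", "eu-central-1", True),
    Resource("payments-vault", "payment-card", "eu-central-1", True),
    Resource("marketing-site", "public", "us-east-1", False),
    Resource("legacy-share", "archive", "eu-west-1", True),  # never classified
]
SNAPSHOT_T1 = SNAPSHOT_T0 + [
    Resource("customer-db-replica", "personal-data", "us-east-1", True),
    Resource("session-cache", "personal-data", "eu-west-1", False),
]

if __name__ == "__main__":
    new, resolved = diff_findings(evaluate(SNAPSHOT_T0), evaluate(SNAPSHOT_T1))
    for f in new:
        print(f"NEW      {f.resource_id:<20} {f.rule:<12} {f.detail}")
    for f in resolved:
        print(f"RESOLVED {f.resource_id:<20} {f.rule}")
```

Run as a script, the block reports the two findings that appear only in the second snapshot: personal data replicated into a region outside the allowed set, and a cache holding personal data on an unencrypted volume. The unclassified legacy share is flagged in both snapshots, so it is neither new nor resolved; it stays a standing finding until someone classifies it. Comparing findings snapshot to snapshot, rather than reporting once a year, is what lets a replica that exists for only a day still show up on the run that sees it, and it is the same record a forensic examiner would want after a disclosure.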
FINDING THE RIGHT PARTNER
The use of cloud services significantly alters an enterprise’s ability to exert strict controls over infrastructure, storage and network security measures. Therefore, the choice of cloud provider is critical to your success. Enterprises should conduct rigorous due-diligence assessments of the selected service providers’ infrastructure security policies as part of service sourcing and contract negotiations.
Do they offer an appropriate review of legal issues, dedicated infrastructure and select in-country hosting? Are they compliant with the requirements of the US Patriot Act and the EU’s Safe Harbour Framework? Can they ensure that transferring data across national borders is done only in accordance with the needs of the data’s owner and applicable local laws? These are the types of questions you should be asking of your provider.
You need to be clear about where your data resides, and where the risks lie. Only by taking a holistic approach to the cloud can you gain that level of assurance.
HOLISTIC CLOUD SECURITY
[Diagram: four elements of holistic cloud security. Establish a risk-based approach; design or convert applications to securely run in the cloud; implement ongoing auditing and management; assess infrastructure and platform security during service sourcing.]
SUMMARY
WHAT WE LEARNED
1. ADDRESS THE TRUST ISSUE
CIOs want assurances over where data sits and who has jurisdiction over it. “It’s a question of how much do you potentially expose your IP if you put it on public cloud? That makes people nervous,” says Laurent De Haas, CTO and VP for Global IT at Electrolux. Establish what your appetite for cloud is, and what you’re comfortable putting in the cloud. Involve business and legal units in the process.
2. MANAGE YOUR RISKS
Conducting a thorough risk analysis is an essential part of any cloud strategy. “Every enterprise or public entity needs to do their own risk assessment,” explains Katarina De Brisis, Deputy Director General at Norway’s Ministry for Local Government and Modernisation. “What kind of data is it, what is the application, and what kind of cloud services are you looking at?”
3. BEWARE SHIFTING SANDS
A key challenge is the pace of change. Re-evaluating policies, procedures and strategies on a regular basis will be critical to gaining the all-important visibility required to meet compliance and regulatory demands. As Merck’s Bernhard Schaffrik puts it: “I need a dedicated outsourcing contract that allows me the kind of transparency I am legally required to have.” Constant monitoring is key.
4. FIND THE RIGHT PARTNERS
Expectations are rising as cloud usage becomes more pervasive – which is putting increasing pressure on vendors to deliver. “Every time we try to buy a cloud service, we have to explain to the provider how to be secure,” complains Richard Copley, Head of Corporate ICT for Rotherham Metropolitan Borough Council. Finding vendors that can meet these rising expectations will be vital.
5. READ THE SMALL PRINT
You’ve found a partner: the next step is to establish baseline expectations of what that relationship entails. Service levels can differ significantly between providers. “Contracts and SLAs are important today; they will become even more important tomorrow,” asserts Joan Ignasi Grau, CIO at Spanish casino giant CIRSA. Do your due diligence upfront, and save yourself a service headache later.
6. THE FUTURE IS HYBRID
To meet heightened requirements around data privacy and security, organisations should carefully consider the best option between private and public cloud for each application or workload. If you need to define a very specific environment for your application, to tightly control that environment and have greater control over data, private clouds are better; if you’re after lower costs, immediate access and standard SLAs, then consider public cloud providers. In reality, your approach is likely to be hybrid.
Now cloud moves the merchandise. Now cloud shows you the money.
Starting today, cloud lives up to its promise.
Introducing HP Helion. It’s a flexible fabric that unifies public, private, and hybrid cloud solutions with your existing IT. It accelerates innovation by enhancing OpenStack® technology with new levels of manageability, security, and support. And it extends HP’s leadership in private cloud, already trusted by more than ⅓ of the Fortune 100, through an expansion of our overall cloud services and infrastructure around the world. Now cloud runs through your enterprise. To move the merchandise and close the sale. To empower government and transform the classroom. To help you test faster, learn faster, and succeed faster. See how to run HP Helion through your organization at hp.com/helion
Looking for real Cloud Stories? Visit hp-cloudstories and join us on @cloud_stories