BT Assure

Riding technology waves

Finding the sunshine in the cloud
“You think about technology waves, and every once in a while you get one that you know is meaningful, that actually changes the way companies spend their money and invest in solutions; it actually changes the way the tech industry itself is shaped — and cloud computing is one of those things.”
Ted Schadler, vice president and principal analyst, Forrester Research.
We can see clearly now, the haze has gone

Cloud is here to stay; more and more organisations are using cloud services — no great surprise when every business is looking to make efficiency and cost savings in these difficult times.

Cloud computing is a top-of-mind consideration for most CIOs, with most organisations looking to the cloud for ‘extension’ — the capability to take their business in new directions faster — rather than simply as a method of cost management.

The benefits of moving to cloud architecture are widely accepted and potentially huge:

• Increased agility due to rapid provisioning and de-provisioning of resources;
• Significantly-reduced capital expenditure and fixed costs;
• A faster return on investment thanks to pay-as-you-use commercial models;
• Easy availability of services to a mobile workforce;
• Less time spent managing technology and software and more time spent managing information and data to drive business innovations.

And now the hype haze has cleared we have a much clearer picture of how to get the best from the cloud — and what could be holding back take-up.
Are you in the cloud without knowing it?

Although just over half of businesses state they’re now using the cloud¹, this figure is conscious use; in reality more businesses are using the cloud (every time they access something hosted remotely) just without giving it that specific label.

It’s rarely an all-or-nothing decision; cloud deployment is far more likely to be on a project-by-project basis:

• Opportunities to try out new business areas that would otherwise be beyond the budget available.
• Sharing internal services and resources more effectively, enabling a more collaborative way of working.
• Increasing work force mobility.
• Rapid, low-cost introduction of new trading points.
• Sharing the cost of control and regulation of big data with other user organisations.

The need for a cost-effective solution to these scenarios (and others) pushes organisations into cloud acceptance, often without widespread recognition of the fact.
The cloud needs a different, conscious approach

This is a crucial time for those managing IT. The cloud computing and consumerisation (BYOD) technology waves are changing the distribution of IT control: users are taking more control of the devices they use; business managers are taking more control of the budgets; and service suppliers are taking more control of the data they handle.

CIOs and IT managers wanting to contribute to their organisation’s acceleration in 2012 need to be able to coordinate these different elements in a much wider scope than previously in order to retain control; it’s time to adapt or be swept aside.

Is the security issue holding back cloud take-up?

Not really; it’s more a question of trust.

To use cloud services CIOs and IT managers have to put their organisation’s data in others’ hands, and this creates concerns about a perceived lack of control.

In fact the way you exercise control is through your security policies, and this does not change at all with a cloud deployment; even when you owned all your organisation’s computers and controlled all its hardware, you had to trust vendors, service providers, outsourcers, suppliers, governments, and your co-workers, and your security policy always defined your organisation’s security posture.

All that’s happening now is that the relatively new model of the cloud is highlighting the trust-control and security policy issue afresh.

What CIOs and IT managers need to cultivate is mindful trust — being aware that exploiting the cloud requires trust and a careful assessment of where to place it. Mindful delegation of responsibility frees the IT professional to take on a more strategic role within the organisation.
Successful cloud is all about pragmatic trade-offs

The decision to go to the cloud should always be as a result of practical and balanced benefit-risk assessments to reveal the true value of cloud services to your organisation.

This may involve new ways of thinking; traditional ICT approaches focus on owning and controlling resources, assets and contracts for specified services — but the cloud allows a shift beyond that, to a focus on accessing evolving services.

Part of the pragmatic trade-off is identifying and tackling the biggest security concerns associated with the cloud: corporate data confidentiality, privacy and the integrity of services and/or data².

Finding the right trade-off for your organisation involves determining your organisation’s appetite for risk and then facilitating the cultural move from a zero-risk/zero-breach mentality to a predict-and-prevent/risk-resilient mentality.

Above all, a successful cloud policy depends on a realistic view about the trade-offs you’re making.

Determine your risk appetite to make the cloud work for you

Jeff Schmidt, Executive Global Head of Business Continuity, Security & Governance, BT Global Services

“Enterprises often take a blanket approach to information security. Some try to protect everything against every imaginable threat (sometimes at tremendous expense). Others spread whatever they can afford evenly, hoping — praying — this will keep attackers at bay.

Instead you should define your risk appetite — the amount of risk you’re prepared to take in each area of your operations, from your interfaces with customers and suppliers to the ‘inner sanctums’ that hold your most valuable assets. That done, you can start to think not just about the defences you need to put in place, but the processes you need to enforce the security policy you’ve set out.

And when everything’s in place, you need to check that it works.”

• Determine your risk appetite.
• Build appropriate defences.
• Test to validate, ideally with ethical hacking.
• Continue to ‘rinse and repeat’ to have a best-of-breed security programme.
Eight essentials to keep your data secure in the cloud

1. Plan and research.
Understand exactly what you want to achieve and work out what type of data you want to move to the cloud. Research the market and the different services, service level agreements and security features available. Investigate hosting and find out the regulatory implications of data being stored in different countries.

2. Look for a supplier you can trust.
You need a relationship grounded in a shared understanding of accountabilities and expectations. The choice will not just be about whether a supplier can provide a service within desired cost and time parameters. Rather, the choice will confirm that they will do it with the same care you provide when doing it yourself.

3. Outsource responsibility responsibly.
Use the tools that are there to protect your organisation against risks — contracts, governance frameworks, due diligence procedures and insurance policies.

4. Put your prospective supplier under the microscope.
Find out who within the supplier organisation will have access to your data; ask for audit logs, details of compliance certification, or info about a recent audit that they can share.

5. Prepare for cloud culture.
The automated interface of many cloud services can feel alien to IT departments used to dealing with people within supplier organisations. Procurement, legal or commercial teams can also find the pay-as-you-go contracting model of cloud services demanding. Work to help these teams understand the value of the cloud, or they may become strategic barriers. Create higher levels of security literacy amongst your people. Give them the understanding they need to react in the right way to new situations; it’s about helping them think things through rather than blindly following rules.

6. Protect your data.
Use strong authentication. Encrypt your data when stored and transmitted and keep access to your encryption keys within your organisation. Make sure data no longer needed is permanently erased from computer memory and storage.

7. Prepare to prevent DDoS attacks.
Attack via denial of access to legitimate users is relatively common. However, with the right planning, cloud systems are highly resilient against simple flood attacks and excel at ramping up more bandwidth and resources in the face of gigabytes of malicious traffic.

8. Review regularly.
Seek independent audits of suppliers’ offerings, to ensure they are still the best-in-class and best fit for your needs. Test your systems and procedures, and remember to review the human elements too.
A cloudy future

Gartner predicts that by the end of 2016 more than 50 per cent of Global 1000 companies will be storing customer-sensitive data in the public cloud. What’s more, it estimates that more than 20 per cent of organisations have already begun to selectively store their customer-sensitive data in a hybrid architecture that’s a combined deployment of an on-premise solution and a private and/or public cloud provider³.

Half of business decision-makers surveyed said they would be willing to consider using the cloud if they knew more about how their data would be secured⁴.

The cloud is ready; challenge your cloud provider to help you make sure what’s proposed matches your risk appetite and that you have the cyber-security measures in place to cover your cloud activity.

BT Assure brings you powerful security and risk management products to build a sustainable business with added security and resilience in every process. BT Assure combines the necessary elements of IT security management with the seamless transition between cloud, hosted, and on-premise — offering well-built solutions to complex problems that are adaptable to the most elaborate network environments in the world.

We can help you with all aspects of security, including the issues raised by the cloud. Please get in touch if you’d like to find out more.
¹ Cloud Industry Forum, 2011.
² EU Network and Information Security Agency (ENISA).
³ Gartner’s Top Predictions for IT Organizations and Users, 2012 and Beyond: Control Slips Away.
⁴ Trend Micro research.