Expert Chat with HP on How Understanding Security Makes it an Enabler, Rather than an Inhibitor, of Cloud Adoption
Transcript of a BriefingsDirect podcast on the role of security in moving to the cloud and how sound security practices can make adoption easier. Sponsor: HP. View the full Expert Chat presentation on cloud adoption best practices.

Dana Gardner: Welcome to a special BriefingsDirect presentation, a sponsored podcast created from a recent HP Expert Chat discussion on best practices for protecting cloud-computing implementations and their use. Business leaders clearly want to exploit the cloud values that earn them results fast, but they also fear the risks perceived in moving to cloud models rashly. It now falls to CIOs to not only rapidly adapt to cloud, but find the ways to protect their employees and customers, even as security threats grow. This is a serious but not insurmountable challenge.

This is Dana Gardner, Principal Analyst at Interarbor Solutions. To help find out how to best implement protected cloud models, I recently moderated an HP Expert Chat session with Tari Schreider, HP Chief Architect of HP Technology Consulting and IT Assurance Practice. Tari is a Distinguished Technologist with 30 years of IT and cyber security experience, and he has designed, built, and managed some of the world's largest information protection programs.

In our discussion, you'll hear the latest recommendations for how to enable and protect the many cloud models being considered by companies the world over. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

As part of our chat, we were also joined by three other HP experts: Lois Boliek, World Wide Manager in the HP IT Assurance Program; Jan De Clercq, World Wide IT Solution Architect in the HP IT Assurance Program; and Luis Buezo, HP IT Assurance Program Lead for EMEA.

Our discussion begins with a brief overview from me of the cloud market and current adoption risks.
We'll begin by looking at why cloud and hybrid computing are of such great interest to businesses and why security concerns may be unnecessarily holding them back.
If you understand the security risk, gain a detailed understanding of your own infrastructure, and follow proven reference architectures and methods, security can move from an inhibitor of cloud adoption to an enabler.

Cloud has clearly sparked the imagination of business leaders, and many see it now as essential. Part of that is because the speed of business execution, especially the need for creating innovations that span corporate boundaries and extend across business ecosystems, has made this a top priority for corporations.

Every survey that I've seen and every panelist that I've talked to is saying that the cloud is elevating in terms of priority, and a lot of it has to do with the agility benefits. There is a rush to be innovative and to be a first mover. That also puts a lot of pressure on the business people inside these companies, and they have been intrigued by cloud computing as a means of getting them where they need to go fast.

This now means that the center of gravity for IT services is shifting towards the enterprise's boundaries, moving increasingly outside of their firewalls, and therefore beyond the traditional control of IT.

Protection risks

Business leaders want to exploit the cloud values that bring them productivity results fast, but IT leaders think that the protection risk perceived in moving to cloud models could come back to bite them. They need to be aware and maybe even put the brakes on in order to do this correctly. So it now falls on CIOs and other leaders in IT not only to rapidly adopt cloud models, but to quickly find the means to make cloud use protected for operations, data, processes, intellectual property, their employees, and their customers, even as security and cyber threats ramp up.

We'll now hear from HP experts from your region about meeting these challenges and obtaining the business payoffs by making the transition to cloud enablement securely.
Now is the time for making preparation for successful cloud use. We're going to be hearing specifically about how HP suggests that you best understand the transition to cloud-protected enablement. Please join me now in welcoming our main speaker, Tari Schreider. Tari, please tell us more about how we can get into the cloud and do it with low risk.

Tari Schreider: It's always a pleasure to be able to sit with you and chat about some of the technology issues of the day, and certainly cloud computing protection is the topic that's top of mind for many of our customers.
I want to begin by talking about the four immutable laws of cloud security. For those of you who have been involved in information security over time, you understand that there is a certain level of immutability that is inherent in security. These are things that will always be, things that will never change; it is a state of being. When we started working on building clouds at HP a few years ago, we were also required to apply data protection and security controls around those platforms we built. We understood that the same immutable laws that apply to security, business continuity, and disaster recovery extended into the cloud world.

First is an understanding that if your data is hosted in the cloud, you no longer directly control its privacy and protection. You're going to have to give up a bit of control in order to achieve the agility, performance, and cost savings that a cloud ecosystem provides you.

The next immutable law is that when your data is burst into the cloud, you no longer directly control where the data resides or is processed.

One of the benefits of cloud-based computing is that you don't have to have all of the resources at any one particular time. In order to control your costs, you want to have an infrastructure that supports you for daily business operations, but there are ebbs and flows to that. This is the whole purpose of cloud bursting. For those of you who are familiar with grid-based computing, the models are principally the same.

Different locations

Rather than your data being in one or maybe a secondary location, it could actually be in 5, 10, or maybe 30 different locations because of bursting, and also be under the jurisdiction of many different rules and regulations, something that we're going to talk about in just a little bit.

The next immutable law is that if your security controls are not contractually committed to, then you may not have any legal standing in terms of the control over your data or your assets.
You may feel that you have the most comprehensive security policy that is rigorously reviewed by your legal department, but if that is not ensconced in the terminology of the agreement with a service provider, then you don't have the standing that you may have thought you had.

The last immutable law is that if you don't extend your current security policies and controls into the cloud computing platform, you're more than likely going to be compromised.

You want to resist trying to create two entirely separate, disparate security programs and policy manuals. Cloud-based computing is an attribute on the Internet. Your data and your assets are the same. It's where they reside and how they're being accessed where there is a big change. We strongly recommend that you build that into your existing information security program.
Gardner: Tari, these are clearly some significant building blocks in moving towards cloud activities, but as we think about that, what are the top security threats from your perspective? What should we be most concerned about?

Schreider: Dana, we have the opportunity to work with many of our customers who, from time to time, experience breaches of security. As you might imagine, HP, a very large organization, has literally hundreds of thousands of customers around the world. This provides us with a unique vantage point to be able to study the morphology of cloud computing platform security, outages, and security events.

One of the things that we also do is take the pulse of our customer base. We want to know what's keeping them up at night. What are the things that they're most concerned with? Generally, we find that there is a gap between what actually happens and what people believe could happen.

I want to share with you something that we feel is particularly poignant, because it is a direct interlock between what we're seeing actually happening in the industry and also what keeps our clients up late at night.

First and foremost, there's the ensured continuity of the cloud-computing platform. The reason to move to cloud is for making data and assets available anywhere, anytime, and also being able to have people from around the world accept that data and be able to solve business needs.

If the cloud computing platform is not continuously available, then the business justification as to why you went there in the first place is significantly mooted.

Loss of GRC control

Next is the loss of span of governance, risk management, and compliance (GRC) control.
In today's environment, we can build an imperfect program and we can have a GRC management program with dominion over our assets and our information within our own environment. Unfortunately, when we start extending this out into a cloud ecosystem, whether private, public, or hybrid, we don't necessarily have the same span of control that we have had before. This requires some delicate orchestration between multiple parties to ensure that you have the right governance controls in place.

The next is data privacy. Much has been written on data privacy and protection across the cloud ecosystem. Today, you may have a data privacy program that's designed to address the security and privacy laws of your specific country or the particular state that you might reside in.

However, when you're moving into a cloud environment, that data can now be moved or burst anywhere in the world, which means that you could be violating data-privacy laws in another country unwittingly. This is something that clients want to make sure that they address, so it does not come back in terms of fines or regulatory penalties.
Mobility access is the key to the enablement of the power of the cloud. It could be a bring-your-own-device (BYOD) scenario, or it could be devices that are corporately managed. Basically you want to provide the data and put it in the hands of the people.

Whether they're out on an oil platform and they need access to data, or whether it's the sales force that needs access to Salesforce.com data on BlackBerrys, the fact remains that the data in the cloud has to land on those mobile devices, and security is an integral part.

You may be the owner of the data, but there are many custodians of the data in a cloud ecosystem. You have to make sure that you have an incident-response plan that recognizes the roles and responsibilities between owner and custodian.

Gardner: Tari, the notion of getting control over your cloud activities is important, but a lot of people get caught up in the devil in the details. We know that cloud regulations and laws change from region to region, country to country, and in many cases, even within companies themselves. What is your advice, when we start to look at these detailed issues and all of the variables in the cloud?

Schreider: Dana, that is a central preoccupation of law firms, courts, and regulatory bodies today. What tenets of law apply to data that resides in the cloud? I want to talk about a couple of areas that we think are the most crucial when putting together a program to secure data from a privacy perspective.

Just as you have to have order in the courts, you have to have order in the clouds. First and foremost, and I alluded to this earlier, is that the terms and conditions of the cloud computing services are really what adjudicate the rights, roles, and responsibilities between a data owner and a data custodian.

Choice of law

However, within that is the concept of choice of law.
This means that, wherever the breach of security occurs, the courts can actually go to the choice of law, which means whatever is the law of the land where the data resides, in order to determine who is at fault and in breach of security.

This is also true for data privacy. If your data resides in your home location, is that the choice of law by which you follow the data privacy standards? Or if your data is burst, how long does this have to be in that other jurisdiction before it is covered by that choice of law? In either case, it is a particularly tricky situation to ensure that you understand what rules and regulations apply to you.

The next one is transborder data flow triggers. This is an interesting concept, because when your data moves, if you do a data-flow analysis for a cloud ecosystem, you'll find that the data can actually go across various borders, going from jurisdiction to jurisdiction.
The data may be created in one jurisdiction. It may be sent to another jurisdiction for processing and analysis, and then may be sent to another location for storage, for intermediate use, and yet a fourth location for backup, and then possibly a fifth location for a recovery site.

This is not an atypical example. You could have five triggering events across five different borders. So you have to understand the legal obligations in multiple jurisdictions.

The next one is reasonable security, which is, under the law, what would a prudent person do? What is reasonable under the choice of law for that particular country? When you're putting together your own private cloud, in which you may have a federated client base, this ostensibly makes you a cloud service provider (CSP).

Or, in an environment where you are using several CSPs, what are the data integrity disclaimers? The onus is predominantly placed on the owner of the data for the integrity of the data, and after careful crafting of terms and conditions, the CSP basically wants no direct responsibility for maintaining the integrity of that data.

When we talk about who owns the data, there is an interesting concept, and there are a few test cases that are coursing their way through various courts. It's called the Berne Convention.

In the late 1990s, there were a number of countries that got together and said, "Information is flowing all over the place. We understand copyright protection for works of art and for songs and those types of things, but let's take it a step further."

In the context of a cloud, could not the employees of an organization be considered authors, and could not the data they produce be considered work? Therefore wouldn't it be covered by the Berne Convention, and therefore be covered under standard international copyright laws?
This is also something that's interesting.

Modify policies

The reason that I bring this to your attention is that it is this kind of analysis that you should do with your own legal counsel to make sure that you understand the full scope of what's required and modify your existing security policies.

The last point is around electronic evidence and eDiscovery. This is interesting. In some cases it can be a dual-edged sword. If I have custody of the data, then it is open under the rules of discovery. They can actually request that I produce that information.

However, if I don't directly have control of that data, then I don't have the right, or I don't have the obligation, to turn it over under eDiscovery. So you have to understand what rules and regulations apply where the data is, and that, in some cases, it could actually work to your advantage.
Gardner: So we've identified some major building blocks for safe and proper cloud, and we have identified the concerns that people should have as they go into this. We understand there is a lot of detail involved. What are the risks in terms of what we should prioritize? How should we create a triage effect, if you will, in identifying what's most important from that risk perspective?

Schreider: There are certainly unique risks that are extant to a cloud computing environment. However, one has to understand where that demarcation point is between a current risk register, or threat inventory, for assets that have already been classified and those that are unique to a cloud-computing environment.

Much has been said about uniqueness, but at the end of the day, there are only a handful of truly unique threats. In many cases, they've been reconstituted from what is classically known as the top 20 types of threats and vulnerabilities to affect an organization.

If you have an asset, an application, and data, they're vulnerable. It is the manner or the vector by which they become vulnerable and can be compromised that comes from some idiosyncrasies in a cloud-computing environment.

One of the things that we like to do at HP for our own cloud environment, as well as for our customers, is to avail ourselves of the body of work that has been done through the European Network and Information Security Agency (ENISA), the US National Institute of Standards and Technology (NIST), and the Cloud Security Alliance (CSA) in understanding the types of threats that have been vetted internationally and are recognized as the threats that are most likely to occur within our environment.

We're strong believers in qualitative risk assessments and using a Facilitated Risk Assessment Process (FRAP), where we simply want to understand the big picture. NIST has published a great model, a nine-box chart, where you can determine where the risk is to your cloud computing environment.
You can use it to plot impact from high to low against likelihood from high to low as well.

So in a very graphical form, we can present to executives of an organization where we feel we have the greatest threats. You'd have to have several overlays and templates for this, because you're going to have multiple constituencies in an ecosystem for a cloud. So you're going to have different views of this.

Different risk profiles

Your risk profile may be different if you are the custodian, versus the risk profile if you're the owner of the data. This is something that you can very easily put together and present to your executives. It allows you to model the safeguards and controls to protect the cloud ecosystem.

Gardner: We certainly know that there is a great deal of opportunity for cloud models, but unfortunately, there is also a significant downside when things don't go well. You're exposed.
You're branded in front of people. Social media allows people to share issues when they arise. What can we learn from the unfortunate public issues that have cropped up in the past few years that allows us to take steps to prevent that from happening to us?

Schreider: These are all public events. We've all read about these events over the last 16-18 months, and some of them have occurred within just the last 30 days or so. This is not to admonish anybody, but basically to applaud these companies that have come forward in the interest of security. They've shared their postmortem of what worked and what didn't work.

What goes up can certainly come down. Regardless of the amount of investment that one can put into protecting their cloud computing environment, nobody is immune, whether it's a significant and pervasive hacking attempt against an organization, where sensitive data is exfiltrated, or whether it is a service-oriented cloud platform that has an outage that prevents people from being able to board a plane.

When an outage happens in your cloud computing environment, it definitely has a reverberation effect. It's almost a digital quake, because it can affect people from around the world.

One of the things that I mentioned before is that we're very fortunate that we have the opportunity to look at disaster events and breaches of security and study what worked and what didn't.

I've put together a little model that would reanalyze the storm damage, if you look at the types of major events that have occurred. I've looked at the control construct that would exist, or should exist, in a private cloud and the control construct that should exist in a public cloud, and of course in a hybrid cloud.
It's the convergence of the two, and we would be able to mix and match those.

If you have a situation where you have an external threat that infiltrates an application, hacks into it, compromises an application, in a private cloud environment, you want to make sure that you have a secure system development lifecycle methodology to ensure that the application is secure and has been tested for all conventional threats and vulnerabilities.

In a public cloud environment, you normally don't have that same avenue available to you. So you want to make sure that you either have presented to you, or have done on behalf of the service provider, a web-application security review and an external threat and vulnerability test.

In a cloud environment, where you are dealing with the situation of grouping many different customers and users together, you have to have a basis to be able to segregate data and operations, so that one of them doesn't affect everybody.
Multi-tenancy strategies

In a private cloud environment, you would set up your security zones and segmentation, but in the public cloud environment, you would have your multi-tenancy strategies in place and you would make sure that you work with that service provider to ensure that they had the right layers of security to protect you in a multi-tenant environment.

Data encryption is critical. One of the things you're going to find is that the difference with a private cloud is that it's your responsibility to provide the data encryption.

Most public cloud providers don't provide data encryption. If they do, then it's as a service. You end up in a dedicated model as opposed to a shared model, and it's more expensive. But the protection of that data from the encryption perspective is generally going to lie with the owner.

The difference with disaster recovery is that physical assets need to be recovered from a DR perspective, versus business continuity to make sure that you can cover your business by the CSP.

As you can see, the list goes on. There's a definite correlation, with some slight nuances, between cloud computing incidents that affect a private cloud versus a public cloud.

Gardner: Tari, we've talked about the ills. We've talked about cloud protection. What about the remediation and the prescription? How can we get on top of this?

Schreider: As we get towards the end and open it up for questions for our experts to answer specific questions for those who have attended, I'll share with you what we do at HP, because we do believe in eating our own dog food.

First and foremost, we understand that the cloud computing environment can be a bit chaotic. It can be very gelatinous. You never really know where your perimeter is. Your perimeter is defined by the mobility devices, and you have many different moving parts.

We're a great believer that you need a structure to bring order to that chaos.
So we're very fortunate to have one of the authors of HP's Cloud Protection Reference Architecture, Jan De Clercq, on with us today. I encourage people to please take advantage of that and ask any architecture questions of him.

But as you can see here, we cleanly defined the types of security that should exist within the access device zone, the types of security that are going to be unique to the model for software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS), and how that interacts with a virtualized environment. Having access to this information is very crucial.
Unique perspective

The other thing we also understand is that we have to bring in service providers who have a unique perspective on security. One of those partners that we've chosen to help build our cloud reference architecture with is Symantec.

The next thing that I want to share with you is that it's also an immutable law that the level of investment that you make in protecting your cloud environment should be commensurate with the value of the assets that are being burst or hosted in that cloud environment.

At HP, we work with HP Labs and our Information Technology Assurance practice. We've put together what is now a patent-pending model on how to analyze the security controls and their level of maturity, in contrast to the threat posture of an organization, to be able to arrive at the right layer of investment to protect your environment.

We can look at the value of the assets. We can take a look at your budget. We can also do a what-if analysis. If you're going to have a 10 percent cut in your budget, which security controls can you most likely cut that will have the least amount of impact on your threat posture?

The last point that I want to talk about, before we open it up to the experts, is that we talked a little bit about the architecture, but I really wanted to emphasize the framework. HP is a founding member in ITIL, a principal provider of ITSM-type services. We are on CSA standards bodies. We've written a number of chapters. We believe that you need to have a very cohesive protection framework for your cloud computing environment.

We're a big believer, whether it's cloud or just in security, in having an information technology architecture that's defined by layers. What is the business rationale for the cloud and what are we trying to protect? How should it work together functionally?
Technically, what types of products and services will we use, and then how will it all be implemented?

We also have a suite of products that we can bring to our cloud computing environment to ensure that we're securing and providing governance, securing applications, and then also trying to detect breaches of security. I've talked about our reference architecture.

Something that's also unique is our P5 Model, where basically we look at the cloud computing controls and we have an abstraction of five characteristics that should be true to ensure that they are deployed correctly.

As I mentioned before, we're either a principal member, contributing member, or founding member of virtually every cloud security standards organization that's out there. Once again, we can't do it by ourselves, and that's why we have strategic partners with the VMwares and the Symantecs of the world.

Gardner: Okay. Now, we're going to head over to our experts who are going to take questions.
I'd like to direct the first one to Luis Buezo, joining us from Spain. There's a question here about key challenges regarding the data lifecycle specifically. How do you view that? What are some of the issues about securing data, even across the data lifecycle?

Key challenges

Luis Buezo: Based on CSA recommendations, we're not only talking about data security related to confidentiality, integrity, and availability, but there are other key challenges in the cloud, like location of the data, to guarantee that the geographical locations are permitted by regulations. There's data permanence, in order to guarantee that data is effectively removed, for example, when moving from one CSP to a new one, or data backup and recovery schemes. Don't assume that cloud-based data is backed up by default. There are also data discovery capabilities to ensure that all data requested by authorities can be retrieved.

Another example is data aggregation and inference issues. This will be implemented to prevent revealing protected information. So there are many issues with having data lifecycle management.

Gardner: Our next question should go to Jan. The inquiry is about being cloud ready for dealing with confidential company data. How do you come down on that?

Jan De Clercq: HP's vision on that is that we think that many cloud services today are not always ready for letting organizations store their confidential or important data. That's why we recommend to organizations, before they consider moving data into the cloud, to always do a very good risk assessment. They should make sure that they clearly understand the value of their data, but also understand the risks that can occur to that data in the cloud provider's environment.
Then, based on those three things, they can determine whether they should move their data into the cloud.

We also recommend that consumers get clear insights from the CSP on exactly where their organization's data is stored and processed, and where it travels inside the network environment of the cloud provider.

As a consumer you need to get a complete view on what's done with your data and how the CSP is protecting it.

Gardner: Okay. Jan, here is another one I'd like to direct to you. What are the essential data protection security controls that they should look for from their provider?
De Clercq: It's important that you have security controls in place that protect the entire data lifecycle. By data lifecycle we mean from the moment that the data is created to the moment that the data is destroyed.

Data creation

When data is created, it's important that you have a data classification solution in place and that you apply proper access controls to the data. When the data is stored, you need confidentiality, integrity, and availability protection mechanisms in place. Then, you need to look at things like encryption tools and information rights management tools.

When the data is in use, it's important that you have proper access control in place, so that you can make sure that only authorized people can access the data. When the data is shared, or when it's sent to another environment, it's important that you have things like information rights management or data loss prevention solutions in place.

When the data is archived, it's important that it is archived in a secured way, meaning that you have proper confidentiality, integrity, and availability protection.

When the data is destroyed, it's important, as a consumer, that you make sure that the data is really destroyed on the storage systems of your CSP. That's why you need to look at things like crypto-shredding and other data destruction tools.

Gardner: Tari, a question for you. How does cloud computing change my risk profile? It's a general subject, but do you really reduce or lose risk control when you start doing cloud?

Schreider: An interesting question, to be sure, because in some cases your risk profile could be vastly improved. In other cases, it could be significantly diminished.
If you find yourself no longer in a position to be able to invest in a hardened data center, it may be more prudent for you to move your data to a CSP that is already classified as a data-carrier grade, Tier 1 infrastructure, where they have the ability to invest the tens of millions of dollars for a hardened facility that you wouldn't normally be able to invest yourself.

On the other hand, you may have a scenario where you're using smaller CSPs that don't necessarily have that same level of rigor. We always recommend, from a strategic perspective when you are looking at application deployment, that you consider its risk profile and where best to place that application and how it affects your overall threat posture.

Gardner: Lois, the next question is for you. How can HP help clients get started, as they determine how and when to implement cloud?

Lois Boliek: We offer a full lifecycle of cloud-related services and we can help clients get started on their transition to the cloud, no matter where they are in that process.
We have the Cloud Discovery Workshop. That's where we can help customers in a very interactive work session on all aspects of considerations of the cloud, and it will result in a high-level strategy and a roadmap for helping to move forward. We also offer the Hybrid Delivery Strategy Services. That's where we drill down into all the necessary components that you need to gain business and IT alignment, and it also results in a well-defined cloud service delivery model. We also have some fast-start services. One of those is the CloudStart service, where we come in with a pre-integrated architecture to help speed up the deployment of the production-ready private cloud, and we can do that in less than 30 days.

We also offer a Cloud System Enablement service, and in this we can help fast track setting up the initial cloud service catalog development, metering, and reporting.

Gardner: Lois, I have another question here on products or the security issues. Does HP have the services to implement security in the cloud?

Boliek: Absolutely. We believe in building security into the cloud environment from the beginning through our architectures and our services. We offer something called the HP Cloud Protection Program, and what we have done is extended the cloud service offerings that I've just mentioned by addressing the cloud security threats and vulnerabilities.

We've also integrated a defense in depth approach to cloud infrastructure. We address the people, process, policies, products improved, and the P5 Model that Tari covered, and this is just to help confidently and securely build out the hybrid cloud environment.

We have service modules that are available, such as the Cloud Protection Workshop.
This is fordeep-dive discussions on all the security aspects of cloud, and it results in a high-level cloudsecurity strategy and next steps.We offer the Cloud Protection Roadmap Service, where we can deﬁne the speciﬁc controlrecommendations, also based on our P5 Model, and a roadmap that is very customized andspeciﬁc to our clients’ risk and compliance requirements.We have a Foundation Service that is also like a fast start, speciﬁc to implementing the pre-integrated, hardened cloud infrastructure, and we mitigate the most common cloud securitythreats and vulnerabilities.Then, for customers who require very speciﬁc custom security, we can do custom design andimplementation. All these services are based on the Cloud Reference Architecture that Jan andTari mentioned earlier, as well as extensive research that we do ahead of time, before coming outwith customers with our Cloud Protection Research & Development Center.
Gardner: Luis Buezo, a fairly large question, sort of a top-down one I guess. Not all levels of security would be appropriate for all applications or all data in all instances. So what are the security levels in the cloud that we should be aware of that we might be able to then align with the proper requirements for a specific activity?

Open question

Buezo: This is a very open question. Understanding the security level as the real capability to manage different threats or compliance needs, cloud computing has different possible service models, like IaaS, PaaS, or SaaS, or different deployment models -- public, private, community, or hybrid.

Regarding service models, the consumer has more potential risk and less control and flexibility in SaaS models, compared to PaaS and IaaS. But when you go to a PaaS or IaaS, the consumer is responsible for implementing more security controls to achieve the security level that he requires.

Regarding deployment models, when you go to a public cloud, the consumer will be able to contract the security level already furnished by the provider. If the consumer needs more capability to define specific security levels, he will need to go to community, private, or hybrid models.

My recommendation is that if you're looking to move to the cloud, the approach should be first to define assets for the cloud deployment and then evaluate it to know how sensitive this asset is. After this exercise, you'll be able to match the asset to potential cloud deployment models, understanding the implication of each one. At this stage, you should have an idea of the security level required to transition to the cloud.

Gardner: Jan De Clercq, our solution architect, the next question should go to you, and it's about CSPs. How can we as an organization and enterprise that consumes cloud services be sure that the CSP's infrastructure remains secure?

Clercq: It's very important that, as a consumer during the contract negotiation phase with the CSP, you get complete insight into how the CSP secures its cloud infrastructure, how it protects your data, and how it shields the environments of different customers or tenants inside this cloud.

It's also important that, as a cloud consumer, you establish very clear service level agreements with your cloud provider, to agree on who does exactly what when it comes down to security. This basically boils down to making sure that you know who takes care of things like infrastructure security controls and data protection controls.

This is not only about making sure that these controls are in place, but it's also about making sure that they are maintained and that they are maintained using proper security management and operation processes.

A third thing is that you also may want to consider monitoring tools that can cover the CSP infrastructure for checking things like availability of the service and for things like integrated security information and event management.

To check the quality of the CSP security controls, a good resource to get you started here is the questionnaire that's provided by the CSA. You can download it from their website. It is titled the "Consensus Assessments Initiative Questionnaire."

Gardner: Tari, it's such a huge question about how to rate your CSP, and unfortunately, we don't seem to have a rating agency or an insurance handicapper now to rate these on a scale of 1-5 stars. But I still want to get your input on what should I do to determine how good my service provider is when it comes to these security issues?

Incumbent on us

Schreider: I wish we did have a rating system, but unfortunately, it's still incumbent upon us to determine the veracity of the claims of security and continuity of the CSPs.

However, there are actually a number of accepted methods to gauge whether one's CSP is secure. Many organizations have had what's referred to as an attestation. Formally, most people are familiar with SAS 70, which is now SSAE 16, or you can have an ISO 27000.

Basically, you have an independent attestation body, typically an auditing firm, that will come in and test the operational efficiency and design of your security program to ensure that whatever you have declared as your control schema, maybe ISO, NIST, CSA, is properly deployed.

However, there is a fairly significant caveat here. These attestations can also be very narrowly scoped, and many of the CSPs will only attach it to a very narrow portion of their infrastructure, maybe not their entire facility, and maybe not even the application that you're a customer of.

Also, we found that many CSPs, application-as-a-service providers, don't even own their own data centers. They're actually provided elsewhere, and there also may be some support mechanisms in place. In some cases, you may have to evaluate three attestations just to have a sense of security that you have the right controls in place, or the CSP does.

Gardner: And I suppose in our marketplace, there's also an element of self-regulation, because when things don't go well, most people become aware of it and they will tend to share that information with the ecosystem that they are in.

Schreider: Absolutely.

Gardner: There's another question I'd like to direct to you, Tari. This is at an operational process level, and they are asking about their security policy manual. If they start to do more cloud activities -- private, public, or hybrid -- should they update or change their security policy manual, and a little bit about how?
Schreider: Definitely. As I had mentioned before, one of the things you want to do is make your security policy manual extensible. Just like a cloud is elastic, you want to make sure that your policy manual is elastic as well.

Typically one of the missing things that you'll find in a conventional security policy manual is location of the data. What you'll find is that it covers data classification, the types of assets, and maybe some standards, but it really doesn't cover the triggering, the transborder triggering aspects.

We strongly encourage organizations to add that nuance to make their policy manuals elastic, and resist creating all new security policies that people have to learn, so you end up with two disparate programs to try to maintain.

Gardner: Well, we'll have to leave it there. I really want to thank our audience for joining us. I hope you found it as insightful and valuable as I did.

And I also thank our main expert guest, Tari Schreider, Chief Architect of HP Technology Consulting and IT Assurance Practice.

I'd furthermore like to thank our three other HP experts, Lois Boliek, World Wide Manager in the HP IT Assurance Program; Jan De Clercq, World Wide IT Solution Architect in the HP IT Assurance Program; and Luis Buezo, HP IT Assurance Program Lead for EMEA.

This is Dana Gardner, Principal Analyst at Interarbor Solutions. You've been listening to a special BriefingsDirect presentation, a sponsored podcast created from a recent HP Expert Chat discussion on best practices for protecting cloud computing implementations and their use. Thanks again for listening, and come back next time.

Copyright Interarbor Solutions, LLC, 2005-2012. All rights reserved.