What should the IT department demand of Cloud Providers?
Mon 6 Jul 2015
Simon Aspinall is the President of Virtustream’s International Software Business. In his role, Simon runs Virtustream’s global business with enterprises, service providers and system integrators and manages Virtustream’s businesses outside the US. Simon brings extensive high tech strategy, sales and business development experience to Virtustream, having spent more than a decade at Cisco Systems, Inc., a cloud innovator and worldwide leader in networking.
For the IT department, moving to the cloud has changed a lot. A team that once had complete control over IT infrastructure has gradually had to loosen its grip. In the first instance virtualisation took management of the IT environment out of its hands to some extent. The next step to cloud computing pushed this even further.
This shift has initiated a material change in the way that assets are managed in IT environments and, as a result, the lines of responsibility between the enterprise and the Cloud Service Provider are no longer as clear as they were in the physical environment. This is particularly critical with regard to the security of cloud operations, which many businesses often choose on the basis of cost rather than security. As businesses look to maximise the potential of their cloud deployments, it is critical that they know what to demand from cloud service providers in order to make this transition as smooth as possible. So what is it that enterprises should be prioritising as they look to get the most out of their current cloud providers?
There are three core areas that enterprises need to consider, all of which centre around transparency:
Enterprises must begin to look at cloud service providers (CSPs) in the same way that they view their supply chain. With cloud computing ceding more control to a third party, IT managers need to know exactly what is happening at every level in their IT environment. From a security standpoint, this is critical. CSPs must be completely transparent about how they manage and report vulnerabilities. Several hundred threats can emerge overnight, which makes it very difficult to identify and evaluate what the real risk is. This threat is multiplied if you do not know the posture of the infrastructure on which your cloud is running.
These supply chain style risks are often underestimated in the industry. Because cloud computing runs the IT environment through a hypervisor, an internal IT department does not actually see the physical layer of the server, which is why transparency is so important. It is for this reason that hardware attestation is another important consideration for internal IT departments.
Hardware attestation and Standards Compliance
Hardware attestation and standards compliance are central pillars in what businesses should be looking for from their cloud provider. Given that the IT department does not have visibility over the security of the Cloud BIOS/HW/processes, it needs guarantees that corporate data is being comprehensively secured. What we are beginning to see is the premise of transparency being applied, but the only way that this will become an industry standard is for businesses to push their cloud providers on the issue.
Continuous Monitoring and Risk Management
Sticking with the theme of transparency, cloud providers and enterprises alike have to be aware that compliance alone will not be enough to build a strong relationship that will get the most out of a cloud deployment. Adhering to compliance regulations is necessary, though this only offers a view of how the cloud environment is performing at one point in time. Enterprises need to know what is happening at all times and be assured of the security of the delivery of cloud services continuously.
By continuously monitoring an IT environment, businesses can ensure that threats are prioritised and remediated at the earliest possible moment, limiting the risk to corporate data. This style of continuous monitoring will fix a problem that the cloud industry has had. For many years the industry has been focused on identifying a multitude of threats, often late, and remediating them with less focus than necessary. What it has not excelled at is prioritising these threats. This is a pre-requisite for taking cloud deployments to the next level. This way companies can evaluate the real risk to the business rather than merely counting how many risks are present. This is all about realising the true value of the cloud.
If enterprises continue to push cloud service providers to stay true to these core principles then the industry will go from strength to strength. As businesses become more cognisant of the cloud and how to use it best, this will be crucial.