Join our research – Cloud Assurance in practice

The Dutch CSA chapter has a plan to address the number one concern of organizations using cloud: “can we trust our provider?”.

The CSA (Cloud Security Alliance) has developed a number of tools to address that situation. Our plan is to test these tools in practice, and record the experiences for inclusion in a “best practices” paper.

The main CSA tools are combined in the so-called CSA GRC stack (which stands for Governance, Risk management, and Compliance).

The “Security guidance for critical areas of focus in cloud computing v3.0” is the underlying body of knowledge for the GRC stack. We typically refer to this document as the ‘CSA guidance’.

The first component of the GRC stack is the CSA Cloud Controls Matrix (CCM). These controls are largely based on the recommendations of the CSA guidance.

The CCM is called a matrix, because it cross references other assurance frameworks such as PCI-DSS (payment card industry) and HIPAA (Healthcare).

The CCM can be used as a framework to give assurance to cloud customers. To make this process more efficient, CSA has introduced a number of additional tools. One of them is the CAIQ (Common Assessment Initiative Questionnaire, pronounced ‘cake’) which is a standardized list of questions to use to evaluate cloud providers. Each question in the CAIQ corresponds to exactly one control in the CCM.

Cloud consumers can take the CAIQ as a basis, select questions from it, add their own questions, and submit it to a number of cloud providers.

The smart move for a cloud provider is to pre-answer the CAIQ, and publish the results. This is the ambition of STAR (Security Trust and Assurance Registry), which is also a CSA initiative. And it does not stop there, beyond this there is Cloud Audit and the Cloud Trust Protocol. These products are in development and aim to go further by automating parts of the assurance process.

STAR is planned to have multiple levels:

  • Level 1 is Self-Assesment, based on a provider report following either the CAIQ or the CCM.
  • Level 2 is Third-Party Assessment, where the idea is to use the requirements of the ISO/IEC 27001:2005 management systems standard integrated with the CSA Cloud Control Matrix (CCM) and an organization’s own internal requirements or specifications to assess how mature their systems are.
  • Level 3 is a Continuous Monitoring based certification. This is currently under development.

These three levels are collectively referred to as the Open Certification Framework (OCF).

Our ambition is to do a number of case studies in applying the CCM and CAIQ. These case studies would preferably cover at least a provider and a financial business (bank or insurance firm).  For providers, this could lead to an actual STAR entry with its associated benefits.

Some of the expectations are:

  • The CCM will be a better fit for cloud services than other assurance frameworks
  • Assurance frameworks such as the CCM will lead to lower costs for consumers and providers because audit costs will be lower.

Some of the research questions are:

  • How is the coverage of the CCM in relation to assurance requirements, what else do you need?
  • How much work is it to fill in the CAIQ?
  • How do you experience value in CCM/STAR/CAIQ?

Currently we have started to work with a number of IaaS providers who are interested in exploring better assurance. If you are interested you could still be part of this initial group. Just contact us.

Who needs cloud sales partners? How can they add value?

Cloud computing is supposed to be ‘totally self-service’, or so the naïve reading of the standard NIST definition goes. If it is not self-service, it is not cloud. With self-service, who needs partners standing in the way between the consumer and the cloud provider?

Well, it is a little more complex than that. The 5 NIST essential characteristics of cloud computing (of which self-service is one) should be interpreted in the context of the business value of cloud computing. It is these characteristics that lead to business value, and it is the business value on which to judge the degree to which a certain service offering is actually a cloud offering.

Example. Rapid scalability is an essential characteristic. But how rapid is rapid enough? A sudden surge of web traffic needs a response in seconds; a new development server should be available in a matter of minutes or maybe an hour. But adjusting the number of mailboxes to be paid for on a monthly basis is quite sufficient for most organizations. And moving from one mail provider to another is most certainly something that you would not do overnight on a whim. Such a migration takes planning, proper execution and change management with the users, who would have to learn to work with a new user interface. Think months.

You cannot expect big cloud providers like Google and Microsoft to help everybody in the world with this change management. That is where sales partners (or channel partners as they are often called) come in. They can guide the consumers in this process, show the specific opportunities and pitfalls, and provide training to users. That is value to the consumer that a cloud channel partner is bringing.

Consumers these days have a lot of risk management and compliance obligations to handle, and each consumer has a different set of requirements. They have to work with cloud providers to address these requirements on a continuous basis. If cloud computing is to be scalable at the provider side, the cloud channel partner should work out the mapping between what the consumer needs, and what the provider offers. If not, the provider will be swamped with controls questionnaires. At one of the Cloud Security Alliance (CSA) conferences last year a provider mentioned that those questionnaires can have anywhere between 10 and 1500 questions. They have full time staff dedicated to answering them. That does not scale.

One approach pioneered by the CSA is the GRC stack (Governance, Risk management and Compliance), which can standardize this process (more explanation on http://www.clubcloudcomputing.com/2012/09/can-we-simplify-cloud-security/). GRC is also business value. Rather than forward all risk and compliance questions to the cloud provider, a cloud channel partner can decouple the GRC process between consumer and provider, thus increasing the net value of GRC. That is the value to the cloud provider that a channel partner can bring.

Want to know how this can work for you? Visit www.cloudcomputingundercontrol.com

Why do people buy cloud services?

If you are a developing cloud provider, whether you are pure play or an internal IT department, it is very interesting to know who is buying cloud services, and why.

In a recent survey by PB7 sponsored by EuroCloud Netherlands and others, a group of Dutch companies was interviewed about their motivations and hesitations around cloud computing. The survey’s results were quite a bit more interesting than the usual lot. In this article I have cherry picked a few observations from the larger survey. The full survey is reported on in http://www.slideshare.net/peterthuis/ecm12-ghgg (in Dutch).

The majority of companies are using cloud computing these days, and this includes government organizations by the way. That adoption rate is not growing so fast anymore. The growth is in the number of cloud applications that are being deployed (and presumably also in the number of users of those applications).

How does cloud computing fit business strategy? Companies change for a number of reasons and objectives, and cloud computing as a driver is no different. Some organizations innovate using cloud computing, but from the survey it appears most are just optimizing business process, or even just substituting current solutions.

Substitution happens when an existing solution is replaced by a cheaper one. Examples of these can be seen across the board.  As you can expect from a wide survey, the most common applications are mail, messaging, document processing, sales, marketing, distribution, HR. One striking category though is field service where a lot of adoption is going on. Inhibitors for these types of applications include are the value of current investments (“the server in the closet has not been fully written off”).

Optimization involves process change: doing things differently. This could involve people inside the organization as well as outside the organization. From anecdotal evidence, we know that collaboration tools are on the rise, in particular when they serve to communicate over organizational boundaries.  Think procurement, project collaboration and marketplaces. These are the ‘cloud native’ apps so to say. The other category involves empowering the current workforce, especially if it is mobile already, a trend we see happening in airlines and retail. Cloud productivity solutions allow the inclusion of staff that was not equipped with computers before. This is clearly a big market for horizontal application suites such as Google Docs and Office 365. Vertical applications areas include HR and e-learning.

The less predictable the workload, the bigger the advantage becomes that cloud applications have over non-cloud applications. About a tenth of the researched applications have a ‘rapid growth’ workload pattern, i.e. new applications, new business. For these categories cloud is by far the preferred solution.

These trends align very well with two important cloud characteristics: elastic scalability (especially from a financial perspective), and broad network access (anytime/anywhere/anydevice). Broad network access allows the inclusion of users that are not within the corporate firewall.

Infrastructure as a service (IaaS) is definitely on the rise across the board: small/large enterprises as well as governments. It is expected to increased penetration to 30 percent in 2014, a twofold increase in two years. Still, this is a lot less than the penetration of SaaS.

As the number of cloud applications per organization rises, integration concerns increase. From the survey, it appears cloud consumers are seeing three different avenues to address these concerns. They call for open standards, they turn to cloud brokers to do the integration for them, and they hope to see ecosystems such as app stores providing this integration for them.

Other concerns are security and privacy in general, though it is unclear to what extent these fears are actually translated into action. It is peculiar in this respect that only 40% of cloud users has a clear exit plan.

There are quite a few implications for service providers in these findings. The biggest demand for cloud services is for rationalizing existing IT systems, and if they are internal, expanding their use cases to include mobile employees and business partners. As an extension of these, inclusion of more people and partners can allow business processes to be reengineered. Partnering with consultants to help effect these changes might make sense.

Potential clients are concerned about integration and security risks. Conceivably, adequately addressing these concerns can be a selling proposition. For the mechanics of that, have a look at another article I wrote (see http://www.clubcloudcomputing.com/2012/09/can-we-simplify-cloud-security/). A lot of these concerns (including integration) are expressible in terms of the CSA Cloud Control Matrix (Disclosure: I updated some of these controls recently as a CSA volunteer).

If you are a cloud provider and wonder how to improve your offering, you may be interested in having a look at www.cloudcomputingundercontrol.com

Can we simplify cloud security?

Last week, the Cloud Security Alliance had its EMEA congress in Amsterdam. The day before, I got a chance to be the instructor on a CCSK workshop (Certificate of Cloud Security Knowledge).

The lineup of industry experts at the congress was awesome, it included people directly involved in the security of the biggest cloud computing providers in the world, as well as security officers of their largest consumers. And they talked to one another in the most productive way.

One example of a reassuring statement was from an Amazon security officer: “we don’t have a security budget, our security funds are effectively unlimited”.

The feeling I had after delivering the CCSK training was that people need to know more about how to contract a cloud provider in a professional way. In particular it is important to know how to manage the risks. For example, the customer might need to ensure that data at rest with the provider is encrypted. While evaluating a potential cloud provider, it might be important to check this ‘control’.

Now try to think how this scales from the perspective of the cloud consumer: they need to check this and a few hundred other controls for potentially dozens of cloud providers. Similarly, the cloud providers get these questions from most of their prospective customers. If cloud computing is to deliver on its promise, this is a process that needs structure and automation. If not, it will become too cumbersome.

Just imagine what it would take to audit all your cloud providers on a regular basis. Now think about a few hundred controls for a few dozen cloud providers and doing this every couple of weeks. Think of the paperwork associated with that, for you as well as for the cloud provider. I know of a smallish provider who has somebody full-time dedicated to answering these questions.

There has to be a better way, and I think the Cloud Security Alliance is the best community to develop it with.