What is a Cloud Assurance Framework and is it only about Cloud Security?

In this video Nigel Schmalkuche, Managing Director, Strategic Architects, outlines how to create a Cloud Assurance Framework that gives organisations confidence that cloud security and other compliance requirements are in place.


Cloud adoption is increasing at a rapid rate across the globe as organisations require the ability to deliver agile, mobile, feature-rich and scalable digital services to customers cost effectively, in a way that is not possible through traditional ICT environments. However, the increasing use of cloud has escalated concerns around cloud security and privacy, given the possibility that data can be compromised. This is exacerbated by the speed at which news, particularly bad news, travels across national and international boundaries, and by the greater scrutiny cloud providers face due to their public presence.

To counter this there has been an increase in regulations and controls being implemented to ensure that organisations can demonstrate governance around cloud use. Organisations need to do more than meet these compliance regulations: they need to build a comprehensive Cloud Assurance Framework. A strategic and logical cloud assurance framework can provide senior ICT and business leaders with the confidence that cloud assurance has been undertaken.


Cloud security is one of the primary risk factors that organisations face when transitioning to cloud services. As an Enterprise Architect, I often see security architecture as the missing link in the Enterprise Architecture Framework, where too much reliance is placed on the application and technology domains. The link between the business, information and data layers and the security layer is paramount when undertaking cloud migrations. The security risk posed by the location of data and by how the data is accessed is often overlooked but needs to be a mandatory assessment consideration. Other risks identified by senior management need to be documented and appropriate mitigations established so that the residual risks are deemed acceptable. These risks can be categorised under the subject headings of compliance, strategic, operational, market and finance.

Privacy concerns are real and it is necessary to ensure that information assets are classified to determine if there is any confidential, personal, sensitive or regulated data. Privacy Impact Assessments are necessary when personal information about individuals may be identified and these assessments can assist in the cloud decision-making process.

One of the main aspects of Cloud Computing is the loss of control that the cloud consumer has compared to more traditional implementations, and that loss is greatest with SaaS applications. Control and compliance are particularly important, and well-developed assessment tools can be used to ask all the right questions to ensure data and workloads are protected in the cloud. Vendor assessment tools allow the organisation to do the necessary due diligence.

The level of control that can be applied to your information in the cloud, and the protection required, will depend on the cloud delivery model and deployment model. For instance, there will be more control available under an IaaS private cloud arrangement than a SaaS public cloud arrangement. This is where the information classification is important: it is logically acceptable to have data classified as public stored in the public cloud, but not acceptable for national-security or non-national-security classified data to be in the public cloud.

In the government environment, it can become difficult to satisfy customers, auditors and regulators that sensitive data and mission-critical services are sufficiently controlled in a multi-tenanted public cloud environment. The information security classification of the data is important as it can guide the decision-making process in the development or procurement of an application. Organisations need to make sure the correct protection controls are in place to protect their data relative to the information security classification determined. For government documents, protective markers can be used to determine the level of protection required in the use and transfer of information.

The emerging role of Digital Service Providers (DSPs) will continue to place cloud as a vital enabling technology. Organisations will be better placed if they have a robust cloud assurance framework that gives senior management confidence in migrating to the cloud.

Cloud Assurance Framework

The Cloud Assurance Framework shown below includes eight main assessment tools that provide senior leaders and business and ICT owners with the additional assurance that the requirements of the organisation and of regulatory compliance have been met. Once developed and agreed, these tools provide a repeatable and effective assessment methodology that can be used when negotiating contractual arrangements and undertaking cloud migration.

  • Suitability Assessment - ICT sits down with the business to determine if the required solution is cloud-fit by considering:
    • What are the business drivers in terms of goals, requirements, processes and risk appetite?
    • What is the budget for the project/transformation?
    • What is the scope of the transformation?
    • By what time must it be delivered?

  • Information Classification - vital for cloud assurance, to ensure the right delivery model and mechanisms are chosen for the solution so that security, protection, privacy and control of the assets are maintained:
    • What is the classification of the information?
    • What is the current architecture of the information, covering data both at rest and in transit?
    • What does the future information architecture layer look like?

  • Financial Assessment - using the gathered information, this tool produces financial comparisons illustrating the relative benefits of hosting your own infrastructure, co-locating or moving to the cloud:
    • What is the current operating cost of the solution/s?
    • What is the approved budget for the migration?
    • What is the intended Return on Investment?
    • What is the Net Present Value of the project?

  • Readiness Assessment - consisting of four parts:
    • People, including skills and training
    • Process and associated procedures
    • Technology architecture
    • Organisation, including its structure

  • Security Assessment - the fundamental security requirements for all cloud services and deployment models include:
    • What are the requirements of the solution/s (including mobile security)?
    • What controls are available in-house?
    • What new technologies are required?
    • What security policies must be configured and managed (for example ports, whitelisting/blacklisting)?

  • Migration Assessment - ICT determines:
    • What does the current portfolio look like?
    • What is the future desired state of the portfolio?
    • Where does each application sit on the scale from least value to highest value, i.e. from Rehost (lift and shift) through to Decommissioning and replacing with a new Software as a Service application?
    • What is the time span for moving from least value to highest value?

  • Vendor Assessment - supports an objective evaluation of vendors to assess the credibility of third-party cloud services and resources:
    • What are the current Recovery Point Objective and Recovery Time Objective?
    • What is the geographical presence for support and security?
    • How well qualified are the datacentre facilities?
    • What security accreditations does the vendor have (for example ISO and HIPAA)?

  • Risk Assessment - helps to gather and rate the risks in the migration and operational activities of cloud solutions. It helps ICT to assess the impact and prioritise the mitigation plans:
    • What are the technical gaps that may present a vulnerability?
    • What is the impact of each identified risk?
    • What are the risk ratings?

Once all questions in the eight tools (or in the assessments that are applicable at the time) have been answered for the application or group of applications being assessed, it is possible to see where there is non-compliance. The next step is to take each non-compliant answer and consider whether it is important; if it is, that risk needs to be mitigated.