In this video Nigel Schmalkuche, Managing Director, Strategic Architects outlines How to Create a Cloud Assurance Framework
Cloud adoption is increasing at a rapid rate across the globe as organisations require the ability to deliver agile, mobile, feature-rich and scalable digital services cost effectively to customers not possible through traditional ICT environments. However, the increasing use of cloud has escalated the concerns around security and privacy given the possibility that data can be compromised. This is exacerbated by the speed at which news, particularly if it is bad, travels across national and international boundaries and the greater scrutiny cloud providers are faced with due to the public presence.
To counter this there has been an increase in regulations and controls being implemented to ensure that organisations can demonstrate governance around cloud use. Organisations need to do more than meet these compliance regulations and build a comprehensive Cloud Assurance Framework. A strategic and logical cloud assurance framework can provide senior ICT and business leaders with the confidence that cloud assurance has been undertaken.
Security is one of the primary risk factors that organisations have when moving data to the cloud. As an Enterprise Architect, I often see security architecture as the missing link in the Enterprise Architecture Framework where too much reliance is placed on the application and technology domains. The link between the business, information and data layers with the security layer is paramount when undertaking cloud migrations. Security risk posed by the location of data and how the data is accessed is often overlooked but needs to be a mandatory assessment consideration. Other risks identified by senior management need to be documented and appropriate mitigations established so they are deemed to be acceptable risks. These risks can be categorised under the subject headings of compliance, strategic, operational, market and finance.
Privacy concerns are real and it is necessary to ensure that information assets are classified to determine if there is any confidential, personal, sensitive or regulated data. Privacy Impact Assessments are necessary when personal information about individuals may be identified and these assessments can assist in the cloud decision-making process.
One of the main aspects to Cloud Computing is the loss of control that the cloud consumer has compared to more traditional implementations and that is at the highest level with SaaS applications. Control and compliance is particularly important and well developed assessment tools can be used to ask all the right questions to ensure data and workload is protected in the cloud. Vendor assessment tools allow the organisation to do the necessary due diligence.
The level of Control that can be applied to your information in the Cloud and the protection required will depend on the cloud delivery model and deployment model. For instance there will be more control available under an IaaS private cloud arrangement than a SaaS public cloud arrangement. This is where the information classification is important as it is logically acceptable to have data classified as public stored in the public cloud but not acceptable for any national and non-national security data to be in the public cloud.
In the government environment, it can become difficult to satisfy customers, auditors and regulators that sensitive data and mission-critical services are sufficiently controlled in a multi-tenanted public cloud environment. The information security classification of the data is important as it can guide the decision-making process in the development or procurement of an application. Organisations need to make sure the correct protection controls are in place to protect their data relative to the information security classification determined. For government documents, protective markers can be used to determine the level of protection required in the use and transfer of information.
The emerging role of Digital Service Providers (DSPs) will continue to place cloud as a vital enabling technology. Organisations will be better placed if they have a robust cloud assurance framework that provides senior management the confidence in migrating to the cloud.
The Cloud Assurance Framework shown below includes eight main assessment tools that provide senior leaders and business and ICT owners with the additional assurance that the requirements of the organisation and the regulatory compliance has been met. Once developed and agreed to these tools can provide a repeatable and effective assessment methodology that can be used when negotiating contractual arrangements and undertaking cloud migration.
Once all questions are answered for the application or group of applications being assessed by the eight tools or the assessments that are applicable at the time it is possible to see where there is non-compliance. The next step is to take each of those non-compliant answers and consider whether they are important and if they are those risks need to be mitigated.