The perfect storm of an economic recession, the advent of enabling technology in the form of unlimited bandwidth, virtualization, ever-increasing computing and storage power, and goals to variablize IT costs may mean the time for Cloud Computing has come - in one form or another.
Trading Technology for Business Risk
CIOs are faced with trading traditional technology risks and controls for new business and enterprise risks when sourcing strategies move technology infrastructure and responsibilities out of the data center and to the external Cloud. This in essence causes a shift away from traditional enterprise technology control thinking (e.g., access management, change control, data security, infosec, DR) to service provider relationships, capabilities, and accountabilities, or in a nutshell, to business risk management.
For example, if the enterprise can no longer touch the mainframes, servers, or storage devices, in theory it is no longer necessary to maintain datacenter controls for physical access management, environmental protection, and back-up/recovery (see Cloud Solves Security). However, new monitoring, auditing, compliance, and certification requirements are needed to maintain a business relationship with the Cloud service provider and provide the transparency, control, and trust necessary to support the business. Or if the specific Cloud service allows or requires the enterprise to accept digital identities established by end-users in the cloud, there should be a corresponding shift in controls and investments by the enterprise away from identity provisioning capabilities and toward methods that allow the enterprise to trust identities provisioned externally. Or finally, if the new virtualized environment requires sensitive information to reside outside the enterprise, new information management controls that are business-data-centric are necessary to compensate for the lack of physical control.
CIOs and business management must address the advent of a virtualized technology risk environment when sourcing decisions include external cloud services. To understand the requirements of this new risk environment, the enterprise can start with 4 basic steps for determining the impact of sourcing decisions on its existing technology risk program:
1. Understand the business value of the application or business function being sourced (How to determine which Apps to Source). Determine criticality to the business, the risk inherent in supporting the application or business function, the control environment (e.g., application and data integrity controls, compliance capabilities, service level requirements) and its efficiencies, and the residual risks.
2. Understand the trust model of service providers, and assess the following capabilities from the perspective of transparency, control, and separation:
- Identity vetting, provisioning, and enrollment;
- Data protection, erasure, and retrieval for structured and unstructured content;
- Software assurance, patch and change management;
- Client platform security;
- End-to-end network security;
- Personnel screening;
- Platform hardening, multi-tenancy protections – compartmentalization, security, and performance assurance;
- Service resiliency – failover, recoverability, RPO and RTOs;
- Real-time auditing, monitoring, and compliance reporting;
- Support for forensic and legal investigations;
- Infrastructure provisioning and configuration management;
- Administrative and privileged user access;
- Event and incident management;
- Third-party assessments;
- Security standards compliance.
3. Do the gap analysis. The delta between the risk and control capabilities determined in steps 1 and 2 above will give the enterprise a clear picture of the activities and investments required to virtualize technology risk management.
4. Focus on transparency, compliance/control, and separation. Capabilities, features, and services for on-demand and continuous visibility into the virtualized infrastructure and operations, the need to satisfy internal and external compliance and control requirements in real time (not only point-in-time), and the separation and ongoing protection of enterprise resources in the cloud are top priorities.
Action Item: CIOs must proactively assess technology risks when making sourcing decisions, particularly when considering external cloud services. Understanding the impact of the cloud provider's security and trust models on current risk practices is the most important first step.