I work with customers of many different sizes across multiple industries but I do tend to focus on the small to mid-size organization that is pressed for time, pressed for budget and pressed for manpower.
The Cloud and its Hydra-like rapid and voracious growth over the past few years has always had one primary concern that kept organizations on the fringe of making the leap. One reason that I equate Cloud Computing with a mythical beast like the hydra is that this is a “Service” that keeps reinventing itself with new iterations and new versions of what it can do…Software-as-a-Service, Infrastructure-as-a-Service, Platform-as-a-Service, IT –as-a-Service and just when you think that one form of “as-a-Service” has run its course…another head creeps up. But regardless of what iteration of the Cloud you are looking at Security always seems to be the biggest reason to not go.
Back in December 2009 the Cloud Security Alliance published the “Security Guidance for Critical Areas of Focus in Cloud Computing v 2.1”. This 70 page document does a very good job of outlining 3 key areas and 13 Domains of concentration.
I really liked how the CSA looks at two key points of “Assets” to move to the Cloud…Data or Applications/Functions/Processes. But I really do feel that they sum up the best definition for “What is this thing they call – THE CLOUD”:
Cloud computing (‘cloud’) is an evolving term that describes the development of many existing technologies and approaches to computing into something different. Cloud separates application and information resources from the underlying infrastructure, and the mechanisms used to deliver them.
As a Graphics guy I really like to tie in an image to illustrate a point but what the CSA does so well is that they have built their Standard around other recognized standards and when looking at Security…nothing is better than aligning with the NIST (National Institute of Science and Technology) and their top down look at The Cloud.
So back to what the CSA document can do for any company preparing for a dip in the frigid waters of the Cloud. I mentioned the 13 Domains that are covered in the documentation…depending on the Industry, the order in which you would go through them will vary but I can not think of a better way to approach the evaluation of a service…beyond the pure Cost Benefit Analysis realm.
- Cloud Computing Architectural Framework
- Governance and Enterprise Risk Management
- Legal and Electronic Discovery
- Compliance and Audit
- Information Lifecycle Management
- Probability and Interoperability
- Traditional Security, Business Continuity and Disaster Recovery
- Data Center Operations
- Incident Response, Notification and Remediation
- Application Security
- Encryption and Key Management
- Identity and Access Management
The important thing is that for the SMB market almost any reputable Cloud Provider is going to be able to provide a stronger Security posture than you can yourself. Their business model and company depend on doing what is right for their customers where as in the SMB space…Security as important as it is can range from one of 20 areas that an IT professional needs to juggle to a full time gig…but the limits in budget, time and staffing can very quickly outweigh the fact that someone else may be able to do it better and cheaper than you can.
To everyone…have a great day…the weekend is almost upon us.
Chris J Powell