5 Steps to Building a Secure Cloud Strategy

Al Guibord

AUG 25, 2015 

 

Corporate IT has lost the battle with shadow IT, and it’s time to embrace what that means for enterprises. Beyond employees using their favorite productivity apps like Dropbox and Evernote, enterprises rely on the cloud for critical business functions such as customer relationship management, financial planning and everything in between.
Organizations use 730 cloud services on average, according to the latest Netskope Cloud Report. For the first time ever, departments can use cloud apps without consulting their in-house IT department. Individual users are now able (and empowered) to go around IT because their number one goal is to get their jobs done as efficiently as possible.
It’s an exciting -- and equally scary -- time for IT teams to navigate these new challenges, address security concerns, and convince senior leadership that the benefits of cloud outweigh the risks. Take Genomic Health, a leading cancer diagnostics company. In a webinar hosted by Box, Netskope and Okta, the company’s CISO discussed how the organization uses the cloud to create a competitive advantage across its business, ranging from crunching clinical trials data to collaborating with medical researchers worldwide. Without the cloud, the company would not be able to gain a time-to-market advantage over its competitors.


Rather than just looking at cloud through the lens of cyber-risk, IT leaders must take this opportunity to educate corporate leadership about one of the biggest opportunities IT has seen in years. To clearly articulate the benefits of cloud and gain buy-in from executives, take these five steps to build a compelling enterprise cloud strategy.
1. Audit the current state of affairs:To establish credibility, articulate current challenges, and gain buy-in for your strategic plan, IT leaders must provide corporate leadership an accurate assessment of the current state of affairs. For CIOs who haven’t performed an assessment of cloud usage in their environment, there’s no scarier question than “How are we using the cloud today?” Address this by understanding how many and what types of cloud services are in use in the organization, what they are used for, who uses them, how important they are to your business, how enterprise-ready they are based on objective measures, and what that means in terms of cyber-risk.
2. Define the cloud’s role in organizational success: Before laying out a strategic plan, it is important to express the importance of the cloud to the business and the value to be gained by using it. Think broadly across multiple dimensions about the ways the cloud can impact the organization, including top-line growth, cost savings, and risk mitigation. Rather than enumerate, quantify and prioritize these areas of value to help justify the plan.
3. Articulate a cloud vision: After quantifying the ways the cloud can benefit the business, it’s time to put together a clear vision. This should be a collaborative process with line-of-business counterparts, resulting in a shared vision that senior leadership can support. Involve these peers early and turn them into allies, as they will be champions, and ultimately will provide support for any unforeseen bumps in the road along the way. This vision should align closely with overall business strategy and contain quantifiable business results to track and report on over time. For all of its benefits, the cloud is not a silver bullet. Consider many of the costs, roadblocks, and setbacks associated with new software projects, such as purchasing decision-making, implementation time, lack of maturity of some offerings, implementation snafus and bugs, IT and user training, and investment in controls for security and compliance.
4. Develop a safe cloud enablement plan: Safely enabling cloud means IT must find, understand, and secure the cloud services that are in use or under consideration. This goes beyond knowing the number of services their associated risks, but also understanding risky usage of and/or sensitive data in the cloud apps in the environment, both sanctioned or unsanctioned. Be able to answer risk, security, and compliance questions specific to the business – both the current and future state. Some sample questions to ask include “Does any ‘confidential’ content reside in our sanctioned cloud storage, and if so, who has access to it?” or “Do we have any Payment Card Information residing in our cloud Customer Relationship Management apps?” Finally, securing the cloud isn’t about blocking services. It’s about applying policy at the activity- and data level to address real risks. An example of this would be to allow users to access cloud storage services, but block the upload of corporate content to all except for a sanctioned one.
5. Create a strategic roadmap, owners, and resource needs: Create a roadmap with key milestones, timelines, and owners. Make business counterparts key players in the strategy. They need to co-own it, not just in name, but also in shared goals and incentives, proper resourcing, regular meetings, and shared communications. Give those partners partial responsibility for presenting the plan to the executive team and board and for communicating its progress on an ongoing basis. And lavish those partners with praise when things go well so they link their own career success with the success of your project.


Cloud adoption has become pervasive and will continue to grow. The answer is not to stop this growth, but rather, to partner with the business. In driving innovation forward in the enterprise, IT needs to take the lead and work with the business leaders to develop a joint strategy that shares risk and responsibility.
Al Guibord is co-founder of The Advisory Council International (www.tac-int.com), a non-profit organization that advises boards of directors and C-level executives by assessing and testing their cyber security defenses.

Cisco Puts Intercloud In Higher Gear By Adding AWS, Microsoft Azure Functionality

byMark Haranas on June 10, 2015

Cisco Systems Wednesday stepped up its Intercloud offensive with new functionality for Amazon Web Services and Microsoft Azure.
Cisco, which has boasted that its recently launched Cisco OpenStack Private Cloud Bundle is 40 percent cheaper for large workloads than AWS, has now extended its virtual machine on-boarding to support Amazon Virtual Private Cloud as part of its Intercloud strategy, said Nick Earle, senior vice president of global cloud and managed services sales at Cisco, San Jose, Calif.
The AWS functionality enables Intercloud customers to view Amazon workloads directly from Cisco Intercloud and then "seamlessly move workloads" between the AWS cloud and Cisco's Intercloud, Earle told CRN.
[Related: Cisco Partners: OEM Agreement With Nutanix Would Put Pressure On Dell]
"You can see what applications you've got running in Amazon public cloud, then you can do a drag-and-drop if you want that application to run inside your private cloud," he said.
The AWS support comes as the Seattle-based public cloud provider is growing at a breakneck pace. AWS is now a $5.16 billion business that grew 49 percent in its most recent quarter.
Mont Phelps, CEO of Waltham, Mass.-based NWN, No. 70 on the CRN 2015 Solution Provider 500 list and a Cisco Intercloud Partner, said he sees Cisco's support of AWS as a market reality. "Amazon is a player and they will continue to be a player," he said. "We need to embrace it."
Cisco is stepping into the public cloud fray as a market leader providing the heterogeneous network framework to seamlessly move workloads between private and public clouds, said Phelps.
 "This is a valuable service," he said. "Many of these public clouds didn't consider the idea of moving data back and forth between private and public. They were all built initially from the ground up to control and manage data as the sole provider. But it's a heterogeneous world."
In a blog post, Earle pointed to the threat posed by Shadow IT -- public  cloud deployments  such as AWS- not supported by the IT department .
"A year ago it was not unusual for our cloud consumption analysis services to find five to seven times more cloud sites than the CIOs of our clients had authorized (or were aware of) that contained critical company data," wrote Earle in the blog. "Today, just 12 months later, that number is often 15 to 22 times more and growing. On average, our clients are unknowingly using almost 1,000 external cloud services, all of which are storing data and enabling core business processes, especially customer facing ones."
That public cloud proliferation, said Cisco's Earle, is "creating huge, but often invisible, risks for companies. The primary threat is security -- only a small percentage of sites are encrypting data or require stringent access authentication."
To that end, Cisco said it has extended its zone-based firewall services to support Microsoft Azure.
"This is very big as it shows interoperability with non-Cisco networks," said Zeus Kerravala, principal analyst at ZK Research. "There's been criticism that Cisco is trying to build a proprietary cloud network, but that's not the case at all. … The Azure news is a good example of this."
In addition, Intercloud Fabric will now support OpenStack KVM and Microsoft Hyper-V. The fabric previously only supported VMware vSphere, according to Earle.
"We are really trying to push any cloud, any [virtual machine], any security control policy -- not just connectivity," said Earle.
Kerravala said Cisco wants Intercloud to include as many cloud partners as possible. He also pointed to Cisco's recent acquisition of OpenStack specialist Piston Cloud Computing as "opening the door to any OpenStack cloud."
"Cisco is trying to deliver a world where cloud services are connected and workloads and data can migrate easily between private and public clouds or between public clouds," said Kerravala. "I'm starting to see a fair amount of interest from customers. … I believe Cisco's [Intercloud] strategy is working."
Earle said there are 120 customers using Intercloud Fabric with around 35 partners providing services available in the market based on the fabric.
PUBLISHED JUNE 10, 2015

Google Cloud Lowers Prices Again, Raising the Stakes Versus AWS

Erin Moriarty

May 18, 2015

Google Cloud Platform cut prices again today, with Google boasting that the service is now 40 percent cheaper than any other public cloud provider’s.

Google reduced prices of virtual machines by up to 30 percent and lowered the cost of all Google Compute Engine Instance types as well.

So continues the years-long price war between Amazon Web Services (AWS) and Google Cloud. Each has been willing to dig deep into its own margins rather than admitting defeat by losing customers to cheaper competition — although Google has also said that Google Cloud prices will fall in parallel with the advances provided by Moore’s Law.

According to a count by Business Insider, AWS has cut its prices 44 times in the last six years, forcing Google Cloud to reduce prices several times just to keep up. In 2012, Google Cloud announced two storage price cuts, one just a day after Amazon cut its S3 storage prices by 25 percent. Last spring, Google Cloud cut prices across most major services and all regions, stealing the “low-cost provider” title from AWS.

Analysis from RBC Capital says AWS lowered prices 8 percent between October 2013 and December 2014, and Google Cloud came in just behind it at 6 percent.

While cloud providers are still lowering prices, it’s not happening with the same tenacity as it was in the past. At AWS’ most recent re:Invent conference, it didn’t even announce a price cut, which was odd considering that had become a staple of AWS news events.

It looks like the last price reduction from AWS came late last year. The decreased prices for three different types of data transfers became effective Dec. 1.

Cloud compliance, data protection top reasons for encryption

    

Cloud compliance, data protection top reasons for encryption

Date: Apr 23, 2015

Cloud computing has changed many aspects of enterprise operations in recent years, but one thing it should never alter is a company's commitment to data security. The cloud can be a great business resource, but only when proper steps have been taken to ensure that information remains protected.
The most popular way to ensure this security is by using cloud encryption, according to Rich Mogull, founder of Securosis.
"One of the best tools that we have at our disposal to protect our information as it's moving around in the cloud … is encryption," Mogull said during a recent SearchCompliance webcast titled Pragmatic Cloud Encryption.
But in order to use encryption correctly, companies must understand how it benefits their cloud computing model, Mogull explained. The first step is determining how company data is stored in the cloud. This will depend on the cloud provider and whether the cloud computing model is Infrastructure as a Service (IaaS), Platform as a Service, or Software as a Service.
In IaaS, for example, there is physical storage followed by layers of abstraction and management, and then either volume storage or object storage. Mogull describes volume storage as a virtual hard drive, whereas object storage is like "a file system with an API layered on top."
The architecture may change for each cloud computing model, but the need for encryption does not. In part one of this webcast, Mogull discusses the four main reasons for encryption when it comes to IaaS cloud models. The first is to protect snapshots -- these information back-ups become extremely portable once in the cloud and could leave data exposed if not encrypted.
The second reason he gives is to protect against cloud administrators who may be able to see company data. Mogull describes this as a "low risk," but is still a concern for some companies.
The third reason, on the other hand, is one of the most important and obvious reasons for encryption: to achieve compliance. Often, regulations such as HIPAA/HITECH require cloud encryption for a company to be compliant.
Mogull's list of reasons for encryption ends with the discussion of protecting against what he calls "seizure spillage" in IaaS. Since cloud computing has a "shared tenancy" model, company information in the cloud could be exposed if the cloud is seized. Encryption, however, would help protect that information.
Watch part one of this webcast to learn more about the basics of cloud architecture and how encryption is vital to cloud computing security. Then visit SearchCompliance to view part two, where Mogull continues his discussion on pragmatic cloud encryption for the digital age.
Let us know what you think about the story; email Ben Cole, site editor. For IT compliance news and updates throughout the week, follow us on Twitter @ITCompliance.

More on Enterprise cloud compliance

• 

  How to choose the right volume storage encryption system

  VIDEO - In part two of this webcast series, Securosis founder Rich Mogull discusses the main components of an encryption system and options for encrypting volume storage.
• 

  Five strategies to migrate the e-discovery process to the cloud

  VIDEO - Follow this five-step strategy to ensure your e-discovery process and data management capabilities remain intact when moving operations to the cloud.
• 

  Knowing your exact data needs key to cloud service agreements

  VIDEO - Before developing a cloud service agreement, companies must first determine their unique data management and e-discovery-specific requirements.

• Five key strategies for cloud-based e-discovery management

  Tip - In this tip, learn five strategies to ensure cloud-based information governance processes meet organizations' unique e-discovery management needs.

• Hybrid strategies common as organizations strive for cloud GRC

  Tip - The lack of a common framework makes cloud security and compliance a difficult proposition. In this tip, learn best practices to ensure cloud GRC.

• Cloud computing issues and challenges: The GRC factor

  Tip - In our latest #GRCchat, tweet jammers discussed cloud computing issues and challenges and explained how governance, risk and compliance factor in.

• Cloud-based software: Who is responsible for security in the cloud?

  Tip - When it comes to cloud-based software and services, who is responsible for security and compliance in cloud computing? #GRCchat participants weigh in.

• GRC regulations force cloud services providers and customers to adapt

  Tip - As governance, risk and compliance regulations continue to expand, cloud services providers and customers must be willing to adapt their data management and security processes.

Six must-have features when storing data in the cloud

          By Staff Writer / April 15, 2015

Cloud storage prices are flirting with free, and capacity limits are on the rise. Just this past March, Google announced its Cloud Storage Nearline service that costs a penny a month for 1GB of storage. Service providers are dropping prices mainly because they can; technology advances – particularly for data that doesn’t need to be accessed often or quickly – has significantly increased storage efficiency, making it possible for providers to offer next-to-nothing prices. But if enterprises are going to take public cloud storage services seriously, they’ll need more than vast bins of low-priced storage to make it work.

“I think the biggest misperception we get when we talk to customers about cloud storage in particular is they view it as complete outsourcing,” said Henry Baltazar, senior analyst serving infrastructure and operation professionals with Forrester, in a webinar. “They think of it as `Okay, if I pull out my credit card, my problems are going to go away.’ And there’s really nothing farther from the truth. You still have a lot of things you have to care about.”
As such, many cloud service providers are offering value-add features, while add-on products such as cloud storage gateways, file sync and share, and hybrid backup are also becoming popular. These are the kinds of features and functions that differentiate one cloud from another. And enterprises should carefully evaluate them when making their decisions. Among the most important considerations are:
Security – Managed users access, authentication, and encryption are essential to protecting data regardless of where it’s stored; this is especially true when moving data outside the confines of the corporate data center. Reporting features for compliance are also necessary.
Redundancy – Having data stored at different geographical locations for redundancy just makes good sense, even if that means a hybrid approach where data is stored in the data center and backed up in the cloud.
Disaster recovery – Essential in case of natural, machine, or human-driven events. Enterprises can adjust these features based on their tolerance for downtime and data loss. If that tolerance is close to zero – for, say, financial services firms that execute trades for clients – those companies must be prepared to pay for advanced capabilities.
Collaboration tools – Employees and partners need fast, simple access to files. Tools that let them drag and drop files in folders, share files with simple links, and manage access to files keep them productive.
Administrative tools – For enterprises to maintain control over their data, they’ll want to be able to do things like manage permissions, set policies, and establish expiration dates for files.
Mobile access – With the explosion of mobility in the enterprise, providing fast, secure access to cloud-based storage from a variety of devices is essential.


http://www.thoughtsoncloud.com/2015/04/six-must-have-features-when-storing-data-in-the-cloud/

Find your perfect cloud adoption pattern

March 3, 2015 8:00 am by Javier Barabas

When a company embraces the cloud, it must decide which adoption pattern best fits the workloads it plans to migrate to the cloud. That decision shouldn’t be made lightly—the more informed IT pros are going into the process, the easier it will be.

In this post, I’ll outline how you can find the right cloud adoption pattern for your workloads.

Cloud adoption patterns

An adoption pattern is simply the way a company consumes services from the cloud. There are different boundaries between different adoption patterns, and I will clarify each one here.

Each adoption pattern has its own characteristics, benefits and limitations.

In a traditional (or on premises) way of consuming services or resources, the owner of the infrastructure is responsible for managing every piece of hardware and software he or she uses (the black layers in the above chart). Normally, it takes some time for a user to access a new resource, but it can be configured exactly as needed.

The only limitation a user has when requesting a new resource is the availability and perhaps the quota his department has on the complete infrastructure. Once deployment takes place, the final user has the ability to configure and modify every aspect of the resource he now owns. Depending on the company, central services like patch management, security compliance with corporate rules, software upgrades, monitoring, backup and more can be managed in a centralized way. The costs (capital investments) of the resources are permanent and resources are often sub-utilized.

There are three main off-premises adoption patterns:

• Infastructure as a service (IaaS). Using this pattern, a company can consume infrastructure from the cloud through a contract with a cloud service provider. The provider can supply any requirement of resources (typically CPU, memory and storage) and the company only has to pay per use.

Compared with the on-premises business model, the IaaS pattern provides a flexible way to acquire resources when needed and those services can be terminated any time. The management responsibility for the company starts with the operating system layer and the provider ensures the availability and reliability of the infrastructure provided. Hardware monitoring is usually done by the provider and is transparent to the client company.

Extended services like patch management and backup can be part of the contract or managed directly by the client company. IaaS services are starting to become a commodity and all cloud service providers are trying to provide services with extended capabilities like PaaS and SaaS (see the following paragraphs). For an example of this cloud adoption pattern, check out IBM SoftLayer.

• Platform as a service (PaaS). Using this adoption pattern, a client company can consume platform services while avoiding the need to manage the underlying infrastructure (see the above chart). The PaaS model is related to the “API Economy.” API means application programming interface and using this model, an application can be designed and deployed just by calling on available services instead of creating new ones.

Applications created using those services pay only for the time and services used , making transparent the management process needed to maintain those services as ready and up-to-date. Common services offered in this way are databases, development runtimes, security processes like single-sign-on and more. PaaS providers are growing fast enough to provide a wide range of services, facilities and development tools to make developers’ lives easier.

Small companies and startups find in this adoption pattern an excellent platform to test and develop applications without an initial investment and a way to “fail fast.”  By failing fast, a new application can be tested and evaluated by users, and modified fast enough to avoid the initial implementation costs of on-premises projects. For an example of this cloud adoption pattern, check out IBM Bluemix.

• Software as a service (SaaS). With this cloud adoption pattern, a client company can gain access to an application ready to be used and  only pays for the users for whom the service is contracted. The underlying infrastructure and software needed by the specific application will remain transparent and its management can be done by the provider. This business model is very elastic and grows as needed. Compared with an on-premises model,  installation and initial configuration are not needed, nor is the hardware to run the application. There is  just an onboarding process. Configuration and customization for SaaS applications are minimal compared with the on-premises equivalent. The application consumed as SaaS is always up-to-date and available, and its health is monitored by the provider. For an example of an actual SaaS marketplace, check out the IBM Cloud marketplace.

There is no one size fits all for cloud adoption. Companies should consider their own cost and benefit equation and then decide on the best model. Each application and process needed is a workload and a deep workload assessment is normally performed by companies that have decided to move to the cloud.

Where are you and your company in the cloud adoption process now?

Comments (0)

About Javier Barabas

For the last four years Javier has been working as a SWG Cloud Architect for the Spanish South America region conducting several Cloud Adoption & Roadmap workshops in different industry customers and planning SCP/SCO solutions. He has published many assets in iRAM and the most popular was the "ISDM 7.2.1 Installation and Configuration Guide" with more than 600 downloads. He is a member of the IBM Academy of Technology and Chair of the Technical Council of Argentina.

View all posts by Javier Barabas →