cloud industry forum report: cloud for business, why security is no longer a dirty word
TRANSCRIPT
WINTER 2014
CLOUD FOR BUSINESS: Where are we now with cloud data governance and where are we headed?
WHY SECURITY IS NO LONGER A DIRTY WORD
How to get the most out of different cloud models
Public, private and hybrid cloud all have their own security challenges. What are the options for the CIO?

Cloud computing is here to stay. According to the latest CIF survey, some 78 per cent of UK organisations are now using at least one form of cloud service and, perhaps more remarkably, 11 per cent of British businesses are now using four or more services. That’s definitely a sign that it’s no longer a few test sites that are being deployed.

The trend is ever upwards: this is the fifth year of the survey and, since the first one in 2010, the growth has been 61.5 per cent: a healthy growth indeed. That’s not to say that cloud is taking over these organisations: the CIF survey found that 85 per cent of organisations still operate on-premise datacentres, so most firms are looking for a way for the systems to co-exist – the hybrid model of IT.

There’s a structure to CIOs’ choice, with certain services becoming an obvious fit for cloud: web hosting, email, CRM, data back-up and disaster recovery are prime choices. Anything that involves any confidential client data tends to be kept well away. That reflects a seeming paradox among companies. Yes, there is greater acceptance of the cloud and more businesses want to use it, but such an attitude goes hand-in-hand with

“If you want total data security, you can put all your data on a drive, lock it in a safe and drop it at the bottom of the sea.”
About the Cloud Industry Forum
The Cloud Industry Forum (CIF) was established in 2009 to provide transparency through certification to a Code of Practice for credible online service providers and to assist end users in determining core information necessary to enable them to adopt these services.

CIF’s Goals:
• Help end users make informed business decisions about the adoption of cloud services and the governance of hybrid IT environments
• Provide vendor independent market research and outlook of cloud adoption trends, opportunities and inhibitors to offer qualitative guidance to businesses
• Raise industry standards and bring greater transparency and trust to doing business in the cloud with its Code of Practice for Cloud Service Providers
• Champion and advocate the adoption of cloud services by businesses and individuals
For more information, visit: http://www.cloudindustryforum.org
CONTENTS
Introduction (page 4): A foreword by Maxwell Cooter, founding and contributing editor, Cloud Pro
Cloud and data governance (page 5): Is data governance a legal or technical problem? What should cloud customers be thinking about when they make the move?
Hybrid, private or public: Which way to go? (page 12): There’s plenty of choice when bringing cloud on board, but which is the best option for you?
Cloud in regulated industries (page 19): Certain companies have a real problem with cloud when trying to keep up with regulatory demands. Are there ways around this?
Drawing up a security policy (page 27): Moving to the cloud should mean a brand new security policy as the old one won’t do. What should be included and removed?
Keeping customer data safe (page 29): Customer data has become gold dust to organisations. How can these assets be protected?
Mobile and flexible working (page 31): BYOD is the name of the game, but what challenges does this route bring to a company?
Current legal situation state of play (page 36): We speak to Conor Ward, consultant with international law firm Hogan Lovells and CIF Legal Forum chair, about the issues as they stand now.
The European legal framework (page 38): A new EU Regulation is set to change the way data is protected: what does this mean for companies and their customers?
Does BYOD mean bring your own disaster?
BYOD could be a recipe for disaster as the IT department relaxes control, but it doesn’t need to be a big problem…

There used to be a clear split between your technology at home and your technology at work. In the office, you had access to a powerful desktop, wide-reaching business software and fast connections while, at home, you had some simple programs running on a cheap PC using a dial-up modem.

That’s the way that things were because there was no need for it to be otherwise. The notion that home technology was more powerful than commercial offerings would have been deemed nonsense. In the last decade, however, all that has changed. There wasn’t a single revolution that changed this but many smaller steps: the provision of broadband to homes (especially when accompanied by an upgrade to fibre); the development of the smartphone market and, connected to this, the decision by Apple to see mobile phones as a means of disseminating applications. Put that all together and you have the perfect storm for a revolution in how devices are viewed and used.

There’s been an about-turn, though, as the sexy devices are now in employees’ pockets and not on their desktops. What has this meant for the CIO? The former gatekeeper for company technology is now relegated to a bit-part role as companies look to adopt bring your own device (BYOD) strategies.

This change has massive implications for the way that a business operates, with CIOs having to completely rethink all aspects of their IT infrastructure.

BYOD vs cloud
One of the first things to look at is whether a move to BYOD means a move to cloud. In some ways, says Richard Archdeacon from HP Enterprise Services’ CTO office and IS strategy, there are similarities. “Look at the drivers for the move to cloud,” he says. “It’s driven by a need for greater flexibility and better management.” He says that BYOD has brought a similar level of flexibility to the party.

The 451 Group security analyst Javvad Malik also sees advantages of moving to the cloud. “Cloud providers are often in ideal positions to offer BYOD-specific features, and many have. Though a large market exists as ‘middlemen’ to provide BYOD features in what I like to call ‘missing feature’
About our sponsors

HP is on a multi-year journey to turn HP around, and has put in place a plan to restore the company to growth. It knows where it needs to go, and is making progress. It continues to drive product innovation in its core markets, with a focus on cloud, security, and big data.

HP sees big opportunities ahead, and is well positioned to take advantage of these opportunities with its remarkable set of assets and strengths. It has the people, the plan, and the foundation in place to help it succeed on the next phase of the journey.

HP Helion Cloud helps you transform your enterprise with the most comprehensive cloud computing solutions in the industry. Cloud is not a destination, it is part of the journey to the New Style of IT. For more information, visit: www.hp.com/uk/helion

Concorde’s breadth and depth of industry knowledge is recognised by top software vendors such as Adobe, IBM, Microsoft, Oracle, and Symantec. Its knowledge extends from the desktop and datacentre to complex multi-vendor environments. It has experience and references across a variety of market sectors and industries, and clients include members of the Global Fortune 1,000 as well as investment banks, mid-market companies, public sector organisations and charities.

Concorde’s specialists bring with them many years of licensing and software expertise, from their experience within end-user organisations, the software industry, or from running SAM teams themselves. With the emphasis on creating sustainable solutions rather than one-off engagements, Concorde has helped customers save and mitigate over £50 million in the last four years by providing the tools, processes and knowledge to better manage their software.

Concorde does not re-sell software or licensing, and its reputation is one of complete vendor-independence. It can therefore offer impartial advice and support and truly represent the best interests of clients. Concorde’s practices are aligned with the IT Infrastructure Library (ITIL) SAM best practice and ISO Standard 19770-1 for SAM. At the heart of its solution is Core Control, a platform for presenting critical business intelligence from across your entire (global) software estate, enabling powerful analytics, scenario modeling and decision making support. For more information, visit: www.concordeuk.com
Databarracks provides the most secure and supported cloud services in the UK. In 2003, it launched one of the world’s first true managed backup services to bring indestructible resilience to mission-critical data. Since then, it has developed a suite of services built with superior technology, support and security at their core.

Today, it delivers Infrastructure as a Service, Disaster Recovery as a Service and Backup as a Service from some of the most secure datacentres in the world, 30 metres below ground in ex-military nuclear bunkers. The company backs this up with unbeatable support from a team of handpicked experts. There’s no such thing as ‘above and beyond’ for the firm’s engineers because they only work to one standard: to keep your systems running perfectly.

Databarracks is certified by the Cloud Industry Forum, ISO 27001 certified for Information Security and has been selected as a provider for the G-Cloud framework. For more information, visit: www.databarracks.com
Ingram Micro Cloud is a master cloud service provider (mCSP), offering channel partners and professionals access to a global marketplace, expertise, solutions and enablement programs that empower organisations to configure, provision and manage cloud technologies with confidence and ease.

Ingram Micro Cloud is part of Ingram Micro, which helps businesses Realise the Promise of Technology. It delivers a full spectrum of global technology and supply chain services to businesses around the world. Deep expertise in technology solutions, mobility, cloud, and supply chain solutions enables its business partners to operate efficiently and successfully in the markets they serve. Unrivalled agility, deep market insights and the trust and dependability that come from decades of proven relationships set Ingram Micro Cloud apart and ahead.

Discover how Ingram Micro Cloud can help you Realise the Promise of Technology. For more information on Ingram Micro Cloud, please visit: www.ingrammicrocloud.com
Introduction
Welcome!

Security is often held up as one of the main concerns for not going down the cloud route: it seems to set off all manner of nervous reactions in even the most sensible of organisations.

In some ways this is a natural reaction. After all, by definition, cloud means losing some sort of control. But security is too much of a catch-all term: what does it actually mean? Do we mean perimeter security (something that becomes harder in an era of flexible and remote working)? Do we mean device security (something that’s harder in the age of BYOD)? Do we mean data governance? (That’s a serious issue, but are we talking legal concerns or technical ones?)

In the midst of all this confusion, there’s also a greater drive towards letting lines of business choose software and run services themselves. But can we really trust non-IT people with data security?

There are so many questions to ask, and that’s before we decide whether we’re talking about threats from cyber criminals or the rather more commonplace array of spam or bloatware.

This special report, produced by the experts at Cloud Pro in association with The Cloud Industry Forum (CIF), aims to explore the key issues. We will examine the techniques that some CIOs can employ to ensure cloud implementations are running smoothly and with little risk. We believe that cloud in itself can be a secure option and that, if you choose the right provider, it can be even more secure than what’s possible on-premise.

The interesting challenge for CIOs is to make their systems more secure at a time of greater openness. The prevailing philosophy is towards more sharing and greater collaboration, but the demand for cloud security could make actioning that more difficult. However, there are ways to ensure that the modern company can be more open and accessible while still ensuring secure access: the ideal approach for all organisations.

Cloud is here to stay and more businesses are going down that route. The key, then, is to try to stay secure while doing so. We hope this report provides plenty of food for thought.

Editor, Cloud Pro
For further information please visit www.cloudpro.co.uk
Data governance in the cloud
Moving to the cloud has plenty of implications for the way that data governance is handled within organisations. How should firms approach this?

The arrival of cloud has shaken up many IT departments and long-held ways of doing business have been shoved aside. For example, the idea that business expansion could only occur by provisioning new servers has all but disappeared. Even more radically, the notion that IT departments are solely in charge of buying software has also stepped to one side. Indeed, business departments are assessing and even purchasing applications, and that’s a situation that is not going away any time soon.

Cloud touches every aspect of a business. This can be demonstrated by the way that it impacts on data governance. The arrival of a cloud provider changes everything. If you look at the definition of data governance from the Data Governance Institute (DGI), you can see where some of the sticking points are: “Data Governance is a system of decision rights and accountabilities for information-related processes, executed according to agreed-upon models which describe who can take what actions with what information, and when, under what circumstances, using what methods.”

There are some obvious hot points here: “accountabilities” and “who can take what actions” are areas where meanings can be interpreted very differently.
Business issue
According to HP fellow Mateen Greenway, there’s a more fundamental problem. It’s one that’s to do with the way that CIOs operate. “Data governance is a big problem for CIOs, particularly people who have been a long time in the industry, ones who started off as more akin to CTOs looking after hardware and wires. They don’t really understand the business issues,” he says.

In this world where lines of business have a big impact on the way that software is chosen, this can really matter. CIO thinking has to change, according to Greenway. “They’re still thinking in bits. They need to start thinking at the opposite end. ‘Who are the people who want this information and who gets value from it?’. Data governance becomes how to meet that need too,” he adds. “CIOs are used to worrying about the storage of data, now it needs to be about getting that data to the right people.”

There’s also the concern about what else happens to that data. Individuals have been considerably more agitated about threats to data security and privacy since the revelations by Edward Snowden that NSA agents were looking into Europeans’ data. The news made many businesses extremely jumpy about putting their data (or customer data) in multi-tenanted cloud providers.

According to Clive Longbottom, founder of analyst firm Quocirca, companies are certainly questioning who’s looking at their data – whether that be the NSA, GCHQ or whoever – but he says that much of this is overstated. “For the average company, there’s going to be little interest from the security forces. It’s only in industries like defence, petrochemical or aerospace that they’re going to be interested,” he says. “Your main worry is going to be the black hats, who certainly will be interested in things of financial value that you have.”

Trust
Trust is at the heart of the problem when it comes to moving to cloud. Do you trust your provider? It’s a problem that’s particularly acute for small businesses, as they may not have security resources on hand in-house. According to a recent survey from the University of Bournemouth, just over half (54.6 per cent) of small businesses cited data protection and privacy as the main reasons for shying away from cloud services. The ironic thing is that it is precisely these companies who would most benefit from the cloud – it’s a way to bring enterprise-class security to SMBs.

Some SMBs are worried that cloud service providers will not bring industry best practice to the table. There are also concerns that companies will not know where their data is being held. Any company that has dealings internationally or sends data across borders has such worries. All cloud users need to have an idea of national laws and regulations from the outset.

CIOs should start off by asking cloud providers some basic questions, advises Longbottom. “For a start, you should ask whether their datacentres are ISO 27001 compliant and then you should be asking them how they deal with data sovereignty: you want them to say where the data is,” he says.
Some of the low-cost providers may try to blur the issue of where data is being held by using content delivery networks (CDNs) or wide area data accelerators but, as Longbottom explains, this is little comfort to customers. “The best service providers don’t do this – the low cost do and will shift everything to Akamai or Limelight. You have to understand that you’ll have to pay to get the best solution,” he adds.
HP’s Greenway concurs, saying: “Cloud covers a multitude of sins and you have to realise that not all cloud providers are the same: some clouds have high SLAs, some have none. You can only select the right tool if you understand the needs. For example, you wouldn’t treat a Porsche and a truck the same. The Porsche has a lot going for it, but you can’t deliver a piano with a Porsche.”
If a company has a data governance professional, it’s key that they are involved in the decision to move to the cloud from the outset. Only a data governance professional can address all the regulatory concerns: CIOs don’t have that expertise or that level of experience.

So, what should a CIO be doing? They need to make sure they address all these concerns up front, then work out what data could be stored in the cloud. Active customer data must be treated very differently from archived data, for example. Policies should be defined and then also strictly adhered to.

Longbottom advises a slightly different order to proceedings, adding: “The first thing a CIO should be doing is taking a look at the existing internal infrastructure, as it’s probably pretty bad. You can’t look to external suppliers if your internal structure is a mess.” There’s an old adage that one shouldn’t outsource chaos because the end result will be chaos. It’s a similar story with data governance. Cloud won’t solve a problem if you haven’t got the principles right in the first place.
DATA GOVERNANCE INSTITUTE GOALS FOR A DATA GOVERNANCE PROGRAMME
• Enable much more effective decision-making within firms
• Reduce operational friction
• Protect needs of data stakeholders
• Train management and staff to adopt common approaches to data issues
• Build standard, repeatable processes
• Reduce costs and increase effectiveness through coordination of efforts
• Ensure transparent processes
Concorde delivers best practice SAM platform and services for complex hybrid IT environments
Software Clarity and Control in a changing world

Core Control simplifying software asset management
• Using data from any source
• Automated Vendor Logic and Licensing rules for all major Vendors
• Easy to use - complete SAM functionality
• What-if Scenario Modeling
• Trend analysis and variance alerting

Enabling complex global organisations to:
• Control Contracts
• Reduce Cost
• Plan for the future based on fact
• Measure vendor performance

Our services provide:
• Independent knowledge and expertise
• On demand or as a service support
• Pre-audit assessment support
• Compliance reporting

Concorde’s flexible service and support empowers organisations to embrace new technology and drive value from their IT investment. Call today to see how Concorde can help you deliver clarity and control to your Hybrid IT Environment.
+44 (0) 1491 870 250
www.concordesolutions.com
Concorde Q&A
We speak to Martin Prendergast, CEO and co-founder of Concorde, about the changing nature of software asset management and the role cloud plays here

Profile
Martin brings 10 years-plus of domain and industry experience to Concorde. He has held senior management roles at Unitrans and Morse and a number of operational roles at Peregrine Systems. Martin has worked with a large number of companies around the world and has helped architect, sell and deliver solutions for market leaders such as Computacenter, CSC, EDS and HP. He also sits on the Governance Board of the Cloud Industry Forum and, prior to moving into business, served as an army officer.
Martin Prendergast, CEO & co-founder, Concorde

How is cloud computing changing software asset management?
The difference with cloud computing when it comes to license management is that your software is now being delivered as a service. Updates and security patches are instant and can happen undetected, with your software estate constantly changing. This is presenting a visibility challenge for businesses, especially in enterprises that often deal with the management of much bigger and much more complex infrastructure. Trends like BYOD are also further complicating this, with employers also having to take licences employees have downloaded onto mobile devices into consideration.

How have vendors changed their approach to software licensing in light of the emergence of cloud?
In many cases, vendors are taking the perceived weakness of end-users, which is their lack of software licensing visibility, and turning it into their strength, by treating it as a revenue generating opportunity. While the typical vendor audit selection process was usually at random and every few years, audits are becoming more frequent and many high profile vendors now have special software compliance teams in place to specifically target organisations that may be under-licensed.

Vendors have a lot to gain from this process. Take, for example, the recent situation with CommVault where it revealed that it had only met its revenue growth target because of its recognition of deferred licensing revenue.

In some cases, vendors are making strides to cut down the complexity of licensing brought on by cloud by changing the licensing structure. One example is Microsoft, who recently implemented Server and Cloud Enrolment (SCE), a licensing model that enables customers to standardise on several Microsoft Server and Cloud technologies.
How should end-users now be handling their software licensing?
Many enterprises are changing the way they look at software asset management to adapt to the changes happening in the industry, and this is through the consideration of software value management (SVM). It’s not about simply counting licences anymore. Instead, the focus should be on obtaining and maintaining visibility of your entire software estate at all times.

Governance is an ongoing effort rather than a tick box exercise and many organisations are seeing the benefits of using real-time business intelligence to help facilitate this. Scenario modelling and comparing historic estate software values is a good way to keep track of software licensing as it continues to change. Furthermore, keeping track of software on mobile devices and having usage policies in place will help provide a clearer picture to help avoid compliance risk.

What should end-users specifically pay attention to in their cloud contracts to keep on top of SVM?
Audit and maintenance clauses are the main ones here. If you have an in-house IT team, you may be paying for a service that isn’t needed, so it’s a good idea to check in order to skim off additional (unnecessary) costs.

When it comes to audit clauses, make sure that you understand your contractual obligations and have a clear understanding of what information you will need to provide in the event of a licence audit. The majority (94 per cent) of vendors have audit clauses in their contracts, and the notice period for an audit can range from a few weeks to a few days, so it’s important to be aware of exactly what information needs to be provided before it happens.

What changes should we expect for the IT department in the coming months?
The role of the IT department has changed dramatically with the emergence of cloud computing. We’ll soon see more organisations take action to get to grips with the complexity in order to gain complete visibility of their estate. Some companies have already taken steps by using business intelligence tools to achieve this and we’re likely to see more IT departments making use of these to be in a better position to negotiate pricing with vendors and avoid being fined for non-compliance.

Transparency, compliance and governance will be key considerations for software asset managers especially, as the risk of audits and, equally, paying over the odds for software licensing continues to grow.
10
Concorde
CLOUD FOR BUSINESS www.cloudindustryforum.org
Contact us today on +44 (0)1491 870 250
Understanding what software a business is using has never been a straightforward task.
Concorde delivers intelligent solutions for managing software assets across the hybrid IT infrastructure, enabling end-users across a range of sectors to take control of their software estates, by optimising IT investment through measuring, planning, and implementing change. For one enterprise client in the manufacturing sector, the increased need for license and software transparency was becoming a key priority that could no longer be ignored.
Working alongside the client’s software asset management team, Concorde’s licencing and technology experts gathered data from across the IT landscape, hardware information, software usage data, contracts and entitlement. By increasing the range and type of data – ADDM, SCCM, LANDesk and existing discovery tools, the team could start to identify how the organisation’s IT functioned.
Using Concorde’s Core Control Software Asset Management (SAM) solution, the client’s team mapped the IT environment and identified those programmes, applications and systems that were used for business, easily identifying the common software types using the Core Control Definitive Software Library (DSL). This enabled the client to visualise the relationship between users and their specific software requirements. In addition to identifying what software was used for business, Core Control also identified those consumer applications that were installed but not approved or relevant to the organisation. With this detailed and
transparent intelligence, the client was able to initiate their IT governance policy.
With the client driving the SAM programme across the global IT estate, Core Control had links to data from every device connected to the network, enabling accurate measurement of software usage, where it was located and at any given time. This real-time data enabled the client to rationalise its IT strategy, to identify if and where cloud applications were relevant and make informed decisions on the contract types that best suited their needs.
This programme has brought considerable benefits to the client, driving governance alongside flexibility and increasing data security throughout the business.
Defining a strategy for governanceFigures from the latest Cloud Industry Forum (CIF) white paper ‘The Normalisation of Cloud in a Hybrid IT market’ tell us that despite the fact that most UK organisations have adopted some sort of cloud solution, 92 per cent of UK businesses don’t intend on placing everything in the cloud just yet. Many resellers have largely adapted to this model, and are now in a more confident position to be able to offer this. However, while some businesses are finding the best models that work for them and resellers are becoming more accustomed to delivering this, many end-users are leaving themselves vulnerable to exploitation by vendors.
The CIF results also revealed that private enterprises had the highest rate
of cloud adoption in the last year at just over 80 per cent. Considering that larger companies have the hardest job keeping track of licenses due to the sheer volume of users, visibility of an entire software estate is progressively becoming an issue.
The tables are turning from the world of traditional IT with its limited choice and risk of vendor audit. Now the challenge is to make sure you know what you’re being billed for and whether your vendor is meeting their SLAs.
Without proper governance policies and a system for identifying non-approved applications on business devices, it is difficult for an organisation to accurately identify the risks. This leaves them open to hidden costs and obscure licensing rules or tricky exit clauses and undefined data ownership. Cloud contracts are a whole new breed of agreement, and it is evolving very quickly.
Concorde delivers accurate insight into software usage, the ability to drive governance and maintain security of data across an entire IT landscape, whether it is cloud-based, on-premises or a hybrid model, providing visibility of software and service usage down to the device level. Concorde has built performance measures into vendor contracts, and can track usage or utilisation against plan, and above all, it has established global enterprise governance.
See how you can use SAM to help your business adapt to the changing IT Environment
SAM Best Practice - the driving force behind governance
Using accurate software business intelligence, the client is now driving governance alongside flexibility and increasing data security throughout the business.
Concorde
CLOUD FOR BUSINESS www.cloudindustryforum.org
Cloud, whether software, infrastructure or platform-as-a-service, has radically changed the traditional role of software procurement, software asset managers and vendor managers.
With cloud adoption rates growing, the issues of cloud governance and vendor performance are becoming a real concern for businesses. Those adopting hybrid infrastructures and using cloud applications need to consider their overall IT strategy in order to manage the services they access in the cloud and to ensure that they are both compliant and getting value for money.
It is understandable that cloud brings with it a host of new concerns for managing the needs of end users and in particular controlling the applications they use for business. The ease with which individuals can find, download and access applications that satisfy their immediate need is astounding, and there are a host of ‘quick apps’ available that offer a wide range of productivity benefits. All you need is internet access and a credit card.
The complexity of having both cloud and on-premises solutions as part of an IT infrastructure means that it can become even harder to have visibility of exactly how software is licensed across an organisation. This issue is further aggravated by the emergence of consumerisation of IT trends like BYOA (Bring Your Own Apps) which is increasingly becoming a compliance problem, especially when employees begin to download unlicensed software onto company devices.
Achieving a strong governance position is a real challenge as organisations become reliant on an increasing number of suppliers and service providers, each with their own SLAs and license agreements. As a result, it is critical for businesses to maintain a clear picture of what software they have, where they have it and how they are using it in order to demonstrate good cloud governance, maintain compliance and ensure their providers are maintaining similar due diligence for their end of the bargain.
For example, one of Concorde’s clients recently considered replacing their CRM system. They had a number of options – an entirely new cloud-based solution or a traditional on-premises platform. Cloud offers a great deal of advantages around new ways of working, including greater flexibility of business and reduced costs through user-based charging rather than capital expenditure. The client considered that the risk to data security increased, as users had the ability to access data and systems on any device as well as downloading data to any device.
However, opting for a traditional on-premises platform brought its own risks: strict ways of working, poor access to information and tightly controlled security would drive users to source their own solutions in order to increase their productivity. With a tranche of quick apps available to download, both data security and governance would be completely bypassed, and users could download their application of choice and input their client data within minutes.
Success or failure in the ‘as a service’ environment brings new challenges, difficult decisions for finance and greater complexity for procurement and contract negotiation.
The biggest single risk to governance and data security is the host of ‘apps’ that offer business applications and productivity tools – all your users need is internet access and a credit card.
Call today to see how Concorde can help you deliver clarity and control to your Hybrid IT Environment.
+44 (0) 1491 870 250
Building Governance into the ‘as-a-service’ Environment
Contact us today on +44 (0)1491 870 250
Different cloud models
How to get the most out of different cloud models
Public, private and hybrid cloud all have their own security challenges. What are the options for the CIO?
Cloud computing is here to stay. According to the latest CIF survey, some 78 per cent of UK organisations are now using at least one form of cloud service and, perhaps more remarkably, 11 per cent of British businesses are now using four or more services. That’s definitely a sign that it’s no longer a few test sites that are being deployed.
The trend is ever upwards: this is the fifth year of the survey and, since the first one in 2010, the growth has been 61.5 per cent: a healthy growth indeed. That’s not to say that cloud is taking over these organisations: the CIF survey found that 85 per cent of organisations still operate on-premise datacentres, so most firms are looking for a way for the systems to co-exist – the hybrid model of IT.
There’s a structure to CIOs’ choice, with certain services becoming an obvious fit for cloud: web hosting, email, CRM, data back-up and disaster recovery are prime choices. Anything that involves any confidential client data tends to be kept well away.
That reflects a seeming paradox among companies. Yes, there is greater acceptance of the cloud and more businesses want to use it, but such an attitude goes hand-in-hand with a distrust of cloud providers. According to research published in September 2014, 70 per cent of businesses accused cloud providers of failing to comply with laws and regulations on data protection and privacy.
The survey, which was commissioned by Netskope and The Ponemon Institute, also found that businesses thought a data breach was more likely when data was stored in the cloud – 53 per cent of respondents said the likelihood of a data breach increases due to the cloud. But that’s not the worst of it. The study also found that data breaches were likely to be more expensive when they involved the cloud.
This does seem to be unnecessary paranoia, though. There are certain items that shouldn’t be placed in the cloud, and there are some regulated industries that do have restrictions on what can and can’t be done in the cloud (more of this in another article).
Mixing things up
In fact, there’s a rather unholy mix dominating IT departments. On the one hand, there is this heightened concern about security but, on the other, there’s been a change in business culture. The CIO has to think like a service provider and deliver services – whether they are from public cloud or private datacentres, according to HP fellow Mateen Greenway.
Unfortunately, too often the CIO comes from a culture where he or she has tried to control what’s being offered, rather than thinking about what the business wants, Greenway adds. “The CIO has the reputation of being the person who says no, but the business is there to get the job done,” he says. “That’s why we’re seeing the emergence of shadow IT, because it’s the quickest way to get the job done.”
Greenway sees a contrast between the way that start-ups operate and the way that enterprises work. “New companies behave differently. They take the shadow IT route and explore the public cloud option,” he says. “It’s when they get bigger, they look to take things more private because, for some organisations, public cloud is not enough even if you encrypt the data.”
The current thought seems to be that information such as confidential customer data can’t be put in the public cloud and private cloud is the answer, but this is a little bit too simplistic. One of the problems faced by organisations is that many of them aren’t aware of what they actually have. So the tendency has been to treat everything as highly secure and, instead, the starting point should be to assess what data a company holds.
DOS AND DON’TS OF SECURING DATA IN THE CLOUD
Do:
✓ Organise your data in a taxonomy according to its confidentiality
✓ Ensure you use 256-bit encryption at rest and on the move
✓ Ensure that your organisation has a clear security policy
✓ Ask the right questions of your cloud service provider – is it 27001-compliant? Who has access to your data?
Don’t:
✗ Assume that if it’s not in the public cloud it will be safe
✗ Go for the cheapest cloud provider – look at the levels of security
✗ Shut end users out. There has to be a mix of openness and security
Now cloud teaches old apps new tricks.
Technology is a constant, forward march. And HP Helion keeps businesses from missing a beat. An open, hybrid cloud brings traditional IT up to speed and gives your developers the power to build new applications faster than ever. Built on OpenStack® technology, HP Helion boosts business productivity while making the most of your IT budget. All while keeping your data as available and secure as it should be. See how cloud lives up to its promise at hp.com/uk/helion
© Copyright 2014 Hewlett-Packard Development Company, L.P. The OpenStack Word Mark is either a registered trademark/service mark or trademark/service mark of the OpenStack Foundation, in the United States and other countries and is used with the OpenStack Foundation’s permission. We are not affiliated with, endorsed by or sponsored by the OpenStack Foundation, or the OpenStack community.
Starting with the basics
Getting a handle on the data you have should be your first port of call, according to Quocirca analyst Clive Longbottom. “First of all you should establish a taxonomy of data, then sort out what should be open, commercially confidential and top secret. Then you need to make sure everything in the top two categories is encrypted at rest and on the move. And that it’s the same level of encryption throughout - something sensible like 256-bit,” he says. “Once you start encrypting, you don’t want to have multiple keys.” This move to encryption is something that needs to be sorted out whether data is being held on-premise or in the cloud.
That’s a point of view shared by Databarracks’ solutions architect Mark Thomas. “Generally, do companies know what they have? Nine times out of 10 they don’t,” he says. But, he adds, the problem with companies getting to grips with the data they store is that it’s very time-consuming. “It takes a lot of time to sift through and classify that data: many companies just won’t do that. If they don’t have time to segregate and classify data they will assume that it has to be secure.”
However, this classification is just one stage. According to HP’s Greenway, there needs to be greater sophistication in the way that companies operate – the simple paradigm of public cloud being unsafe and private cloud being safe is not enough. “How do you securely move across a hybrid cloud environment? We need security that propagates across the infrastructure,” he says.
Greenway thinks that present day discussions about security provision don’t go far enough. “What should happen is that the security travels with the data itself. It should be the platform that should say ‘This is a document I need to secure.’ When we get to those levels, then we can start treating hybrid cloud as a secure option,” he says.
In the meantime, we have a host of different efforts to secure cloud. We’ll still get companies moving confidential data into private cloud, but it’s doubtful whether this is a situation that will last forever.
Public cloud is not the insecure option that many people take it for, according to CIF chairman Richard Sykes, who says: “When you look at companies like Amazon, you effectively have people running datacentres as a manufacturing process, so there’s a state of continual progress. Big cloud players offer so much in servers, in security and so on that companies who run their own datacentres will constantly be slipping behind.” Sykes believes that, sooner or later, public cloud providers will offer so much more in terms of security that private cloud will be left behind, although some concerns will linger. Greenway concludes: “If you want total data security, you can put all your data on a drive, lock it in a safe and drop it at the bottom of the sea.”
HP Q&A
We speak to Peter Schofield, cloud and mobility director of advisory services at HP, about how cloud is changing the nature of business
Peter Schofield, HP’s cloud & mobility director of advisory services
Profile
Peter is the global portfolio lead for HP’s applications transformation, cloud and integration. In this role Peter is responsible for HP’s investments in cloud applications and for the global and EMEA cloud applications portfolio and sales enablement teams.
Peter is currently also leading HP’s Helion Professional Services initiative for application transformation to cloud, launched at HP Discover in Las Vegas.
Peter has experience in implementing major applications modernisation programmes in the UK Government and financial services in the private sector. He has also worked with HP’s strategic clients and carried out financial services and government strategy work, in addition to his role as EMEA consulting CTO during his 12 years with HP.
What reassurances can you provide CIOs who want to move to the cloud?
Assurances on the use of HP Helion OpenStack components for enterprise use include the portability of workloads. In addition, there is the integration between different cloud services using HP’s CloudSystem Automation software and strong solutions to meet regulatory, security and privacy requirements.
Within a hybrid environment, is there a difference between the way you look after data on-premise and data in a cloud?
Yes. On-premise, the legal and regulatory frameworks are clear. For cloud services, the geographical boundaries of the cloud and, in some cases, support services need to be taken into account for government and regulated businesses.
Who should have responsibility for data governance?
The business owner of the data is a core part of the business. In my opinion, this should never be delegated. But it can be assisted and enabled by the supporting functions listed.
What particular reassurances can you offer to CIOs within highly regulated industries?
HP has a range of hardened enterprise-grade cloud services tailored to meet regulatory needs with military-spec security built-in, while HP Enterprise Security Services provides independent validation and assurance for HP and any other cloud offerings.
The rise of big data has meant that data needs to be more readily accessible from a variety of different endpoints. How can you marry accessibility with security?
Big data can be aggregated for consumption so that the core data remains highly secure on-premise or in a private cloud. Where data needs to be made more accessible, existing trusted authentication processes and technologies should be used to ensure the correct level of security on the full range from public through to private cloud.
Following on from that, what preparations should a CIO be making to prepare for a culture where mobile communication is the norm?
In many countries, mobile communication is already the norm. Some government departments are already switching to mobile as the primary channel and many enterprises are already finding that ‘digital natives’ are spurning traditional channels.
In addition to the well-trailed technology enablement for mobile communications and managing the apps ecosystems springing up, there are two key areas that CIOs need to grasp with the support of their marketing colleagues.
These are focused on the whole area of digital customer experience and bringing service-design thinking to the fore. Both of these disciplines are aimed at making digital services infinitely more attractive and consumable by today’s consumers, customers and citizens whose expectations have been fundamentally changed by the new generation of business.
Do you see a difference in the way that the public sector and private sector handle data?
Interestingly, I see a huge convergence between commercial and public sector organisations in the care needed for data, whether it be patient healthcare records, the delivery of digital content for a cinema chain or the integration of risk and regulatory data for a bank. The issues and solutions are increasingly the same.
Is there a difference in the way that HP tackles security and cloud security?
HP Enterprise Security Services provides an integrated set of security consulting and management services. These services are underpinned by a network of eight security operations centres to effectively cover all aspects of information security, including issues related to cloud computing.
HP Case study
At-a-glance
Secure protection in a world of complex threats
HP Vulnerability Management
Identify vulnerabilities and learn from gathered intelligence. Get current state knowledge from constant assessment of your IT systems’ vulnerabilities.
See your vulnerabilities
IT vulnerabilities can be tremendously expensive to companies in terms of brand and reputation damage, lost IP, fines, and remediation costs.
In a large environment, it is always challenging to validate that proper patches or correct configuration settings have been applied. You need regular vulnerability assessments of computer systems, networks, or applications for weaknesses, along with criticality prioritization and remediation advice.
On the other hand, applying patches to avoid vulnerabilities also can be tremendously expensive due to the system downtime, testing, and disruption inherent to the patching process.
Since many vulnerabilities may pose minimal or no risk to your particular IT environment, it is important to judge carefully the relevance and seriousness of vulnerabilities versus the cost of patching.
Know the value
HP Vulnerability Management Services provides capabilities for proactive and periodic scanning of the corporate IT infrastructure to discover vulnerabilities. It also provides threat intelligence information correlated and focused on your critical technologies.
This enables you to stay a step ahead of hackers and make sure your critical infrastructure is patched and protected. At the same time, you avoid the effort and cost of emergency remediation for vulnerabilities that are less important or even irrelevant to your specific IT environment.
Realize the benefits
• Risk-prioritized approach to managing vulnerabilities
• Threat intelligence and insight focused on your corporate IT infrastructure
• Cost-effective approach to meet regulatory compliance requirements
• On-demand access to service without capital expenditures
Insights
• You need to protect and defend your IT systems.
• An integrated approach is necessary.
• HP Vulnerability Management Services can help.
Manage your threats, exposure
HP provides a variety of options for scan coverage and integration of data into other outsourced services. We provide input into the prioritization of security alerts and investigations. It follows this approach:
• Implement plan with technical facts survey—ensuring relevant information is captured and considered.
• Assign and track remediation activities and approved exceptions, using the HP Implementation Plan Builder.
• Provide an historical record of scanning for at least one year, using a scan manager.
• Implement an automated preinstallation scan to minimize the build time of a new server by enabling automated scanning and rescanning of new servers.
• Integrate existing vulnerability scanning information into an HP Security Information Event Management solution to prioritize other types of alerts and enable HP Security Operations Center staff to quickly investigate issues.
• Correlate scanning information with vulnerability and threat information from hundreds of vendors and thousands of specific versions of products 24x7x365— further prioritizing incoming threat and alert data and enabling the semi-automation of alert investigation.
Scan for vulnerabilities
Three types of vulnerability scanning services are available:
Scheduled scans—You can request these scans, based on contracts and subscription, as regular recurring, periodic scans. Frequency is based on your needs.
Preinstall scans—These scans are performed before system deployment as part of the system provisioning process.
Ad hoc scans—You can request these scans separate from contracted periodic scheduled or preinstall scans.
Our best practice recommendation is that all servers be scanned a minimum of once per year but a variety of options are available.
This minimum level of scanning is considered a required service. Many organizations opt for quarterly, monthly, weekly, or continuous scanning. We work in smaller or shared environments to validate inventory and blacklists of devices and applications that should not be scanned.
Organizations in larger environments can work with an inventory list or use discovery scans to gather and validate inventory information.
HP tracks the quality of the network vulnerability scanning service through three key measures:
• Scan coverage—This is the percentage of inventoried IP addresses successfully scanned. This metric provides visibility into the coverage quality for each scan so issues can be addressed, and any network changes affecting coverage can be remediated.
• Serious vulnerabilities per scanned IP—This is the number of high vulnerabilities per IP scanned. HP works with your organization to prioritize remediation activities and track overall issues and improvement.
• Number of repeat vulnerabilities—If issues cannot or have not been remediated between scans, identified stakeholders and remediation teams can be alerted so remediation barriers can be investigated, reviewed, and resolved.
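The three quality measures above can be computed from a scan's raw output. The following is an added example, not HP's code or part of the datasheet: it takes a constructed inventory and two consecutive constructed scan results and works out scan coverage, serious (high-severity) vulnerabilities per scanned IP and repeat vulnerabilities, counting a repeat only where the same check fired on the same IP in both scans and the IP was actually reached both times (an IP missed by the scanner is a coverage gap, not evidence that the finding was fixed). The check identifiers and addresses are constructed.

```python
"""Quality measures for a network vulnerability scanning service.

Added example (not HP's code): scan coverage, high-severity findings per
scanned IP, and repeat findings across two consecutive scans.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    ip: str
    check_id: str   # scanner's identifier for the check (constructed values below)
    severity: str   # "high", "medium" or "low"


@dataclass
class ScanResult:
    scanned_ips: set          # IPs the scanner actually reached
    findings: list            # Finding objects reported for this scan


def scan_coverage(inventory, result):
    """Percentage of inventoried IPs that the scan successfully reached."""
    if not inventory:
        return 0.0
    reached = inventory & result.scanned_ips
    return 100.0 * len(reached) / len(inventory)


def unscanned(inventory, result):
    """Inventoried IPs the scan missed; these need follow-up, not a clean bill."""
    return sorted(inventory - result.scanned_ips)


def serious_vulns_per_ip(result):
    """Number of high-severity findings divided by the number of IPs scanned."""
    if not result.scanned_ips:
        return 0.0
    high = sum(1 for f in result.findings if f.severity == "high")
    return high / len(result.scanned_ips)


def repeat_vulns(previous, current):
    """(ip, check_id) pairs present in both scans, restricted to IPs scanned both times.

    A finding that vanished because its host was not reached this time is not
    counted as remediated; it simply drops out of the comparison set.
    """
    both = previous.scanned_ips & current.scanned_ips
    prev_keys = {(f.ip, f.check_id) for f in previous.findings if f.ip in both}
    cur_keys = {(f.ip, f.check_id) for f in current.findings if f.ip in both}
    return sorted(prev_keys & cur_keys)


def quality_report(inventory, previous, current):
    """Bundle the three datasheet measures plus the list of missed hosts."""
    return {
        "coverage_pct": scan_coverage(inventory, current),
        "unscanned": unscanned(inventory, current),
        "high_per_ip": serious_vulns_per_ip(current),
        "repeats": repeat_vulns(previous, current),
    }


# Constructed sample data: five inventoried hosts, two consecutive scans.
INVENTORY = {"10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5"}

PREV = ScanResult(
    scanned_ips={"10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5"},
    findings=[
        Finding("10.0.0.1", "CHK-001", "high"),
        Finding("10.0.0.2", "CHK-002", "medium"),
        Finding("10.0.0.3", "CHK-003", "high"),
        Finding("10.0.0.4", "CHK-001", "high"),
    ],
)

# This time 10.0.0.4 was not reached, 10.0.0.3 was fixed, 10.0.0.2 has a new
# high finding, and 10.0.0.1 still carries CHK-001.
CUR = ScanResult(
    scanned_ips={"10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.5"},
    findings=[
        Finding("10.0.0.1", "CHK-001", "high"),
        Finding("10.0.0.2", "CHK-004", "high"),
        Finding("10.0.0.5", "CHK-002", "low"),
    ],
)

if __name__ == "__main__":
    for key, value in quality_report(INVENTORY, PREV, CUR).items():
        print(f"{key}: {value}")
```

Note that the unreached host 10.0.0.4 lowers coverage to 80 per cent and keeps its earlier CHK-001 finding out of the repeat count, which is the behaviour a remediation team wants so that scanner gaps are not mistaken for fixes.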
Get vulnerability intelligence
The HP Vulnerability Intelligence Service is an optional capability if additional awareness of
threats and vulnerabilities is warranted within your environment. It includes:
• Assessment and customization—Evaluation of your in-scope environment and written recommendations on technology prioritization for monitoring
• Instant notification—Real-time notification provided for publicly known vulnerabilities, based on your criteria—severity of vulnerability and other risk criteria
• Daily and monthly summary reports—Consolidation of all publicly known vulnerabilities, based on your criteria
Other optional features include:
• Monthly, live, and interactive Adobe and Microsoft Patch Tuesday briefings, with question-and-answer period
• Quarterly, live, and interactive Oracle briefings, with question-and-answer session
• 24x7 hotline access to HP experts for additional consultation
Why HP?
• We offer an integrated framework for the discovery, tracking, remediation, and analysis of vulnerabilities—at an attractive price.
• Through our TippingPoint team, NMCI security team, and other groups, HP is actually the source of many of the vulnerability discoveries that are fed to Microsoft, VeriSign, and others. HP discovers four times the critical vulnerabilities found by the rest of the market combined.
• HP monitors thousands of technologies from 200-plus vendors for system vulnerabilities. We publish more than 8,500 bulletins per year.
• HP has more than 40 years of experience delivering security services, with thousands of certified security professionals worldwide.
Learn more at hp.com/go/security
© Copyright 2012-2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Adobe is a registered trademark of Adobe Systems, Inc. Microsoft is a U.S. registered trademark of the Microsoft group of companies. Oracle is a registered trademark of Oracle and/or its affiliates.
4AA4-0828ENW, August 2014, Rev. 3
Regulated industries
Regulated industries can benefit from cloud computing
The idea cloud can’t be used by regulated industries doesn’t stand up to scrutiny. Indeed, there are many ways in which the technology can be deployed...
While there have been huge advances in the take-up of cloud thus far, certain industries have been reluctant to commit. Organisations in the finance, insurance, pharmaceutical sectors or any industry that is subject to a certain degree of regulatory control have been loath to put too many assets into the cloud.
Compliance regulators have laid down a lot of demands on enterprises, who are forced to jump through multiple regulatory hoops.
Although there have been some exceptions to this - a couple of banks in Australia, for example, have been moving sections of their infrastructure (and, in one case, the entire IT set-up) to Amazon - it’s fair to say that highly regulated industries have historically been suspicious of the cloud.
It has been very difficult for these industries to embrace cloud as not every service provider is very transparent as to how data is protected, according to Mark Thomas, solutions architect at Databarracks. “That’s not to say it can’t be done. Regulatory bodies can set guidelines to follow and the credit card regulatory body, the PCI, does this well,” he says.
“The PCI has been doing this a lot. And you can meet PCI, as long as you follow best practice,” he adds.
PCI is just one example of a guideline that can be followed by a company going down the cloud route. Not all regulatory bodies are so open-minded, however. But this should not be a barrier; thousands of companies are moving to some form of cloud computing and there are advantages for financial institutions to move to the cloud too.
That includes all the usual benefits (greater flexibility, cheaper software, easier disaster recovery and so on) but also the ability to modernise their infrastructures. This is particularly pressing for banks, many of which are built on legacy IT.
Old-fashioned and out of date?
Quocirca analyst Clive Longbottom says that the main issue with regulatory bodies is that they’re based on old-fashioned technologies. “Compliance standards are based on physical paper,” he says. “BASEL and DCA, for example, are still very much based on paper and are yet to take on board electronic delivery.”
Politicians have been slow to react to global changes, which has exacerbated the problem, according to Longbottom. “The laws are lagging behind what’s happening in the industry,” he says. “Politicians are not very good at keeping up to date. They don’t realise that the world doesn’t pay attention to lines drawn on a map.”
According to Longbottom, there’s one exception to this. “The only regulatory body that I’ve seen that really takes cloud on board is the Capital Requirement Directive with its external reporting markup language,” he says, stressing it stands alone amidst a herd of paper-based dinosaurs.
But this idea of slow-moving regulatory bodies is not a fair one, according to Marc Vael, chairman of the cloud computing task force with IT auditing body ISACA. “Maybe it’s true [of some], but I don’t think it’s true of other bodies,” he says. “Yes, the financial regulators are a little behind, but they’re aware of digital and are investing in digitisation.”
So, if the regulatory bodies are doing their best to catch up with the 21st century how should CIOs work with them? Vael says that the first thing that CIOs should be doing is asking the same questions of providers as they would of their own company. But, most of all, he says, CIOs should not treat all cloud providers as the same. “There’s a huge difference between the global players, then the marketing people who changed everything to the cloud and small and niche players,” he says.
THE COMMUNITY CLOUD OPTION
One of the ways in which regulated industries can explore cloud safely is the community cloud option, a multi-tenant cloud infrastructure providing cloud services to organisations with similar requirements and shared objectives. For example, it may be the best fit for utility companies, for public sector groups with shared interests or among banks. By combining resources, the members of the community cloud will benefit from sharing compute power, software and storage, using economies of scale to drive costs down.
There will be some data held in private datacentres, as companies will be unwilling to share everything with close competitors, but not all data is that confidential and the community cloud could provide a way forward.
There are difficulties with the concept though. Security, obviously, but there are also issues with software licences, allocation of costs and data governance (among others). That said, the concept of the community cloud is clearly an option for some. In time, we can expect to see certain service providers specialising in particular sectors, offering a customised service.
We’re some way from community clouds becoming mainstream, but they do offer a further option to regulated sectors.
Vael points out that much of the discussion on cloud focuses on the major providers, but it doesn’t have to be that way. “Everyone’s staring at the big ones, but they’re not the only ones,” he says, pointing out that where he is based, in Belgium, he has other choices. “There are four big domestic providers in Belgium who say that data is going to stay in Belgium and is not going to go anywhere else,” he adds.
That provides a choice, one that is replicated in other countries, according to Vael. “Customers should look to domestic models, ones which provide an outlet that may have more of a focus on privacy,” he suggests.
There certainly seems to be a clash between service providers, national regulators and, in Europe, the EU. At present, governments are lagging behind, according to Longbottom. “National and regional laws are trailing what’s happening in technology. For example, Germany says information on German citizens can’t be held outside German borders – I’m not sure that it’s enforceable,” he says.
“That’s before we mention the question of where the data’s being distributed. It’s no longer subject just to national regulation, but could be held on a variety of different appliances around the world.”
Private: Do not enter
There are also other forces at play. While a company has to follow guidelines laid down by an industry regulator, there are other bodies involved, namely privacy bodies. “Privacy is important too. Personal identification information (PII) is regulated by industry regulators and privacy regulators,” Vael adds. This is yet another issue to throw into the mix.
There’s also the ever-shifting pattern of regulation. Rules that were once sacrosanct are now being reworked. “Healthcare data used to be held within the hospital, now it’s within the borders of the country,” adds Vael, who calls for an approach towards privacy that would be immediately effective in all countries in the EU. He points out some of the drawbacks: “It won’t help companies who are global and companies outside the EU see that as a trade barrier,” he says, adding he believes such challenges can be overcome.
It’s not just about national or EU regulation though, according to Vael. Firms should be asking cloud service providers whether they follow ISAE 3472, he suggests. “This is an international standard of audit – replacing SAS79,” Vael says. “It’s a mark to a customer that I’m guaranteed to follow all the rules and saves them having to check everything – otherwise it’s a big task to get that done.”
But details about the standard are not easily found. And, as Vael points out: “Other people - the bad guys - would really like that information.”
There’s nothing wrong with any industry – even a regulated one – exploring the potential of cloud. There are the usual questions to ask, ones you would ask any provider, but there are also other areas to explore. These are based on auditing standards and ensuring you know where your data is at all times. It’s important not to treat all cloud providers the same – some will provide detailed information about where data is being held, some won’t.

It’s also important not to treat all data the same: sensitive customer information cannot be treated in the same way as system data.

And there shouldn’t be too much pressure placed on the service provider. “Not all the emphasis should be on the service provider,” Thomas says. “The customer has to do as much digging and analyse what it has in its environment.”
Disaster Recovery as a Service: ULTRA SECURE PEACE OF MIND

Databarracks has been providing the most secure cloud services in the UK for 10 years.

Since launching one of the world’s first managed backup services in 2003, we’ve been bringing unbeatable performance and resilience to mission critical data with our disaster recovery and infrastructure services.

Housed 30 metres below ground in ex-military nuclear bunkers, our DRaaS platform was recently benchmarked as running 1,702% faster than a leading competitor. That means faster recoveries, better testing and guaranteed availability when you need it most.

This is all backed up by unparalleled support. Our hand-picked engineers are dedicated to keeping your public and private clouds running in perfect harmony, 24/7/365. Consistent performance, constantly supported.

To find out more visit us online at www.databarracks.com or call 0800 033 66 33
Databarracks Q&A

We discuss cloud security concerns and why businesses needn’t worry so much with Peter Groucutt, managing director of Databarracks

Peter Groucutt, managing director, Databarracks

What reassurances can you provide CIOs who want to move to the cloud and are concerned about the regulatory environment?

They are not on their own. This is a very common concern. I would suggest that they engage with their regulators. If there is not any specific guidance published on the use of cloud services, ask why.

There are different types of regulators with different approaches to how they govern. Payment card regulations for instance are very prescriptive – you know exactly what needs to be done to be compliant. Industry-specific regulations are often less specific and more like guidelines for the use of cloud computing. It is that sort of regulatory environment that can cause the most difficulties, because there is a lack of clarity.

If you have a good understanding of your regulatory environment, there is a lot that can be transferred from on-premise computing to cloud services. Access, encryption and data retention are all issues that can be tackled in similar ways. If regulators are not clear about how to address cloud-specific issues like location of datacentres and multi-tenancy then push them for clarification.
How aware are CIOs of where their data is stored?

Very aware… mostly. Major IT decisions and infrastructure moves will be very well scrutinised. If a business wants to move all of their systems to an IaaS provider, those projects will involve not just the CIO, but the IT team, legal and compliance departments and probably the board.

The problem for CIOs is what we are now calling ‘Shadow IT.’ These are the smaller projects that aren’t authorised and approved by the IT department. As more technology products target ‘line-of-business’ owners rather than the IT department, it is a trend that is likely to continue. Often the first time that IT will hear about these projects is after the purchase when someone wants to integrate the service with another system and needs some help.

This issue is fixed by communication and by making sure that departments actually engage with the IT team rather than work around them.

The better CIOs are the ones who are thought of as enablers by the rest of the business, not just compliance-fiends who are defending their empires.

Within a hybrid environment, is there a difference between the way you look after data on-premise and data in a cloud?

There can be. For some people that is the point of having a hybrid cloud, keeping sensitive systems on premise and pushing less sensitive data out into the cloud.

On the other hand, one of the other key reasons businesses use hybrid cloud is that they can use it for ‘cloud bursting.’ This can be sensible if you usually have very stable resource consumption, then periods when you need to scale up.

For those use cases, you actually want exactly the same data management for your on premise systems as in the cloud. The best platforms in those instances are the ones that allow for good integration to keep the process simple.

Profile

Peter has a history in understanding and mitigating risk, having spent many years working in risk management roles within the banking sector – particularly developing applications to monitor value-at-risk across the banks’ treasury and hedged products. In 2000, Peter combined his skills in application development with his love of sailing to set up his own company building ship monitoring and harbour management software, integrating search and rescue using GPS and Radar. Peter has been the managing director of Databarracks for the past 12 years, growing it from one of the first online backup companies in 2002 to one of the UK’s leading cloud service providers.
Who should have responsibility for data governance?

A combination of people. This is really about responsibility and accountability. In organisations large enough to have a CIO or a CSO then, yes, this obviously becomes something they would have overall accountability for. However, they won’t have the direct interaction with systems to make plans a reality, so a lot of responsibility is pushed down to the systems teams to make sure it is enacted.

This also depends on the type of organisation and the regulations you need to comply with. Individual departments will have responsibility for certain regulations. The Data Protection Act is concerned with personal data so there needs to be an element of ownership from marketing departments and the accounts department will primarily be responsible for HMRC compliance.

What particular reassurances can you offer CIOs within highly regulated industries?

The most highly regulated industries like finance, healthcare and legal actually tend to be very well informed.

Often we find that regulation isn’t actually preventing uptake of cloud services. In some cases, it is just a case of not wanting to be the first to stick their neck out and use a service no-one else is. It is a case of waiting and watching the early adopters. Once these first companies have taken the risk - and then reported the benefits - it is easy for others to start using cloud services.

Vendors can provide assurances about data security in the form of accreditations. Vendors can also be transparent about their infrastructure and processes. Again, it tends to show potential customers the service providers invest far more in security than customers can.

The lesson we have learned taking ‘online’ or ‘cloud’ backup to market over the last 12 years is that, ultimately, the best reassurance won’t come from the service providers. Such reassurance will come from other businesses in the same industry with similar compliance challenges who are willing to share their success stories.

Do you see a difference in the way that the public sector and private sector handle data?

Yes. Public sector data management is changing. They are moving from seven classifications in the ‘Business Impact Level’ system of data down to just three. Data would be classified IL0, IL1, up to IL6. Now it is just ‘Official’, ‘Secret’ and ‘Top Secret’.

It is a slight oversimplification but, in the private sector, businesses often have just two broad categories of data. Their ‘compliance data’ and ‘everything else’. They manage the ‘everything else’ according to their own principles but keep it separate from ‘compliance data’ because they know they have to follow specific rules for that data.

The problem for the public sector is that firms often have a mix of different classifications of data all together. This means they have to manage all the data at the highest level of security. The changes in public sector data classification mean that now the majority of that data is at the lower level. This makes it far easier to manage that data and to use cloud services through G-Cloud.

In terms of procuring cloud services, this actually makes the public sector more like the private sector. When G-Cloud started, public sector buyers could just pick a supplier based on a security level, for example an IL2 backup service. G-Cloud buyers now have far more freedom of choice, but they also have the responsibility for choosing a service suitable for their needs.

Is there a difference in the way that Databarracks tackles security and cloud security?

No. We have technically always been a cloud service provider, even before we all used the term ‘cloud’. Since we began in 2003, we have always provided multi-tenant services over the internet. For us ‘cloud security’ is ‘security’.

Do you think legal requirements and regulatory issues are a barrier to cloud adoption?

They can be. How regulation impacts the adoption of cloud depends on the specifics of the regulator. If the responsibility is pushed onto users of those services, like for instance how the Solicitors Regulation Authority (SRA) governs, then users are free to make their own decisions.

I think most organisations prefer this method of governance to overly specific and prescriptive guidance.
Data Health Check
The Databarracks annual Data Health Check surveys hundreds of IT professionals across 19 different fields to capture a snapshot of the way businesses use and think about IT. Here are the highlights from 2014.
Survey results: key findings

1. Backup and data retention

49% of organisations do not distinguish between old and new data

48% of organisations have not tested their disaster recovery plan in the last 12 months

18%: “Human error” was the 3rd largest cause of data loss

How did small and large organisations compare in this survey?

Large organisations vs small organisations:

22% of large organisations listed ‘human error’ as the main cause of data loss over the last 12 months, compared to just 6% of small organisations.

10% of larger organisations lost data as a direct consequence of an external security breach, compared to just 1% of small organisations and 7% of mid-size organisations.

Only 3% of large organisations have no data retention policy, compared to 23% of small organisations.
9% of Consumer, Retail and Leisure businesses experienced data loss because of human error, compared to 23% in Technology and 29% in Finance.
On the other hand, as one of the most tightly regulated industries, none of the financial organisations surveyed reported experiencing data loss as a consequence of an internal security breach (such as employee theft).
[Chart: What is your data retention policy? Responses: I don’t know; We don’t have one; We have an internally set policy; We keep all data forever; We keep data for a period specified for regulatory compliance. Values shown: 5%, 11%, 18%, 18%, 49%]

2. The state of cloud computing

[Chart: Which factors do you consider to be most important when selecting a cloud provider? Factors: Security; Functionality of service; Reputation; Standard of SLA (service level agreement); Hardware; Data centres; Size of company; Location of cloud service provider HQ; Other; Hypervisor; Location of hosting. Values shown: 62%, 38%, 33%, 21%, 19%, 18%, 13%, 10%, 5%, 11%, 17%]
The majority of respondents from every industry rated security as the most important quality when selecting a cloud provider.
However, those who had adopted fewer cloud services tended to rate security more highly, indicating a disparity between expectation and reality.
[Chart: Percentage of respondents who rate security highly, by organisation size (small, medium and large organisations) and by cloud adoption (respondents who’ve adopted 1 or 0 cloud services vs respondents who’ve adopted 2+ cloud services). Values shown: 78%, 48%, 74%, 49%, 59%, 36%]
3. Compliance and data security
Of the 106 respondents who reported they had not reviewed their security policies in the last year, an astounding 21 chose not to despite having experienced significant cyber-attacks in the last 12 months. CryptoLocker, Heartbleed and Keyloggers were the most common cyber threats experienced.
[Chart: Have you reviewed your security policies in the last 12 months in response to a cyber-threat? Responses: yes, we have reviewed our security policies and made no changes; yes, we have reviewed our security policies and have made changes; no, we have not reviewed our security policies; I don’t know. Values shown: 32%, 29%, 26%, 13%]

[Chart: Respondents that have been affected by cyber threats in the last 12 months, broken down by organisation size (small, medium and large organisations) and by industry (Industrial; Consumer, Retail & Leisure; Finance; Public Services; Technology; Professional Services). Values shown: 48%, 70%, 63%, 39%, 37%, 42%, 46%, 30%, 30%]
Want to know more? Download the full report at info.databarracks.com/DataHealthCheck2014.html or take a look at the interactive infographic at datahealthcheck.databarracks.com
How to draw up a comprehensive cloud security policy

What should your first steps be when formulating a security policy for cloud use? Davey Winder has been talking to the experts about this very subject. Read on to find out more...

A formal information security policy is not an optional item for your business. Yet, when your company migrates to the cloud, in any capacity from data storage through to application delivery, it’s often mistakenly accepted that the existing policy will cover this new ground.

Many say that data is data wherever it is stored and the same security policies should apply. While there is some logic to this, it’s rather flawed and has the potential to leave your enterprise exposed to unnecessary risk. An information security policy needs to be a dynamic thing that changes to meet the security demands of the enterprise, and the data it deals with, as new technologies become part of the business landscape.

When it comes to the cloud, the single biggest benefit of having a relevant policy is that the process of creating it requires in-depth thought about what security in the cloud really means to your business and to your data. This necessity to think out loud, to determine a structured response to your needs from top to bottom, is often an eye-opener for the entire team working on it.

Making the commitment to your data

Writing such a document for the cloud is actually little different from any other security policy. It’s just a formal commitment to protect all the data your business uses, which then necessitates a strategy to determine the levels of required protection and the process needed to both achieve and maintain that. Delegating this policy building process to a third party such as, for example, your cloud service provider is security suicide. Your cloud security policy, like your broader data security policy, must be your responsibility. To be sustainable and effective it has to be written from the ground up, and contain input from the top down.

Whether that means the director of a small business working with an external consultant or the board working with the IT, legal and HR departments will depend entirely upon the size and structure (and to some degree the market sector) of your organisation. However, there are some constants which remain no matter how big or small the business, or what sector you are working in.

No policy document is an island

Your cloud security policy should form a coherent part of your organisation’s Written Information Security Programme (WISP). So, while it has to be able to stand tall in addressing the specific needs of data security within the cloud environment, it cannot be totally separate from - and at odds with - the data security policies that are in place elsewhere. A WISP should be seen as a collection of policy documents that provide the steps needed to enforce the security measures they demand. Be aware of this need to co-exist from the get-go.

Don’t reinvent the wheel

Although your existing data security policy isn’t going to be a shoo-in to a cloud-based document, parts of it will fit without too much adaptation. Don’t be afraid to re-use them if they are fit for purpose. Existing policies are there for a reason, and if it can apply to cloudy data then apply it. Equally, look to what others have done and draw from that; ask affiliates or peers within your market sector who have migrated to the cloud for their thoughts, and draw on their experience when it comes to considering your own policy.
Understand your needs before you start writing policies to address them

This might sound obvious, but putting the cart before the horse is not as uncommon as you might imagine. You need to determine how you will be using the cloud; will it be for data or applications, or maybe a combination of the two? This determination will then allow you to focus on which criteria are required in terms of security policy. It’s that ‘thinking out loud’ process mentioned earlier in action.

For example, when looking at data handling in the cloud from a policy perspective, you will first need to think about how you classify data and how that determines which data is considered ‘cloudable’ by your policy. If you don’t already have a data classification policy then you will need to create one, and the processes required to put that into place.

Your cloud security policy should be readily accessible

Your policy must be both available to and understood by all your employees. No exceptions. You should also bear this in mind when writing the policy in the first place. What’s more, if you want to keep training costs down, it’s best to avoid over-complication and technical complexity. The best security policy will be one that is clear and concise. Don’t be afraid to state the obvious, as that way nobody can claim to have missed the point. Every cloud security policy should start with a definition of intent, which clearly outlines the whole point of the policy. For most organisations, this is likely to be ‘to mitigate the risk to data when using cloud-based services’.

Include worst case scenarios as well as rose-tinted best practice specs

Your policy should not just be about protection, but also about reaction too. Consider how any cloud data breach would be dealt with, including logging and reporting processes, forensic functions and cloud provider cooperation. There are also disaster recovery issues to be considered. You must ensure continuity of operations and not forget ‘end of life’ procedures relating to data transfer and secure wiping if you wish to change cloud providers at any point.

Finally, always involve your legal department

If you don’t have an in-house legal team you should instruct a suitably qualified lawyer. A policy which has no legal standing is as good as useless. This point is particularly pertinent when it comes to the cloud, not least as subjects such as physical location of data storage and transit can have legal implications upon privacy and security compliance issues.
DEVELOPING A BYOD-FRIENDLY SECURITY POLICY

One policy should take pride of place: make it mandatory that non-supported devices cannot be used to access or store corporate data. And that means being wary about consumer (i.e. non-business) devices.

Your security policy should also address the fact that, if the device has access to corporate information, then company policy applies. If it can access the corporate network via VPN, then it’s part of the same network and subject to the same rules.

Use a real-time approach to malware detection to ensure that any threats are detected in the shortest possible time.

Access to non-business cloud services should be carefully monitored and controlled. Why are employees doing this? Ascertain what they’re using it for and offer secure alternatives.

Ensure that devices and cloud-based applications adhere to any appropriate regulatory compliance schemes.
Concerns over customer data still holding businesses back

Businesses are beginning to make the most of their data, but they need to ensure security issues are sorted out first...

In the past couple of years, companies have been waking up to the idea that the data they hold can bring commercial success. We’re now seeing companies looking to assess social media feeds and video in an attempt to become better informed about their customers.

It’s here that cloud comes into being. It provides businesses with faster analytics, which leads to greater agility. In a competitive market, having such flexibility could lead to real business advantage.

However, there’s still some resistance to this. A US survey from analyst firm Forrester Research, published earlier this year, found that about a third of companies had no plans to move BI systems to the cloud at any point. It’s true though that this means about two-thirds have either done so already or are about to move. Because cloud offers fantastic advantages for companies wanting advanced analytics, it was only to be expected that such large numbers would opt for the benefits that it could bring.

The European ethos is somewhat different. The need for privacy is more deeply ingrained and this goes hand-in-hand with concerns. The Forrester survey was a stark reminder of the difference: so concerned are Europeans about cloud security, there would have been far fewer companies if Forrester had carried out a similar piece of research over this side of the pond.

This is because there is much more concern about the perceived lack of security about cloud. Service providers can talk up their credentials as secure providers but it’s often to little avail.

Couple this with an almost philosophical belief that all data should be held securely, regardless of its importance and level of confidentiality, and you can see some of the difficulties in using cloud within Europe.

And there lies the problem for companies. To make best use of the data, there needs to be a degree of openness and an ability to share, but many businesses are reluctant to make the move – often the barriers are cultural rather than technical.

Some companies do get it though. According to Radek Dymacz, Databarracks’ head of R&D, there are two different approaches to openness and sharing: modern IT and old-school enterprises. “The old-school enterprises have struggled because they have data management baggage,” he says. “They tend to keep more data private than is actually necessary. Their challenge is to rethink what they classify as private to just not shareable information,” he says.

Modern enterprises don’t have the same problem, according to Dymacz. “That’s because they exist in the era of data sharing,” he adds. “I would say that these organisations have a much smaller proportion of their data overall that they consider to be private, but they also have a good grasp of the distinction over what can be shared,” he adds.

“They also tend to have a better grasp over the methods to share data effectively. These are the organisations who understand how important speed of access to data is.”
Private vs public

Many companies do not have a sufficiently granular taxonomy for dealing with information and are inclined to treat all data as private. This has led to companies spending more on security than they need to and also leads to the idea that the cloud is the only place to put confidential data. That’s not necessarily true but is widely accepted as the case.
It’s time to think again. What’s needed, suggests Dymacz, is to re-evaluate what private data actually means.
“By old standards, contracts are private information, but if your company pricing is transparent and you have nothing to hide is the contract really private information?” he says.
“The only way to manage the sharing vs privacy issue is to be able to understand your data so you can make informed decisions. For instance, if you know exactly what your private data is, you can do things to secure it like encryption-at-rest, which is something we don’t see enough organisations doing.”
Companies have a very traditional approach to data management, according to Dymacz. “Businesses usually have a good grasp on their structured data systems. They will have security policies in place for their finance and their CRM systems,” he says.
“There is usually good management of a small set of other documents like HR records and internal company reports. The big challenge is everything else. Businesses have masses of file data that they don’t know how to classify.”
There are other issues too. Richard Archdeacon from the HP Enterprise Service CTO Office says that just storing data in the cloud is not enough. “You then have to look at the whole lifecycle. How will it be stored? Will it have encrypted links? What’s the recovery method? What happens if we move provider – will it be destroyed?” he says.
“[And what about] auditing? Are they open to audit? It’s not just technical, it’s physical security too.”
Dymacz says that the traditional set-up does cause difficulties. “The problem most businesses have is that their data sits in silos. The ability to delete a specific customer’s data or to provide all of the data on a customer back to them depends on their ability to get the data from several sources,” he states. “From our conversations we know that businesses aren’t confident that they can remove all customer data if they get that request. They can do it very easily for some systems but they can’t be sure they have removed it from everywhere.”
Need to know?

There’s a good deal of debate at the moment about what’s meant by personal privacy and what companies can know about their customers. Google has built its business on knowing as much as possible about its users but, as the company found out lately, Europeans take privacy very seriously – hence the right to be forgotten ruling.

Can there be a fair balance between personal privacy and a company’s right to know about its customers? Databarracks’ Dymacz isn’t sure. “I would say ‘yes’ and ‘no’. For there to be a fair balance, there needs to be a good understanding about what data a company holds about you and how you can actually manage and influence that,” he says.
Databarracks itself has developed a new product to help manage unstructured data. Dymacz describes the thinking behind it: “Kazoup (see boxout) was created firstly to solve data storage issues. When we spoke to businesses about their backups, it was clear that very few had a good understanding of their unstructured data.
“Services like backup and disaster recovery are charged based upon volumes of data. We would ask a company how much data they had to give them a quote and they often wouldn’t know. They would know how much email data they had or how large their databases were because structured data is easier to manage, but not the unstructured, file data.”
More companies will explore ways to look at both structured and unstructured data and cloud is going to play a big part in this. There are many steps to take first, both in terms of improving the infrastructure and handling the data, but the rewards will be massive.
ALL ABOUT KAZOUP

Radek Dymacz describes the technology: “Companies would have X TBs of data, but would usually tell us most of it is rubbish. Kazoup scans a business’ file data so you can see what you have and then put policies in place to manage it better.

It uses metadata to set up policies to archive or delete older data and sort it into categories.

We created the product because businesses were constantly asking for a tool to help understand their data.

We found larger organisations would have some of the enterprise (expensive) tools for file analysis or search and the smaller organisations were just using some simple freeware that didn’t have enough functionality.

We think these issues are going to increase in importance as data continues to grow and as businesses have more regulations to comply with like the Data Protection Directive.”
BYOD: Bring Your Own Disaster?
CLOUD FOR BUSINESS www.cloudindustryforum.org
Does BYOD mean bring your own disaster? BYOD could be a recipe for disaster as the IT department relaxes control, but it doesn’t need to be a big problem…
There used to be a clear split between the technology you used at home and your technology at work. In the office, you had access to a powerful desktop, wide-reaching business software and fast connections, while at home, you had some simple programs running on a cheap PC using a dial-up modem.
That’s the way that things were because there was no need for it to be otherwise. The notion that home technology was more powerful than commercial offerings would have been deemed nonsense. In the last decade, however, all that has changed. There wasn’t a single revolution that changed this but many smaller steps: the provision of broadband to homes (especially when accompanied by an upgrade to fibre); the development of the smartphone market and, connected to this, the decision by Apple to see mobile phones as a means of disseminating applications. Put that all together and you have the perfect storm for a revolution in how devices are viewed and used.
There’s been an about-turn though as the sexy devices are now in employees’ pockets and not on their desktops. What has this meant for the CIO? The former gatekeeper for company technology is now relegated to a bit-part role as companies look to adopt bring your own device (BYOD) strategies.
This change has massive implications for the way that a business operates, with CIOs having to completely rethink all aspects of their IT infrastructure.
BYOD vs cloud
One of the first things to look at is whether a move to BYOD means a move to cloud. In some ways, says Richard Archdeacon from the HP Enterprise Service CTO office, there are similarities. “Look at the drivers for the move to cloud,” he says. “It’s driven by a need for greater flexibility and better management.” He adds that BYOD has brought a similar level of flexibility to the part.
The 451 Group security analyst Javvad Malik also sees advantages of moving to the cloud. “Cloud providers are often in ideal positions to offer BYOD-specific features, and many have. Though a large market exists as ‘middlemen’ to provide BYOD features in what I like to call ‘missing feature’ markets,” he says.
Archdeacon points out that although companies are keen to keep data on-premise for security reasons, it shouldn’t be forgotten that cloud providers often deliver higher levels of security, particularly for small businesses.
Weakest links
The danger of unsecured data being loose in the enterprise was highlighted in October 2014 when a survey from Kroll Ontrack suggested that 4.6 million employees had lost work-related data in the last 12 months due to corrupted and malfunctioning personal devices or cloud services. As around a third of UK employees use their own devices to store data, businesses are leaving themselves open to security leaks of this kind, the research warned.
As such, CIOs must make themselves much more aware of what is going on around them, cautions Malik. “The main challenges facing the CIO are monitoring and tracking corporate data and user activity,” he adds. “If 40 per cent of work/corporate system use happens outside the corporate network, how do you keep tabs on what’s going on, and where your data ends up?”
The key is establishing firm BYOD policies, according to Archdeacon.
“Once you have decided to bring in BYOD, you have to implement a BYOD policy,” he says.
“This will include elements such as physical security and anti-malware software, but will also allow CIOs to restrict data to certain devices and let them bring in controls as to what can be accessed from those devices.”
Within a BYOD environment, it’s paramount that those in charge know who is accessing data at any given time.
“You need to work on a clear policy of identification or authentication and this will be additional software on top of your Active Directory implementation,” Archdeacon says, adding that changes in technology will make it easier to pick out compromised users.
“We’re beginning to see the emergence of situational identity where CIOs can identify patterns of access. For example, if a user is accessing the network from a different geographic location than usual, why is that? Has his identity been compromised?”
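The situational-identity idea Archdeacon describes, as an added detection sketch that is not code from the report or from HP: a per-user baseline of countries is learned from past logins, and later logins from a country outside that baseline are flagged. It goes one step beyond the quote by also flagging two logins from different countries too close together to be the same traveller. The users, countries and timestamps are constructed, and each login's country is assumed to have been resolved upstream (for example by a GeoIP lookup).

```python
"""Situational-identity check over login events.  Added example with
constructed data: it flags access from a country outside the user's
learned baseline, and logins from two countries too close together."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Login:
    user: str
    when: datetime
    country: str  # assumed to be resolved upstream, e.g. by a GeoIP lookup


@dataclass(frozen=True)
class Alert:
    user: str
    when: datetime
    reason: str


# Constructed sample events (users, countries and times are made up).
SAMPLE_LOGINS = [
    Login("alice", datetime(2014, 10, 1, 9, 0), "GB"),
    Login("alice", datetime(2014, 10, 2, 9, 5), "GB"),
    Login("alice", datetime(2014, 10, 3, 8, 55), "GB"),
    Login("bob", datetime(2014, 10, 1, 10, 0), "GB"),
    Login("bob", datetime(2014, 10, 2, 10, 0), "DE"),    # bob travels regularly
    Login("bob", datetime(2014, 10, 3, 10, 0), "GB"),
    Login("alice", datetime(2014, 10, 4, 3, 12), "RU"),  # never seen here before
    Login("alice", datetime(2014, 10, 4, 3, 40), "GB"),  # back in GB 28 minutes later
    Login("bob", datetime(2014, 10, 4, 10, 0), "DE"),    # DE is normal for bob
]

LEARN_UNTIL = datetime(2014, 10, 3, 23, 59)  # end of the baseline period


def build_baseline(logins, learn_until):
    """Map each user to the set of countries seen during the learning period."""
    baseline = defaultdict(set)
    for ev in logins:
        if ev.when <= learn_until:
            baseline[ev.user].add(ev.country)
    return baseline


def detect(logins, learn_until, travel_window=timedelta(hours=2)):
    """Return alerts for events after learn_until.

    An alert is the question Archdeacon poses ("why is that?"), i.e. a
    prompt to investigate, not proof that the identity is compromised.
    """
    baseline = build_baseline(logins, learn_until)
    alerts = []
    last_seen = {}  # user -> (when, country) of that user's previous event
    for ev in sorted(logins, key=lambda e: e.when):
        prev = last_seen.get(ev.user)
        last_seen[ev.user] = (ev.when, ev.country)
        if ev.when <= learn_until:
            continue  # learning period: build history, do not alert
        if ev.country not in baseline[ev.user]:
            alerts.append(Alert(ev.user, ev.when,
                                f"login from {ev.country}, not in baseline "
                                f"{sorted(baseline[ev.user])}"))
        if prev and prev[1] != ev.country and ev.when - prev[0] < travel_window:
            alerts.append(Alert(ev.user, ev.when,
                                f"{prev[1]} then {ev.country} within "
                                f"{ev.when - prev[0]}"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGINS, LEARN_UNTIL):
        print(f"{a.when:%Y-%m-%d %H:%M} {a.user}: {a.reason}")
```

On the sample data only alice's two 4 October events are flagged; bob's German login is inside his baseline and raises nothing.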
However, technology is only part of the puzzle. The key to successful implementation of any BYOD policy is knowing the basic ground rules. Companies shouldn’t get too hung up on technical solutions, warns 451’s Malik. Indeed, he advises the first thing they do is realise that they retain responsibility.
“Regardless of whether you explicitly allow employees to put corporate data and do work on personally-owned devices, or allow it by not setting clear acceptable use policies, the company is responsible,” he says. “Where the responsibility lies is up to the company itself to decide. At least, until the breach occurs, then the board of directors, customers, lawyers and lynch mobs decide who was responsible.”
There are other technical issues that shouldn’t be ignored. Malik warns CIOs about the growing use of file sync and share services such as Box, Dropbox et al. These services - which are usually a boon for users - can be a real problem for managers.
“No business should be ignoring the file sync and share (FSS) market. It is one of the easiest ways to lose control of corporate data. There are some good products out there that can give employees the convenience of sharing files they need, whilst also offering the ability to audit, track and secure data to satisfy corporate requirements,” says Malik.
HP’s Archdeacon sees possibilities from the use of virtual technology. “These can be used to create solutions based around the idea that a virtual device can be created for remote workers and these can be wound down as soon as the job is completed,” he says.
As the Kroll survey shows, the move to BYOD is a trend that’s not going to disappear any time soon. However, the risks of embracing BYOD are here to stay too. Archdeacon sees the need for education here, saying: “The CISO has to explain the implications of moving to the cloud, he has to explain why you use a cloud solution in a particular way.”
Running a BYOD policy from the cloud offers a whole new way of doing business, but it’s one fraught with risk.
However, not taking that risk could be foolhardy too.
WAYS TO IMPLEMENT BYOD
• Ensure that all devices connecting to the corporate network have appropriate protection
• Implement a strict security policy – ensure that it’s adhered to
• Ensure thorough education for all users
• Bring in guidelines on what can and can’t be accessed on devices
• Deploy 256-bit encryption throughout the organisation
• Sort out data early – critical data and data subject to laws should be separated from the rest of the data
• Implement proper identification/authentication software
• Keep tabs on shadow IT implementations at all times
Ingram Micro Cloud Q&A
We speak to Apay Obang-Oyway, Ingram Micro Cloud’s general manager, about the changing nature of cloud governance
Apay Obang-Oyway, general manager, Ingram Micro Cloud
What reassurance can you provide CIOs who want to move to the cloud and who are concerned about the regulatory environment?
There are many UK partners today who are skilled and specialise in cloud technology as part of their core business. These partners are aligned to major industry players such as CIF, Ingram Micro Cloud and vendor partners who are all versed in understanding the challenges and complexity of issues around data sovereignty, security, management and DLP. Providing CIOs choose the right partners to work with and be part of the cloud delivery system, then they have gone a long way towards gaining peace of mind.
How aware are CIOs of where their data is stored?
Very. They are the most senior executive in an enterprise responsible for information technology. Depending on the industry, size, type of organisation CIOs have varying degrees of awareness around data residency. As technology gets even better and CIO awareness around compliance relating to data grows, there is certainly a greater level of competence around this.
The challenge is not that CIOs are not aware, more so that the technologies within certain DC providers are not strong enough to assist CIOs in answering these questions.
Profile
Apay Obang-Oyway is general manager of Ingram Micro Cloud, a role he has held since early 2014. He is responsible for defining and executing the strategic direction of the company in Northern Europe, working with key influencers and decision makers internally and externally to achieve such goals. He is an experienced and highly motivated leader in sales, marketing and the channel and prides himself on delivering results through focus, partnerships, energy and acumen.
Prior to his taking up his current role, Apay was general manager of the firm’s software, cloud and mobility group for more than five years. Before that, he held a number of key roles both at Ingram Micro Cloud and elsewhere in the industry.
Within a hybrid environment, is there a difference between the way you look after data on-premise and data in the cloud?
Where data assets are prioritised and secured appropriately, this security is translated to the cloud.
Who should have responsibility for data governance? The CIO? The CSO? A compliance officer/lawyer? Or a combination?
All of the above. It certainly should be all stakeholders within an organisation. As the democratisation of IT becomes more of a reality - especially because of cloud - all individuals cannot and must not abdicate responsibility around data governance to just one or a few individual roles. Yes, some roles are responsible for policy creation and implementation, but this is separate to governance responsibility.
What particular reassurances can you offer to CIOs within highly regulated industries?
It is not helpful for the adoption of cloud to be all about reassurances when there are some real challenges - especially for highly regulated industries - that CIOs must understand and take heed of. Cloud does indeed offer a wealth of value and opportunities for all organisations irrespective of industry, size, type and complexity. However, the key is to understand your regulatory boundaries and compliance issues, find the right partners who understand your industry to deliver the right cloud/hybrid solution and ensure you have a robust, coherent risk management process. Regulatory complexities should not be a barrier to leveraging cloud solutions for organisations. Indeed, that’s exactly what shows off organisations with the right talented CIOs and partnerships.
The rise of big data has meant that data needs to be more readily accessible from a variety of different endpoints. How can you marry accessibility with security?
By using mobile device management mechanisms and two factor authentication.
Following on from that, what preparations should a CIO be making to prepare for a culture where mobile communication is the norm?
Mobile device management and a direct focus on all data endpoint management.
Do you think legal requirements and regulatory issues are a barrier to cloud adoption?
Not at all. The data location and data security is universal, whether it be cloud or on-premise.
Current legal situation
We speak to Conor Ward, consultant with international law firm Hogan Lovells and chair of the CIF Legal Forum, about the current state of play
Conor Ward, CIF Legal Forum & Hogan Lovells
Do you think that companies are fully aware of their legal responsibilities when it comes to the cloud? And do you see a difference in attitude between cloud providers and customers?
Whilst there has been a great improvement over the last couple of years in companies’ understanding of the legal issues and their responsibilities in relation to the cloud, we still have some way to go. As the use of the cloud has become more pervasive, companies still do not appreciate some of the issues that arise as a result of its use, in particular customers at the SME level.
The major providers are now pretty much up to speed on the legal issues that customers need to address and have terms and conditions that cover key issues though - perhaps not unexpectedly - their contract terms favour the suppliers. Data protection (and related security) has probably been the dominant legal issue and at the forefront of companies’ thinking, but customers need to take a more holistic view when looking at cloud services and consider what can go wrong and what remedial action may be required. The answers will clearly differ depending on the customers’ business (and whether or not it is regulated) and the nature of the services: medical staff not being able to access patient records stored in the cloud will have different consequences from an accounts department not being able to access archived records.
How up to date is the law?
By and large, the law is capable of dealing with the provision and use of cloud. It may have taken some time but lawyers are generally familiar with the issues that arise (and the solutions to apply) in respect of outsourcing transactions.
However, as is always the case when new technologies or services emerge, there are areas of the law that need to be reviewed and possibly changed. Jurisdiction is clearly one issue that is very topical (e.g. can a US court require Microsoft to provide access to data stored by a customer of Microsoft Ireland on servers located in Ireland?) as is format shifting (e.g. does storing music and other content in the cloud require the permission of – and hence payment of a licence fee to – the rights holder?). These are just a couple of examples of where the law will need to be clarified.
Can the law makers ever keep up with technological change?
Law makers have never been able to keep up with technological change. Typically, the courts have to grapple with issues as they arise and legislators then pick up the pieces. Around 150 years ago, we were questioning whether or not you could enter into a contract by post; 50 years ago the same question arose in relation to telex transmissions (and a supplementary question was where the contract was formed and which law applied). More recently, the question was about email or click wrap agreements.
Profile
Conor is consultant with the international law firm Hogan Lovells (where he was a partner between 1998 and 2014), practising exclusively in contentious and non-contentious aspects of computers and communications law. In the 1980s he worked as a development programmer at IBM’s UK Laboratories. He also qualified as a barrister.
His work has included advising in relation to numerous outsourcing transactions, cloud computing and SaaS projects, systems development and integration contracts as well as acting for clients in various disputes involving failed projects. Conor is recognised in both Chambers and the Legal 500 legal directories as one of the leading IT lawyers in the UK. Prior to joining Hogan Lovells, Conor worked for IBM as a systems development programmer.
Conor is a member of the Cloud Industry Forum (CIF) and chairs the Cloud Industry Legal Forum which advises CIF on cloud computing Legal Issues.
There’s a greater call for sharing data and for data to be made more open – does this conflict with privacy law?
Much will depend on what data is being shared but, yes, privacy issues loom large. So do issues of IP rights and ownership. Data has a value and thus questions of ownership, control and payment will arise.
Do you think penalties are currently appropriate for breaches of security?
The short answer is no. In the case of personal data, the data controller (which is typically the customer in a cloud context) is responsible and liable for any breach of security. The customer will face any sanctions from the regulators such as the ICO or the FCA and may be liable for damages to the data subject.
The service provider typically limits and excludes its liability to such an extent that the customer has little or no effective remedy against the supplier. Hence it is important to understand fully what the consequences of a breach of security might be and what mitigations need to be put in place. The service provider is not there to insure the customer’s business risks: cyber security policies are available. Other practical steps may also be relevant. These include encrypting data at rest, for example.
An organisation can have very strict rules on privacy and security only to find these are not being adhered to by junior staff. In such cases, do penalties for organisations really help? What more could be done to solve this problem?
Education and training clearly help. The ethos of the company/department is also important. If processes and procedures are lax/not enforced, breaches are likely to happen. Security by design should also be considered so when the employee does something dumb, its effects are mitigated.
What legal challenges are thrown up by the emergence of BYOD?
Control is obviously an issue. What data will the employee have on the device and what happens if the device is lost or compromised? How is data secured/encrypted? What happens to the data when the employee leaves? What happens if the employee’s device is hacked or subject to a Trojan Horse? What if it infects the network or is used by a hacker as a back door into the network? Can the employee use the device during working hours for personal use?
How can highly regulated industries like banking and pharma cope with cloud?
In some respects, the cloud does not bring any new issues to the table. Regulated entities have coped with outsourcing and the use of web-based solutions. They will still be responsible for the services. They will want transparency and visibility, in particular in the event of security breaches or threats, and they will want robust SLAs with teeth that bite.
The one area which may be seen by some as being problematic will be audit rights (and in particular the regulator’s right to audit service providers). This is a known issue and the large service providers have solutions which are generally accepted by customers and regulators alike.
What effect have the Snowden revelations had on the way cloud providers operate?
There is greater focus on knowing where your data is and service providers are making a sales point of stating that data will be stored in specific locations/jurisdictions. See, for example, recent comments by Brad Smith (Microsoft’s general counsel) about creating a trustworthy cloud free from intrusion.
Others, such as Apple, are pushing for data in their cloud to be encrypted in a way that they cannot decrypt: only the user/the relevant device can do that – though the obvious issue here is if the user loses the means of decryption Apple cannot help. Then, in Germany, service providers are effectively building a private internet (based in Germany) to secure data.
Do you think customers’ current safeguards are strong enough?
Typically no, particularly those customers who use off-the-shelf services. But then again, the main cloud service providers probably provide better security than those customers could provide for themselves.
Where next? The European dimension to cloud computing
The law around cloud has been confusing, particularly when national boundaries are taken into account. But that could be about to change...
A Martian arriving in the UK and glancing at our national press would quickly get the idea that Europe is some hostile force aimed at subjugating British powers. What wouldn’t be so clear is that, in many instances, the EU acts in areas where a national body operating on its own would not be so effective.
Data protection is just one such area. The idea that hackers operate solely within national boundaries is a nonsensical one. Therefore all measures around data protection have to involve a multitude of agencies and many nationalities.
Cloud computing is perhaps the most obvious example of this globalisation at work. A system where data can be stored in any country and accessed in another country is a perfect illustration of why national boundaries are inadequate in this case and the reason why there needs to be a pan-European drive towards data protection.
It’s a situation that has been complicated by Edward Snowden’s admission that security forces have been regularly spying on British (and other European) users.
This delicate balancing act between individual data and national security is mirrored by another balancing act: the one between the openness of data and the right to privacy.
A debate of the highest order
It’s a balancing act that no less a luminary than Sir Tim Berners-Lee addressed at this autumn’s IP Expo when he ruminated on the differences between Europe and the US when it comes to handling data.
“I would prefer the US to have stronger data protection so Europe can be a good influence in that way,” he said, before warning that this could reduce commercial opportunities.
It is very easy for the commission to put in place a rule that makes it impossible to start a social network in Europe, Berners-Lee says, but he stresses that initiatives should be Europe-based. “I don’t like the idea of nation siloing,” he added. “It would be bad if you have to store data about a person of a certain nationality in a certain country.”
But there are other problems too, most notably the time lag between technological changes and legal ones.
European legislation scarcely acknowledges the internet, let alone the implications of cloud computing. European companies recognise the problem though. According to a survey carried out this year by Sophos, there’s a need for stronger data protection laws across the continent. Indeed, some 60 per cent of survey respondents thought there should be stronger laws on data protection across Europe. And, even when there was a security policy in place, it was felt that organisations were not doing enough to make employee responsibility clear – 49 per cent of respondents said policies were not being clearly communicated to employees.
Preparing for change
All that is set to change: the European Union has proposed a new regulation, which, if all goes well, will be passed next year and come into effect shortly after.
This sounds like a long time away but, as Anthony Merry, Sophos’ director of data protection, explains, that’s still rapid by EU timescales. “The last reforms were in 1995. Think how much the world has changed since then. Back in 1995, we’d have been using Nokia Symbian and Windows 95, now we all have smartphones,” he says.
“The law needs to change to keep up. And it has to be Europe-wide, so there’s one rule for everyone, not 28 different laws.”
The changes are about providing the same rights online as offline, something that hasn’t existed before, according to Merry.
Part of the proposals are to make things as SMB-friendly as possible. Multinationals have always had a European dimension but the proposed regulation will provide a framework for national lawmakers to operate in and, despite the prevailing Eurosceptic sentiments in the UK (and in other parts of Europe), the proposed new regulation does provide some useful guidelines.
Perhaps the most far-reaching change is that companies can no longer be silent about breaches. If you suffer data loss it will no longer be enough to hide behind evasions. A business will have to own up and failing to do so will be considered a fraudulent act.
This is backed up with some real teeth; companies that break these guidelines can now be hit with a hefty fine of five per cent of turnover or £100 million – that’s some serious power. And there will be a central authority (whose scope has yet to be defined) responsible for overseeing these changes.
Implications
What does this mean for companies pushing things out to the cloud? If you’re a company looking after your customers’ data then you have ultimate responsibility – that’s the situation now and will be the same after the new regulation comes into force. But you now have to be more aware of where the data is being held and if there are any breaches of security. For example, if you hand things over to a cloud provider, you are both responsible.
One of the elements of this is encryption. Companies will now have to be much more thorough about encrypting data. Any organisation whose employees leave unencrypted memory sticks on buses, or who lose unencrypted spreadsheets on laptops in taxis is going to be in serious trouble. Cloud computing offers a way out here but, again, there will be a need to encrypt data at rest and while being transferred to the cloud.
Under the draft regulation, as long as you’ve encrypted data (and can prove it), says Merry, a company is under no obligation to report data breaches to its customers – although you will have to report it to the central authority.
One of the sticking points of the new regulation is going to be the clash with US law. This will be a set of guidelines that apply to European companies and for companies doing business in Europe, but what we don’t
know is how the US will react if European law clashes with its own, according to Merry. The recent case with Microsoft in Ireland demonstrated how US authorities will likely side with US companies and the new directive won’t make such clashes go away.
But, Merry asserts, the proposed regulation is a step in the right direction, saying: “There’s a lot more to be done. There have been close to 4,000 amendments to it.” However, he points out that the big core principles are now bedded down and only smaller implementation issues remain.
It’s been a long time coming, but UK firms are about to get regulations that strike a balance between protecting data and doing business and one that shows the country as part of a wider European set-up.
EUROPEAN REGULATION – LEGAL QUESTIONS ANSWERED
Do you think the proposed European Data Protection Regulation will help clarify some of the existing anomalies or will it lead to confusion?
The draft regulation is still being debated/negotiated so many points are up in the air. If it gets adopted (some in HMG are keen that it does not, but I believe that the Germans will prevail and it will get through) it will introduce clarity in some areas. It is likely to provide that data processors (including cloud service providers) will be liable for data breaches and not just the controller/customers. There will undoubtedly be some ambiguities and disputes that will go to court.
The new EU proposals set out tougher penalties for companies who pay little regard to data protection. Is this a step in the right direction or a sledgehammer to crack a nut?
Our existing law is weak when it comes to penalties for breaches. The current proposals of the draft regulation possibly go to the other extreme. However, in these days of social media and cloud services, this may be what is required to ensure good practice when it comes to the collection and use of personal data.
Do you think cloud providers and customers who use the cloud will start changing policies before the regulation comes into force or be dragged kicking and screaming to make the changes?
Given that more than 3,000 amendments were tabled against the original draft, it may be premature to start changing now. Though, as the draft firms up, there may be areas which merit thinking about. Once the regulation has been adopted, I am sure that companies who are properly advised will start to prepare during the transition period.
We’ve already seen a clash between US and European law when it comes to US firms operating in Europe – will the proposed regs do anything to help?
Unlikely. Indeed, the current draft brings US companies that target EU customers under EU control, even though the US company may not have a physical presence in the EU. This will be controversial. Data flows/export are high on the agenda of the US on the transatlantic trade treaty negotiations which the US and EU are about to embark on. The EU wants them off the table: the US does not.
Credit: Conor Ward, Hogan Lovells & CIF Legal Forum Chair