cloud industry forum report: cloud for business, why security is no longer a dirty word


Upload: hp-business-value-exchange

Post on 16-Aug-2015



WINTER 2014

CLOUD FOR BUSINESS

Where are we now with cloud data governance and where are we headed?

WHY SECURITY IS NO LONGER A DIRTY WORD


How to get the most out of different cloud models

Public, private and hybrid cloud all have their own security challenges. What are the options for the CIO?

Cloud computing is here to stay. According to the latest CIF survey, some 78 per cent of UK organisations are now using at least one form of cloud service and, perhaps more remarkably, 11 per cent of British businesses are now using four or more services. That’s definitely a sign that it’s no longer a few test sites that are being deployed.

The trend is ever upwards: this is the fifth year of the survey and, since the first one in 2010, the growth has been 61.5 per cent: a healthy growth indeed. That’s not to say that cloud is taking over these organisations: the CIF survey found that 85 per cent of organisations still operate on-premise datacentres, so most firms are looking for a way for the systems to co-exist – the hybrid model of IT.

There’s a structure to CIOs’ choice with certain services becoming an obvious fit for cloud: web hosting, email, CRM, data back-up and disaster recovery are prime choices. Anything that involves any confidential client data tends to be kept well away. That reflects a seeming paradox among companies. Yes, there is greater acceptance of the cloud and more businesses want to use it, but such attitude goes hand-in-hand with

“If you want total data security, you can put all your data on a drive, lock it in a safe and drop it at the bottom of the sea.”

About the Cloud Industry Forum

The Cloud Industry Forum (CIF) was established in 2009 to provide transparency through certification to a Code of Practice for credible online service providers and to assist end users in determining core information necessary to enable them to adopt these services.

CIF’s Goals:

• Help end users make informed business decisions about the adoption of cloud services and the governance of hybrid IT environments
• Provide vendor independent market research and outlook of cloud adoption trends, opportunities and inhibitors to offer qualitative guidance to businesses
• Raise industry standards and bring greater transparency and trust to doing business in the cloud with its Code of Practice for Cloud Service Providers
• Champion and advocate the adoption of cloud services by businesses and individuals

For more information, visit: http://www.cloudindustryforum.org

CONTENTS

Introduction (page 4): A foreword by Maxwell Cooter, founding and contributing editor, Cloud Pro
Cloud and data governance (page 5): Is data governance a legal or technical problem? What should cloud customers be thinking about when they make the move?
Hybrid, private or public: Which way to go? (page 12): There’s plenty of choice when bringing cloud on board, but which is the best option for you?
Cloud in regulated industries (page 19): Certain companies have a real problem with cloud when trying to keep up with regulatory demands. Are there ways around this?
Drawing up a security policy (page 27): Moving to the cloud should mean a brand new security policy as the old one won’t do. What should be included and removed?
Keeping customer data safe (page 29): Customer data has become gold dust to organisations. How can these assets be protected?
Mobile and flexible working (page 31): BYOD is the name of the game, but what challenges does this route bring to a company?
Current legal situation state of play (page 36): We speak to Conor Ward, consultant with international law firm Hogan Lovells and CIF Legal Forum chair, about the issues as they stand now.
The European legal framework (page 38): A new EU Regulation is set to change the way data is protected: what does this mean for companies and their customers?

Does BYOD mean bring your own disaster?

BYOD could be a recipe for disaster as the IT department relaxes control, but it doesn’t need to be a big problem…

There used to be a clear split between your technology at home and your technology at work. In the office, you had access to a powerful desktop, wide-reaching business software and fast connections while, at home, you had some simple programs running on a cheap PC using a dial-up modem.

That’s the way that things were because there was no need for it to be otherwise. The notion that home technology was more powerful than commercial offerings would have been deemed nonsense. In the last decade, however, all that has changed. There wasn’t a single revolution that changed this but many smaller steps: the provision of broadband to homes (especially when accompanied by an upgrade to fibre); the development of the smartphone market and, connected to this, the decision by Apple to see mobile phones as a means of disseminating applications. Put that all together and you have the perfect storm for a revolution in how devices are viewed and used.

There’s been an about-turn though as the sexy devices are now in employees’ pockets and not on their desktops. What has this meant for the CIO? The former gatekeeper for company technology is now relegated to a bit-part role as companies look to adopt bring your own device (BYOD) strategies.

This change has massive implications for the way that a business operates, with CIOs having to completely rethink all aspects of their IT infrastructure.

BYOD vs cloud

One of the first things to look at is whether a move to BYOD means a move to cloud. In some ways, says Richard Archdeacon from HP Enterprise Services’ CTO office and IS strategy, there are similarities. “Look at the drivers for the move to cloud,” he says. “It’s driven by a need for greater flexibility and better management.” He says that BYOD has brought a similar level of flexibility to the party.

The 451 Group security analyst Javvad Malik also sees advantages of moving to the cloud. “Cloud providers are often in ideal positions to offer BYOD-specific features, and many have. Though a large market exists as ‘middlemen’ to provide BYOD features in what I like to call ‘missing feature’

About our sponsors

HP is on a multi-year journey to turn HP around, and has put in place a plan to restore the company to growth. It knows where it needs to go, and is making progress. It continues to drive product innovation in its core markets, with a focus on cloud, security, and big data.

HP sees big opportunities ahead, and is well positioned to take advantage of these opportunities with its remarkable set of assets and strengths. It has the people, the plan, and the foundation in place to help it succeed on the next phase of the journey.

HP Helion Cloud helps you transform your enterprise with the most comprehensive cloud computing solutions in the industry. Cloud is not a destination, it is part of the journey to the New Style of IT. For more information, visit: www.hp.com/uk/helion

Concorde’s breadth and depth of industry knowledge is recognised by top software vendors such as Adobe, IBM, Microsoft, Oracle, and Symantec. Its knowledge extends from the desktop and datacentre to complex multi-vendor environments. It has experience and references across a variety of market sectors and industries, and clients include members of the Global Fortune 1,000 as well as investment banks, mid-market companies, public sector organisations and charities.

Concorde’s specialists bring with them many years of licensing and software expertise, from their experience within end-user organisations, the software industry, or from running SAM teams themselves. With the emphasis on creating sustainable solutions rather than one-off engagements, Concorde has helped customers save and mitigate over £50 million in the last four years by providing the tools, processes and knowledge to better manage their software.

Concorde does not re-sell software or licensing, and its reputation is one of complete vendor-independence. It can therefore offer impartial advice and support and truly represent the best interests of clients. Concorde’s practices are aligned with the IT Infrastructure Library (ITIL) SAM best practice and ISO Standard 19770-1 for SAM. At the heart of its solution is Core Control, a platform for presenting critical business intelligence from across your entire (global) software estate, enabling powerful analytics, scenario modeling and decision making support. For more information, visit: www.concordeuk.com

Databarracks provides the most secure and supported cloud services in the UK. In 2003, it launched one of the world’s first true managed backup services to bring indestructible resilience to mission-critical data. Since then, it has developed a suite of services built with superior technology, support and security at their core.

Today, it delivers Infrastructure as a Service, Disaster Recovery as a Service and Backup as a Service from some of the most secure datacentres in the world, 30 metres below ground in ex-military nuclear bunkers. The company backs this up with unbeatable support from a team of handpicked experts. There’s no such thing as ‘above and beyond’ for the firm’s engineers because they only work to one standard: to keep your systems running perfectly.

Databarracks is certified by the Cloud Industry Forum, ISO 27001 certified for Information Security and has been selected as a provider for the G-Cloud framework. For more information, visit: www.databarracks.com

Ingram Micro Cloud is a master cloud service provider (mCSP), offering channel partners and professionals access to a global marketplace, expertise, solutions and enablement programs that empower organisations to configure, provision and manage cloud technologies with confidence and ease.

Ingram Micro Cloud is part of Ingram Micro, which helps businesses Realise the Promise of Technology. It delivers a full spectrum of global technology and supply chain services to businesses around the world. Deep expertise in technology solutions, mobility, cloud, and supply chain solutions enables its business partners to operate efficiently and successfully in the markets they serve. Unrivaled agility, deep market insights and the trust and dependability that come from decades of proven relationships, set Ingram Micro Cloud apart and ahead.

Discover how Ingram Micro Cloud can help you Realise the Promise of Technology. For more information on Ingram Micro Cloud, please visit: www.ingrammicrocloud.com

Introduction

Welcome!

Security is often held up as one of the main concerns for not going down the cloud route: it seems to set off all manner of nervous reactions in even the most sensible of organisations.

In some ways this is a natural reaction. After all, by definition, cloud means losing some sort of control. But security is too much of a catch-all term: what does it actually mean? Do we mean perimeter security (something that becomes harder in an era of flexible and remote working)? Do we mean device security (something that’s harder in the age of BYOD)? Do we mean data governance? (That’s a serious issue, but are we talking legal concerns or technical ones?)

In the midst of all this confusion, there’s also a greater drive towards letting lines of business choose software and run services themselves. But can we really trust non-IT people with data security?

There are so many questions to ask and that’s before we decide whether we’re talking about threats from cyber criminals or the rather more commonplace array of spam or bloatware.

This special report, produced by the experts at Cloud Pro in association with The Cloud Industry Forum (CIF), aims to explore the key issues. We will examine the techniques that some CIOs can employ to ensure cloud implementations are running smoothly and with little risk. We believe that cloud in itself can be a secure option and that if you choose the right provider, it can be even more secure than what’s possible on-premise.

The interesting challenge for CIOs is to make their systems more secure at a time of greater openness. The prevailing philosophy is towards more sharing and greater collaboration, but the demand for cloud security could make actioning that more difficult. However, there are ways to ensure that the modern company can be more open and accessible while still ensuring secure access - the ideal approach for all organisations.

Cloud is here to stay and more businesses are going down that route. The key, then, is to try to stay secure while doing so. We hope this report provides plenty of food for thought.

Editor, Cloud Pro

For further information please visit www.cloudpro.co.uk

Data governance in the cloud

Moving to the cloud has plenty of implications for the way that data governance is handled within organisations. How should firms approach this?

The arrival of cloud has shaken up many IT departments and long-held ways of doing business have been shoved aside. For example, the idea that business expansion could only occur by provisioning new servers has all but disappeared. Even more radically, the notion that IT departments are solely in charge of buying software has also stepped to one side. Indeed, business departments are assessing and even purchasing applications, and that’s a situation that is not going away any time soon.

Cloud touches every aspect of a business. This can be demonstrated by the way that it impacts on data governance. The arrival of a cloud provider changes everything. If you look at the definition of data governance from the Data Governance Institute (DGI), you can see where some of the sticking points are: “Data Governance is a system of decision rights and accountabilities for information-related processes, executed according to agreed-upon models which describe who can take what actions with what information, and when, under what circumstances, using what methods.”

There are some obvious hot points here: “accountabilities” and “who can take what actions” are areas where meanings can be interpreted very differently.

Business issue

According to HP fellow Mateen Greenway, there’s a more fundamental problem. It’s one that’s to do with the way that CIOs operate. “Data governance is a big problem for CIOs, particularly people who have been a long time in the industry, ones who started off as more akin to CTOs looking after hardware and wires. They don’t really understand the business issues,” he says.

In this world where lines of business have a big impact on the way that software is chosen, this can really matter. CIO thinking has to change, according to Greenway. “They’re still thinking in bits. They need to start thinking at the opposite end. ‘Who are the people who want this information and who gets value from it?’. Data governance becomes how to meet that need too,” he adds. “CIOs are used to worrying about the storage of data, now it needs to be about getting that data to the right people.”

There’s also the concern about what else happens to that data. Individuals have been considerably more agitated about threats to data security and privacy since the revelations by Edward Snowden that NSA agents were looking into Europeans’ data. The news made many businesses extremely jumpy about putting their data (or customer data) in multi-tenanted cloud providers.

According to Clive Longbottom, founder of analyst firm Quocirca, companies are certainly questioning who’s looking at their data – whether that be the NSA, GCHQ or whoever – but he says that much of this is overstated. “For the average company, there’s going to be little interest from the security forces. It’s only in industries like defence, petrochemical or aerospace that they’re going to be interested,” he says. “Your main worry is going to be the black hats, who certainly will be interested in things of financial value that you have.”

Trust

Trust is at the heart of the problem when it comes to moving to cloud. Do you trust your provider? It’s a problem that’s particularly acute for small businesses, as they may not have security resources on hand in-house. According to a recent survey from the University of Bournemouth, just over half (54.6 per cent) of small businesses cited data protection and privacy as the main reasons for shying away from cloud services. The ironic thing is that it is precisely these companies who would most benefit from the cloud – it’s a way to bring enterprise-class security to SMBs.

Some SMBs are worried that cloud service providers will not bring industry best practice to the table. There are also concerns that companies will not know where their data is being held. Any company that has dealings internationally or sends data across borders has such worries. All cloud users need to have an idea of national laws and regulations from the outset.

CIOs should start off by asking cloud providers some basic questions, advises Longbottom. “For a start, you should ask whether their datacentres are ISO 27001 compliant and then you should be asking them how they deal with data sovereignty: you want them to say where the data is,” he says.

Some of the low-cost providers may try to blur the issue of where data is being held by using content delivery networks (CDNs) or wide area data accelerators but, as Longbottom explains, this is little comfort to customers. “The best service providers don’t do this – the low cost do and will shift everything to Akamai or Limelight. You have to understand that you’ll have to pay to get the best solution,” he adds.

HP’s Greenway concurs, saying: “Cloud covers a multitude of sins and you have to realise that not all cloud providers are the same: some clouds have high SLAs, some have none. You can only select the right tool if you understand the needs. For example, you wouldn’t treat a Porsche and a truck the same. The Porsche has a lot going for it, but you can’t deliver a piano with a Porsche.”

If a company has a data governance professional, it’s key that they are involved in the decision to move to the cloud from the outset. Only a data governance professional can address all the regulatory concerns: CIOs don’t have that expertise or that level of experience.

So, what should a CIO be doing? They need to make sure they address all these concerns up front, then work out what data could be stored in the cloud. Active customer data must be treated very differently from archived data, for example. Policies should be defined and then also strictly adhered to.

Longbottom advises a slightly different order to proceedings, adding: “The first thing a CIO should be doing is taking a look at the existing internal infrastructure, as it’s probably pretty bad. You can’t look to external suppliers if your internal structure is a mess.” There’s an old adage that one shouldn’t outsource chaos because the end result will be chaos. It’s a similar story with data governance. Cloud won’t solve a problem if you haven’t got the principles right in the first place.

DATA GOVERNANCE INSTITUTE GOALS FOR A DATA GOVERNANCE PROGRAMME

• Enable much more effective decision-making within firms
• Reduce operational friction
• Protect needs of data stakeholders
• Train management and staff to adopt common approaches to data issues
• Build standard, repeatable processes
• Reduce costs and increase effectiveness through coordination of efforts
• Ensure transparent processes


www.concordesolutions.com

Software Clarity and Control in a changing world

Concorde delivers best practice SAM platform and services for complex hybrid IT environments

Core Control simplifying software asset management:
• Using data from any source
• Automated Vendor Logic and Licensing rules for all major Vendors
• Easy to use - complete SAM functionality
• What-if Scenario Modeling
• Trend analysis and variance alerting

Enabling complex global organisations to:
• Control Contracts
• Reduce Cost
• Plan for the future based on fact
• Measure vendor performance

Our services provide:
• Independent knowledge and expertise
• On demand or as a service support
• Pre-audit assessment support
• Compliance reporting

Concorde’s flexible service and support empowers organisations to embrace new technology and drive value from their IT investment. Call today to see how Concorde can help you deliver clarity and control to your Hybrid IT Environment: +44 (0) 1491 870 250

Concorde Q&A

We speak to Martin Prendergast, CEO and co-founder of Concorde, about the changing nature of software asset management and the role cloud plays here

Martin Prendergast, CEO & co-founder, Concorde

Profile

Martin brings 10 years-plus of domain and industry experience to Concorde. He has held senior management roles at Unitrans and Morse and a number of operational roles at Peregrine Systems. Martin has worked with a large number of companies around the world and has helped architect, sell and deliver solutions for market leaders such as Computacenter, CSC, EDS and HP. He also sits on the Governance Board of the Cloud Industry Forum and, prior to moving into business, served as an army officer.

How is cloud computing changing software asset management?

The difference with cloud computing when it comes to license management is that your software is now being delivered as a service. Updates and security patches are instant and can happen undetected, with your software estate constantly changing. This is presenting a visibility challenge for businesses, especially in enterprises that often deal with the management of much bigger and much more complex infrastructure. Trends like BYOD are also further complicating this, with employers also having to take licences employees have downloaded onto mobile devices into consideration.

How have vendors changed their approach to software licensing in light of the emergence of cloud?

In many cases, vendors are taking the perceived weakness of end-users, which is their lack of software licensing visibility, and turning it into their strength, by treating it as a revenue generating opportunity. While the typical vendor audit selection process was usually at random and every few years, audits are becoming more frequent and many high profile vendors now have special software compliance teams in place to specifically target organisations that may be under-licensed. Vendors have a lot to gain from this process. Take, for example, the recent situation with CommVault where it revealed that it had only met its revenue growth target because of its recognition of deferred licensing revenue. In some cases, vendors are making strides to cut down the complexity of licensing brought on by cloud by changing the licensing structure. One example is Microsoft, who recently implemented Server and Cloud Enrolment (SCE), a licensing model that enables customers to standardise on several Microsoft Server and Cloud technologies.

How should end-users now be handling their software licensing?

Many enterprises are changing the way they look at software asset management to adapt to the changes happening in the industry, and this is through the consideration of software value management (SVM). It’s not about simply counting licences anymore. Instead, the focus should be on obtaining and maintaining visibility of your entire software estate at all times. Governance is an ongoing effort rather than a tick box exercise and many organisations are seeing the benefits of using real-time business intelligence to help facilitate this. Scenario modelling and comparing historic estate software values is a good way to keep track of software licensing as it continues to change. Furthermore, keeping track of software on mobile devices and having usage policies in place will help provide a clearer picture to help avoid compliance risk.

What should end-users specifically pay attention to in their cloud contracts to keep on top of SVM?

Audit and maintenance clauses are the main ones here. If you have an in-house IT team, you may be paying for a service that isn’t needed, so it’s a good idea to check in order to skim off additional (unnecessary) costs. When it comes to audit clauses, make sure that you understand your contractual obligations and have a clear understanding of what information you will need to provide in the event of a licence audit. The majority (94 per cent) of vendors have audit clauses in their contracts, and the notice period for an audit can range from a few weeks to a few days, so it’s important to be aware of exactly what information needs to be provided before it happens.

What changes should we expect for the IT department in the coming months?

The role of the IT department has changed dramatically with the emergence of cloud computing. We’ll soon see more organisations take action to get to grips with the complexity in order to gain complete visibility of their estate. Some companies have already taken steps by using business intelligence tools to achieve this and we’re likely to see more IT departments making use of these to be in a better position to negotiate pricing with vendors and avoid being fined for non-compliance. Transparency, compliance and governance will be key considerations for software asset managers especially, as the risk of audits and, equally, paying over the odds for software licensing continues to grow.

Concorde

Contact us today on +44 (0)1491 870 250 or [email protected]

Understanding what software a business is using has never been a straightforward task.

Concorde delivers intelligent solutions for managing software assets across the hybrid IT infrastructure, enabling end-users across a range of sectors to take control of their software estates, by optimising IT investment through measuring, planning, and implementing change. For one enterprise client in the manufacturing sector, the increased need for license and software transparency was becoming a key priority that could no longer be ignored.

Working alongside the client’s software asset management team, Concorde’s licencing and technology experts gathered data from across the IT landscape, hardware information, software usage data, contracts and entitlement. By increasing the range and type of data – ADDM, SCCM, LANDesk and existing discovery tools, the team could start to identify how the organisation’s IT functioned.

Using Concorde’s Core Control Software Asset Management (SAM) solution, the client’s team mapped the IT environment and identified those programmes, applications and systems that were used for business, easily identifying the common software types using the Core Control Definitive Software Library (DSL). This enabled the client to visualise the relationship between users and their specific software requirements. In addition to identifying what software was used for business, Core Control also identified those consumer applications that were installed but not approved or relevant to the organisation. With this detailed and

transparent intelligence, the client was able to initiate their IT governance policy.

With the client driving the SAM programme across the global IT estate, Core Control had links to data from every device connected to the network, enabling accurate measurement of software usage, where it was located and at any given time. This real-time data enabled the client to rationalise its IT strategy, to identify if and where cloud applications were relevant and make informed decisions on the contract types that best suited their needs.

This programme has brought considerable benefits to the client, driving governance alongside flexibility and increasing data security throughout the business.

Defining a strategy for governanceFigures from the latest Cloud Industry Forum (CIF) white paper ‘The Normalisation of Cloud in a Hybrid IT market’ tell us that despite the fact that most UK organisations have adopted some sort of cloud solution, 92 per cent of UK businesses don’t intend on placing everything in the cloud just yet. Many resellers have largely adapted to this model, and are now in a more confident position to be able to offer this. However, while some businesses are finding the best models that work for them and resellers are becoming more accustomed to delivering this, many end-users are leaving themselves vulnerable to exploitation by vendors.

The CIF results also revealed that private enterprises had the highest rate of cloud adoption in the last year at just over 80 per cent. Considering that larger companies have the hardest job keeping track of licences due to the sheer volume of users, visibility of an entire software estate is progressively becoming an issue.

The tables are turning from the world of traditional IT with its limited choice and risk of vendor audit. Now the challenge is to make sure you know what you’re being billed for and whether your vendor is meeting their SLAs.

Without proper governance policies and a system for identifying non-approved applications on business devices, it is difficult for an organisation to identify its risks accurately. This leaves it open to hidden costs, obscure licensing rules, tricky exit clauses and undefined data ownership. Cloud contracts are a whole new breed of agreement, and they are evolving very quickly.

Concorde delivers accurate insight into software usage, the ability to drive governance and maintain security of data across an entire IT landscape, whether it is cloud-based, on-premises or a hybrid model, providing visibility of software and service usage down to the device level. Concorde has built performance measures into vendor contracts, and can track usage or utilisation against plan, and above all, it has established global enterprise governance.

See how you can use SAM to help your business adapt to the changing IT Environment

SAM Best Practice – the driving force behind governance

Using accurate software business intelligence, the client is now driving governance alongside flexibility and increasing data security throughout the business.


Concorde

CLOUD FOR BUSINESS www.cloudindustryforum.org

Cloud, whether software, infrastructure or platform as a service, has radically changed the traditional role of software procurement, software asset managers and vendor managers.

With cloud adoption rates growing, the issues of cloud governance and vendor performance are becoming a real concern for businesses. Those adopting hybrid infrastructures and using cloud applications need to consider their overall IT strategy in order to manage the services they access in the cloud and to ensure that they are both compliant and getting value for money.

It is understandable that cloud brings with it a host of new concerns for managing the needs of end users and, in particular, for controlling the applications they use for business. The ease with which individuals can find, download and access applications that satisfy their immediate need is astounding, and there is a host of ‘quick apps’ available that offer a wide range of productivity benefits; all you need is internet access and a credit card.

The complexity of having both cloud and on-premises solutions as part of an IT infrastructure means that it can become even harder to have visibility of exactly how software is licensed across an organisation. This issue is further aggravated by the emergence of consumerisation of IT trends like BYOA (Bring Your Own Apps) which is increasingly becoming a compliance problem, especially when employees begin to download unlicensed software onto company devices.

Achieving a strong governance position is a real challenge as organisations become reliant on an increasing number of suppliers and service providers, each with their own SLAs and license agreements. As a result, it is critical for businesses to maintain a clear picture of what software they have, where they have it and how they are using it in order to demonstrate good cloud governance, maintain compliance and ensure their providers are maintaining similar due diligence for their end of the bargain.

For example, one of Concorde’s clients recently considered replacing their CRM system. They had a number of options: an entirely new cloud-based solution or a traditional on-premises platform. Cloud offers a great many advantages around new ways of working, including greater business flexibility and reduced costs through user-based charging rather than capital expenditure. The client considered that the risk to data security increased, as users would have the ability to access data and systems on any device as well as to download data to any device.

However, opting for a traditional on-premises platform brought its own risks: strictly defined ways of working, poor access to information and tightly controlled security would push users to source their own solutions in order to increase their productivity. With a tranche of quick apps available to download, both data security and governance could be bypassed entirely, as users could download their application of choice and input client data within minutes.

Success or failure in the ‘as a service’ environment brings new challenges, difficult decisions for finance and greater complexity for procurement and contract negotiation.

The biggest single risk to governance and data security is the host of ‘apps’ that offer business applications and productivity tools – all your users need is internet access and a credit card.

Building Governance into the ‘as-a-service’ Environment

Call today to see how Concorde can help you deliver clarity and control to your Hybrid IT Environment. Contact us on +44 (0)1491 870 250 or [email protected]


How to get the most out of different cloud models

Public, private and hybrid cloud all have their own security challenges. What are the options for the CIO?

Different cloud models

Cloud computing is here to stay. According to the latest CIF survey, some 78 per cent of UK organisations are now using at least one form of cloud service and, perhaps more remarkably, 11 per cent of British businesses are now using four or more services. That’s definitely a sign that it’s no longer a few test sites that are being deployed.

The trend is ever upwards: this is the fifth year of the survey and, since the first one in 2010, the growth has been 61.5 per cent: a healthy growth indeed. That’s not to say that cloud is taking over these organisations: the CIF survey found that 85 per cent of organisations still operate on-premise datacentres, so most firms are looking for a way for the systems to co-exist – the hybrid model of IT.

There’s a structure to CIOs’ choice, with certain services becoming an obvious fit for cloud: web hosting, email, CRM, data back-up and disaster recovery are prime choices. Anything that involves any confidential client data tends to be kept well away.

That reflects a seeming paradox among companies. Yes, there is greater acceptance of the cloud and more businesses want to use it, but such an attitude goes hand-in-hand with a distrust of cloud providers. According to research published in September 2014, 70 per cent of businesses accused cloud providers of failing to comply with laws and regulations on data protection and privacy.

The survey, which was commissioned by Netskope and The Ponemon Institute, also found that businesses thought a data breach was more likely when data was stored in the cloud – 53 per cent of respondents said the likelihood of a data breach increases due to the cloud. But that’s not the worst of it. The study also found that data breaches were likely to be more expensive when they involved the cloud.

This does seem to be unnecessary paranoia, though. There are certain items that shouldn’t be placed in the cloud, and there are some regulated industries that do have restrictions on what can and can’t be done in the cloud (more of this in another article).

Mixing things up

In fact, there’s a rather unholy mix dominating IT departments. On the one hand, there is this heightened concern about security but, on the other, there’s been a change in business culture. The CIO has to think like a service provider and deliver services – whether they come from public cloud or private datacentres – according to HP fellow Mateen Greenway.

Unfortunately, too often the CIO comes from a culture where he or she has tried to control what’s being offered, rather than thinking about what the business wants, Greenway adds. “The CIO has the reputation of being the person who says no, but the business is there to get the job done,” he says. “That’s why we’re seeing the emergence of shadow IT, because it’s the quickest way to get the job done.”

Greenway sees a contrast between the way that start-ups operate and the way that enterprises work. “New companies behave differently. They take the shadow IT route and explore the public cloud option,” he says. “It’s when they get bigger, they look to take things more private because, for some organisations, public cloud is not enough even if you encrypt the data.”

The current thought seems to be that information such as confidential customer data can’t be put in the public cloud and private cloud is the answer, but this is a little bit too simplistic. One of the problems faced by organisations is that many of them aren’t aware of what they actually have. So the tendency has been to treat everything as highly secure and, instead, the starting point should be to assess what data a company holds.


DOS AND DON’TS OF SECURING DATA IN THE CLOUD

Do:

✓ Organise your data in a taxonomy according to its confidentiality

✓ Ensure you use 256-bit encryption at rest and on the move

✓ Ensure that your organisation has a clear security policy

✓ Ask the right questions of your cloud service provider – is it ISO 27001-compliant? Who has access to your data?

Don’t:

✗ Assume that if it’s not in the public cloud it will be safe

✗ Go for the cheapest cloud provider – look at the levels of security

✗ Shut end users out. There has to be a mix of openness and security


Now cloud teaches old apps new tricks.

Technology is a constant, forward march. And HP Helion keeps businesses from missing a beat. An open, hybrid cloud brings traditional IT up to speed and gives your developers the power to build new applications faster than ever. Built on OpenStack® technology, HP Helion boosts business productivity while making the most of your IT budget. All while keeping your data as available and secure as it should be. See how cloud lives up to its promise at hp.com/uk/helion

© Copyright 2014 Hewlett-Packard Development Company, L.P. The OpenStack Word Mark is either a registered trademark/service mark or trademark/service mark of the OpenStack Foundation, in the United States and other countries and is used with the OpenStack Foundation’s permission. We are not aff iliated with, endorsed by or sponsored by the OpenStack Foundation, or the OpenStack community.

Starting with the basics

Getting a handle on the data you have should be your first port of call, according to Quocirca analyst Clive Longbottom. “First of all you should establish a taxonomy of data, then sort out what should be open, commercially confidential and top secret. Then you need to make sure everything in the top two categories is encrypted at rest and on the move. And that it’s the same level of encryption throughout – something sensible like 256-bit,” he says. “Once you start encrypting, you don’t want to have multiple keys.” This move to encryption is something that needs to be sorted out whether data is being held on-premise or in the cloud.

That’s a point of view shared by Databarracks’ solutions architect Mark Thomas. “Generally, do companies know what they have? Nine times out of 10 they don’t,” he says. But, he adds, the problem with companies getting to grips with the data they store is that it’s very time-consuming. “It takes a lot of time to sift through and classify that data: many companies just won’t do that. If they don’t have time to segregate and classify data they will assume that it has to be secure.”

However, this classification is just one stage. According to HP’s Greenway, there needs to be greater sophistication in the way that companies operate – the simple paradigm of public cloud being unsafe and private cloud being safe is not enough. “How do you securely move across a hybrid cloud environment? We need security that propagates across the infrastructure,” he says.

Greenway thinks that present day discussions about security provision don’t go far enough. “What should happen is that the security travels with the data itself. It should be the platform that should say ‘This is a document I need to secure.’ When we get to those levels, then we can start treating hybrid cloud as a secure option,” he says.
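The two ideas above, Longbottom’s classify-then-encrypt policy and Greenway’s “security travels with the data”, can be made concrete. The following is an added example written for this page, not code from the report or from any vendor it mentions: records in the top two tiers of the taxonomy are sealed with AES-256-GCM under a single key, and the classification label is bound to the ciphertext as associated data, so the label cannot be stripped or downgraded without decryption failing. The type names, the three labels and the sample records are assumptions; in a real deployment the one key would be a KMS-held key-encrypting key wrapping per-object data keys rather than a raw key in process memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Classification is the three-tier taxonomy described in the text (assumed names).
type Classification string

const (
	Open         Classification = "open"
	Confidential Classification = "confidential"
	TopSecret    Classification = "top-secret"
)

// Envelope is the stored or transmitted form of a record. The label stays
// readable so storage and transport policy can act on it, but it is
// authenticated as associated data and so cannot be altered without
// breaking decryption: the security travels with the data.
type Envelope struct {
	Label     Classification
	Encrypted bool
	Nonce     []byte
	Payload   []byte // plaintext for Open, AES-256-GCM ciphertext otherwise
}

// mustEncrypt encodes the policy: the top two tiers are always encrypted.
func mustEncrypt(c Classification) bool {
	return c == Confidential || c == TopSecret
}

// newGCM builds AES-256-GCM and refuses shorter keys, so the same strength
// is used everywhere (the "256-bit throughout" point in the text).
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect applies the policy to one record under a single key.
func Protect(c Classification, plaintext, key []byte) (Envelope, error) {
	if !mustEncrypt(c) {
		return Envelope{Label: c, Payload: plaintext}, nil
	}
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(c)) // label bound as AAD
	return Envelope{Label: c, Encrypted: true, Nonce: nonce, Payload: ct}, nil
}

// Unprotect reverses Protect and rejects two failure modes: a sensitive
// record held in clear, and an envelope whose label or body was altered.
func Unprotect(e Envelope, key []byte) ([]byte, error) {
	if !e.Encrypted {
		if mustEncrypt(e.Label) {
			return nil, fmt.Errorf("policy violation: %s data held in clear", e.Label)
		}
		return e.Payload, nil
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, e.Nonce, e.Payload, []byte(e.Label))
}

func main() {
	key := make([]byte, 32) // stands in for a KMS-held key
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample records; not data from the report.
	samples := []struct {
		c    Classification
		body string
	}{{Open, "press release"}, {Confidential, "price list"}, {TopSecret, "board minutes"}}
	for _, s := range samples {
		env, err := Protect(s.c, []byte(s.body), key)
		if err != nil {
			panic(err)
		}
		back, err := Unprotect(env, key)
		fmt.Printf("%-12s encrypted=%-5v roundtrip_ok=%v\n",
			env.Label, env.Encrypted, err == nil && string(back) == s.body)
	}
}
```

The check worth noting is in Unprotect: a record labelled Confidential or Top Secret that arrives unencrypted is rejected rather than silently read, which is the shape of control the checklist’s “encryption at rest and on the move” needs if it is to be enforced rather than merely hoped for.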

In the meantime, we have a host of different efforts to secure cloud. We’ll still get companies moving confidential data into private cloud, but it’s doubtful whether this is a situation that will last forever.

Public cloud is not the insecure option that many people take it for, according to CIF chairman Richard Sykes, who says: “When you look at companies like Amazon, you effectively have people running datacentres as a manufacturing process, so there’s a state of continual progress. Big cloud players offer so much in servers, in security and so on that companies who run their own datacentres will constantly be slipping behind.” Sykes believes that, sooner or later, public cloud providers will offer so much more in terms of security that private cloud will be left behind. Although some concerns will linger. Greenway concludes: “If you want total data security, you can put all your data on a drive, lock it in a safe and drop it at the bottom of the sea.”


HP Q&A


We speak to Peter Schofield, cloud and mobility director of advisory services at HP, about how cloud is changing the nature of business

Profile

Peter Schofield, HP’s cloud & mobility director of advisory services

Peter is the global portfolio lead for HP’s applications transformation, cloud and integration. In this role Peter is responsible for HP’s investments in cloud applications and for the global and EMEA cloud applications portfolio and sales enablement teams. Peter is currently also leading HP’s Helion Professional Services initiative for application transformation to cloud, launched at HP Discover in Las Vegas. Peter has experience in implementing major applications modernisation programmes in the UK Government and financial services in the private sector. He has also worked with HP’s strategic clients and carried out financial services and government strategy work, in addition to his role as EMEA consulting CTO during his 12 years with HP.

What reassurances can you provide CIOs who want to move to the cloud?

Assurances on the use of HP Helion OpenStack components for enterprise use include the portability of workloads. In addition, there is the integration between different cloud services using HP’s CloudSystem Automation software and strong solutions to meet regulatory, security and privacy requirements.

Within a hybrid environment, is there a difference between the way you look after data on-premise and data in a cloud?

Yes. On-premise, the legal and regulatory frameworks are clear. For cloud services, the geographical boundaries of the cloud and, in some cases, support services need to be taken into account for government and regulated businesses.

Who should have responsibility for data governance?

The business owner of the data is a core part of the business. In my opinion, this should never be delegated. But it can be assisted and enabled by the supporting functions listed.

What particular reassurances can you offer to CIOs within highly regulated industries?

HP has a range of hardened enterprise-grade cloud services tailored to meet regulatory needs with military-spec security built in, while HP Enterprise Security Services provides independent validation and assurance for HP and any other cloud offerings.

The rise of big data has meant that data needs to be more readily accessible from a variety of different endpoints. How can you marry accessibility with security?

Big data can be aggregated for consumption so that the core data remains highly secure on-premise or in a private cloud. Where data needs to be made more accessible, existing trusted authentication processes and technologies should be used to ensure the correct level of security on the full range from public through to private cloud.

Following on from that, what preparations should a CIO be making to prepare for a culture where mobile communication is the norm?

In many countries, mobile communication is already the norm. Some government departments are already switching to mobile as the primary channel and many enterprises are already finding that ‘digital natives’ are spurning traditional channels.

In addition to the well-trailed technology enablement for mobile communications and managing the apps ecosystems springing up, there are two key areas that CIOs need to grasp with the support of their marketing colleagues.

These are focused on the whole area of digital customer experience and bringing service-design thinking to the fore. Both of these disciplines are aimed at making digital services infinitely more attractive and consumable by today’s consumers, customers and citizens, whose expectations have been fundamentally changed by the new generation of business.

Do you see a difference in the way that the public sector and private sector handle data?

Interestingly, I see a huge convergence between commercial and public sector organisations in the care needed for data, whether it be patient healthcare records, the delivery of digital content for a cinema chain or the integration of risk and regulatory data for a bank. The issues and solutions are increasingly the same.

Is there a difference in the way that HP tackles security and cloud security?

HP Enterprise Security Services provides an integrated set of security consulting and management services. These services are underpinned by a network of eight security operations centres to effectively cover all aspects of information security, including issues related to cloud computing.


HP Case study


At-a-glance

Secure protection in a world of complex threats

HP Vulnerability Management

Identify vulnerabilities and learn from gathered intelligence. Get current-state knowledge from constant assessment of your IT systems’ vulnerabilities.

See your vulnerabilities

IT vulnerabilities can be tremendously expensive to companies in terms of brand and reputation damage, lost IP, fines, and remediation costs.

In a large environment, it is always challenging to validate that the proper patches or correct configuration settings have been applied. You need regular vulnerability assessments of computer systems, networks and applications for weaknesses, along with criticality prioritization and remediation advice.

On the other hand, applying patches to avoid vulnerabilities can also be tremendously expensive, due to the system downtime, testing and disruption inherent in the patching process.

Since many vulnerabilities may pose minimal or no risk to your particular IT environment, it is important to judge carefully the relevance and seriousness of vulnerabilities versus the cost of patching.

Know the value

HP Vulnerability Management Services provides capabilities for proactive and periodic scanning of the corporate IT infrastructure to discover vulnerabilities. It also provides threat intelligence information correlated and focused on your critical technologies.

This enables you to stay a step ahead of hackers and make sure your critical infrastructure is patched and protected. At the same time, you avoid the effort and cost of emergency remediation for vulnerabilities that are less important or even irrelevant to your specific IT environment.

Realize the benefits

• Risk-prioritized approach to managing vulnerabilities

• Threat intelligence and insight focused on your corporate IT infrastructure

• Cost-effective approach to meet regulatory compliance requirements

• On-demand access to service without capital expenditures

Insights

• You need to protect and defend your IT systems.

• An integrated approach is necessary.

• HP Vulnerability Management Services can help.


Manage your threats, exposure

HP provides a variety of options for scan coverage and integration of data into other outsourced services. We provide input into the prioritization of security alerts and investigations. It follows this approach:

• Implement plan with technical facts survey—ensuring relevant information is captured and considered.

• Assign and track remediation activities and approved exceptions, using the HP Implementation Plan Builder.

• Provide an historical record of scanning for at least one year, using a scan manager.

• Implement an automated preinstallation scan to minimize the build time of a new server by enabling automated scanning and rescanning of new servers.

• Integrate existing vulnerability scanning information into an HP Security Information Event Management solution to prioritize other types of alerts and enable HP Security Operations Center staff to quickly investigate issues.

• Correlate scanning information with vulnerability and threat information from hundreds of vendors and thousands of specific versions of products 24x7x365— further prioritizing incoming threat and alert data and enabling the semi-automation of alert investigation.

Scan for vulnerabilities

Three types of vulnerability scanning services are available:

Scheduled scans—You can request the scan, based on contracts and subscription for regular reoccurring, periodic scans. Frequency is based on your needs.

Preinstall scans—These scans are performed before system deployment as part of the system provisioning process.

Ad hoc scans—You can request these scans separate from contracted periodic scheduled or preinstall scans.

Our best practice recommendation is that all servers be scanned a minimum of once per year but a variety of options are available.

This minimum level of scanning is considered a required service. Many organizations opt for quarterly, monthly, weekly, or continuous scanning. We work in smaller or shared environments to validate inventory and blacklists of devices and applications that should not be scanned.

Organizations in larger environments can work with an inventory list or use discovery scans to gather and validate inventory information.

HP tracks the quality of the network vulnerability scanning service through three key measures:

• Scan coverage—This is the percentage of inventory IP addresses successfully scanned. This metric provides visibility into the coverage quality of each scan so that issues can be addressed and any network changes affecting coverage can be remediated.

• Serious vulnerabilities per scanned IP—This is the number of high vulnerabilities per IP scanned. HP works with your organization to prioritize remediation activities and track overall issues and improvement.

• Number of repeat vulnerabilities—If issues cannot or have not been remediated between scans, identified stakeholders and remediation teams can be alerted so remediation barriers can be investigated, reviewed, and resolved.
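The three measures above can be computed directly from scan output, and doing so makes their blind spots visible. The following is an added example written for this page, not HP code: given the previous and current scan runs it reports coverage, high-severity findings per scanned IP and repeat findings, and it also lists hosts that answered the scan but are absent from inventory, which a coverage percentage alone would never reveal. The struct names, the severity labels and the two sample runs (with placeholder VULN-n identifiers, not real vulnerability IDs) are constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Finding is one scanner result: host, vulnerability identifier, severity.
type Finding struct {
	IP       string
	VulnID   string
	Severity string // "high", "medium" or "low" (assumed labels)
}

// Scan is one run: the inventory it was meant to cover, the hosts that
// actually answered, and what was found on them.
type Scan struct {
	Inventory []string
	Scanned   []string
	Findings  []Finding
}

// Metrics are the three quality measures listed in the text, plus the
// blind spot they imply: scanned hosts that nobody inventoried.
type Metrics struct {
	Coverage       float64  // inventory IPs successfully scanned / inventory IPs
	HighPerIP      float64  // high-severity findings per scanned IP
	Repeats        []string // "ip vulnid" still present since the previous scan
	NotInInventory []string // scanned hosts missing from inventory
}

func toSet(xs []string) map[string]bool {
	s := make(map[string]bool, len(xs))
	for _, x := range xs {
		s[x] = true
	}
	return s
}

// Evaluate compares the current scan with the previous one. Empty scans
// yield zero metrics rather than a division by zero.
func Evaluate(prev, cur Scan) Metrics {
	inv, scanned := toSet(cur.Inventory), toSet(cur.Scanned)
	var m Metrics
	covered, high := 0, 0
	for ip := range inv {
		if scanned[ip] {
			covered++
		}
	}
	for _, f := range cur.Findings {
		if f.Severity == "high" {
			high++
		}
	}
	if len(inv) > 0 {
		m.Coverage = float64(covered) / float64(len(inv))
	}
	if len(scanned) > 0 {
		m.HighPerIP = float64(high) / float64(len(scanned))
	}
	seen := make(map[string]bool, len(prev.Findings))
	for _, f := range prev.Findings {
		seen[f.IP+" "+f.VulnID] = true
	}
	for _, f := range cur.Findings { // same host, same vulnerability: not remediated
		if k := f.IP + " " + f.VulnID; seen[k] {
			m.Repeats = append(m.Repeats, k)
		}
	}
	for ip := range scanned {
		if !inv[ip] {
			m.NotInInventory = append(m.NotInInventory, ip)
		}
	}
	sort.Strings(m.Repeats)
	sort.Strings(m.NotInInventory)
	return m
}

// SampleScans returns two constructed runs; the IDs are placeholders.
func SampleScans() (prev, cur Scan) {
	hosts := []string{"10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"}
	prev = Scan{Inventory: hosts, Scanned: hosts, Findings: []Finding{
		{"10.0.0.1", "VULN-1", "high"}, {"10.0.0.2", "VULN-2", "medium"}, {"10.0.0.3", "VULN-3", "high"},
	}}
	cur = Scan{Inventory: hosts,
		Scanned: []string{"10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.9"}, // .4 missed, .9 unknown
		Findings: []Finding{
			{"10.0.0.1", "VULN-1", "high"},   // unresolved since last scan
			{"10.0.0.2", "VULN-4", "high"},   // new
			{"10.0.0.3", "VULN-3", "high"},   // unresolved since last scan
			{"10.0.0.9", "VULN-2", "medium"}, // on a host nobody inventoried
		}}
	return prev, cur
}

func main() {
	m := Evaluate(SampleScans())
	fmt.Printf("coverage=%.2f high/ip=%.2f repeats=%v unknown_hosts=%v\n",
		m.Coverage, m.HighPerIP, m.Repeats, m.NotInInventory)
}
```

On the sample runs the coverage figure reads a respectable 75 per cent while one host was missed and another, never inventoried, is carrying a finding; that is why the unknown-host list is worth reporting alongside the three headline measures.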

Get vulnerability intelligence

The HP Vulnerability Intelligence Service is an optional capability if additional awareness of threats and vulnerabilities is warranted within your environment. It includes:

• Assessment and customization—Evaluation of your in-scope environment and written recommendations on technology prioritization for monitoring

• Instant notification—Real-time notification provided for publicly known vulnerabilities, based on your criteria—severity of vulnerability and other risk criteria

• Daily and monthly summary reports—Consolidation of all publicly known vulnerabilities, based on your criteria

Other optional features include:

• Monthly, live, and interactive Adobe and Microsoft Patch Tuesday briefings, with question-and-answer period

• Quarterly, live, and interactive Oracle briefings, with question-and-answer-session

• 24x7 hotline access to HP experts for additional consultation

Why HP?

• We offer an integrated framework for the discovery, tracking, remediation, and analysis of vulnerabilities—at an attractive price.

• Through our TippingPoint team, NMCI security team, and other groups, HP is actually the source of many of the vulnerability discoveries that are fed to Microsoft, VeriSign, and others. HP discovers four times the critical vulnerabilities found by the rest of the market combined.

• HP monitors thousands of technologies from 200-plus vendors for system vulnerabilities. We publish more than 8,500 bulletins per year.

• HP has more than 40 years of experience delivering security services, with thousands of certified security professionals worldwide.

Learn more at hp.com/go/security

© Copyright 2012-2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Adobe is a registered trademark of Adobe Systems, Inc. Microsoft is a U.S. registered trademark of the Microsoft group of companies. Oracle is a registered trademark of Oracle and/or its affiliates.

4AA4-0828ENW, August 2014, Rev. 3


Regulated industries can benefit from cloud computing

The idea that cloud can’t be used by regulated industries doesn’t stand up to scrutiny. Indeed, there are many ways in which the technology can be deployed...

Regulated industries

While there have been huge advances in the take-up of cloud thus far, certain industries have been reluctant to commit. Organisations in the finance, insurance and pharmaceutical sectors, or in any industry that is subject to a certain degree of regulatory control, have been loath to put too many assets into the cloud.

Compliance regulators have laid down a lot of demands on enterprises, which are forced to jump through multiple regulatory hoops.

Although there have been some exceptions to this – a couple of banks in Australia, for example, have been moving sections of their infrastructure (and, in one case, the entire IT set-up) to Amazon – it’s fair to say that highly regulated industries have historically been suspicious of the cloud.

It has been very difficult for these industries to embrace cloud, as not every service provider is very transparent as to how data is protected, according to Mark Thomas, solutions architect at Databarracks. “That’s not to say it can’t be done. Regulatory bodies can set guidelines to follow and credit card regulatory body, the PCI, does this well,” he says.

“The PCI has been doing this a lot. And you can meet PCI, as long as you follow best practice,” he adds.

PCI DSS is just one example of a standard that can be followed by a company going down the cloud route. Not all regulatory bodies are so open-minded, however. But this should not be a barrier: thousands of companies are moving to some form of cloud computing, and there are advantages for financial institutions in moving to the cloud too.

That includes all the usual benefits (greater flexibility, cheaper software, easier disaster recovery and so on) but also the ability to modernise their infrastructures. This is a particular problem for banks, many of which are built on legacy IT.

Old-fashioned and out of date?

Quocirca analyst Clive Longbottom says that the main issue with regulatory bodies is that they’re based on old-fashioned technologies. “Compliance standards are based on physical paper,” he says. “Basel and DCA, for example, are still very much based on paper and are yet to take on board electronic delivery.”

Politicians have been slow to react to global changes, which has exacerbated the problem, according to Longbottom. “The laws are lagging behind what’s happening in the industry,” he says. “Politicians are not very good at keeping up to date. They don’t realise that the world doesn’t pay attention to lines drawn on a map.”

According to Longbottom, there’s one exception to this. “The only regulatory body that I’ve seen that really takes cloud on board is the Capital Requirement Directive with its external reporting markup language,” he says, stressing it stands alone amidst a herd of paper-based dinosaurs.

But this idea of slow-moving regulatory bodies is not a fair one, according to Marc Vael, chairman of the cloud computing task force with IT auditing body ISACA. “Maybe it’s true [of some], but I don’t think it’s true of other bodies,” he says. “Yes, the financial regulators are a little behind, but they’re aware of digital and are investing in digitisation.”

So, if the regulatory bodies are doing their best to catch up with the 21st century how should CIOs work with them? Vael says that the first thing that CIOs should be doing is asking the same questions of providers as they would of their own company. But, most of all, he says, CIOs should not treat all cloud providers as the same. “There’s a huge difference between the global players, then the marketing people who changed everything to the cloud and small and niche players,” he says.

THE COMMUNITY CLOUD OPTION

One of the ways in which regulated industries can explore cloud safely is the community cloud option, a multi-tenant cloud infrastructure providing cloud services to organisations with similar requirements and shared objectives. For example, it may be the best-fit for utility companies, for public sector groups with shared interests or among banks. By combining resources, the members of the community cloud will benefit from sharing compute power, software and storage, using economies of scale to drive costs down.

There will be some data held in private datacentres, as companies will be unwilling to share everything with close competitors, but not all data is that confidential and the community cloud could provide a way forward.

There are difficulties with the concept though. Security, obviously, but there are also issues with software licences, allocation of costs and data governance (among others). That said, the concept of the community cloud is clearly an option for some. In time, we can expect to see certain service providers specialising in particular sectors, offering a customised service.

We’re some way from community clouds becoming mainstream, but they do offer a further option to regulated sectors.

Vael points out that much of the discussion on cloud focuses on the major providers, but it doesn’t have to be that way. “Everyone’s staring at the big ones, but they’re not the only ones,” he says, pointing out that where he is based, in Belgium, he has other choices. “There are four big domestic providers in Belgium who say that data is going to stay in Belgium and is not going to go anywhere else,” he adds.

That provides a choice, one that is replicated in other countries, according to Vael. “Customers should look to domestic models, ones which provide an outlet that may have more of a focus on privacy,” he suggests.

There certainly seems to be a clash between service providers, national regulators and, in Europe, the EU. At present, governments are lagging behind, according to Longbottom. “National and regional laws are trailing what’s happening in technology. For example, Germany says information on German citizens can’t be held outside German borders – I’m not sure that it’s enforceable,” he says.

“That’s before we mention the question of where the data’s being distributed. It’s no longer subject just to national regulation, but could be held on a variety of different appliances around the world.”

Private: Do not enter

There are also other forces at play. While a company has to follow guidelines laid down by an industry regulator, there are other bodies involved, namely privacy bodies. “Privacy is important too. Personal identification information (PII) is regulated by industry regulators and privacy regulators,” Vael adds. This is yet another issue to throw into the mix.

There’s also the ever-shifting pattern of regulation. Rules that were once sacrosanct are now being reworked. “Healthcare data used to be held within the hospital, now it’s within the borders of the country,” adds Vael, who calls for an approach towards privacy that would be immediately effective in all countries in the EU. He points out some of the drawbacks: “It won’t help companies who are global and companies outside the EU see that as a trade barrier,” he says, adding he believes such challenges can be overcome.

It’s not just about national or EU regulation though, according to Vael. Firms should be asking cloud service providers whether they follow ISAE 3472, he suggests. “This is an international standard of audit – replacing SAS79,” Vael says. “It’s a mark to a customer that I’m guaranteed to follow all the rules and saves them having to check everything – otherwise it’s a big task to get that done.”

But details about the standard are not easily found. And, as Vael points out: “Other people - the bad guys - would really like that information.”

There’s nothing wrong with any industry – even a regulated one – exploring the potential of cloud. There are the usual questions to ask, ones you would ask any provider, but there are also other areas to explore. These are based on auditing standards and ensuring you know where your data is at all times. It’s important not to treat all cloud providers the same – some will provide detailed information about where data is being held, some won’t.

It’s also important not to treat all data the same: sensitive customer information cannot be treated in the same way as system data.

And there shouldn’t be too much pressure placed on the service provider. “Not all the emphasis should be on the service provider,” Thomas says. “The customer has to do as much digging and analyse what it has in its environment.”


Disaster Recovery as a Service ULTRA SECURE PEACE OF MIND

Databarracks has been providing the most secure cloud services in the UK for 10 years.

Since launching one of the world’s first managed backup services in 2003, we’ve been bringing unbeatable performance and resilience to mission critical data with our disaster recovery and infrastructure services.

Housed 30 metres below ground in ex-military nuclear bunkers, our DRaaS platform was recently benchmarked as running 1,702% faster than a leading competitor.

That means faster recoveries, better testing and guaranteed availability when you need it most.

This is all backed up by unparalleled support. Our hand-picked engineers are dedicated to keeping your public and private clouds running in perfect harmony, 24/7/365. Consistent performance, constantly supported.

To find out more visit us online at www.databarracks.com or call 0800 033 66 33


Databarracks Q&A

We discuss cloud security concerns and why businesses needn’t worry so much with Peter Groucutt, managing director of Databarracks

What reassurances can you provide CIOs who want to move to the cloud and are concerned about the regulatory environment?

They are not on their own. This is a very common concern. I would suggest that they engage with their regulators. If there is not any specific guidance published on the use of cloud services, ask why.

There are different types of regulators with different approaches to how they govern. Payment card regulations for instance are very prescriptive – you know exactly what needs to be done to be compliant. Industry-specific regulations are often less specific and more like guidelines for the use of cloud computing. It is that sort of regulatory environment that can cause the most difficulties, because there is a lack of clarity.

If you have a good understanding of your regulatory environment, there is a lot that can be transferred from on-premise computing to cloud services. Access, encryption and data retention are all issues that can be tackled in similar ways. If regulators are not clear about how to address cloud-specific issues like location of datacentres and multi-tenancy then push them for clarification.

How aware are CIOs of where their data is stored?

Very aware… mostly. Major IT decisions and infrastructure moves will be very well scrutinised. If a business wants to move all of their systems to an IaaS provider, those projects will involve not just the CIO, but the IT team, legal and compliance departments and probably the board.

The problem for CIOs is what we are now calling ‘Shadow IT.’ These are the smaller projects that aren’t authorised and approved by the IT department. As more technology products target ‘line-of-business’ owners rather than the IT department, it is a trend that is likely to continue. Often the first time that IT will hear about these projects is after the purchase when someone wants to integrate the service with another system and needs some help.

This issue is fixed by communication and by making sure that departments actually engage with the IT team rather than work around them. The better CIOs are the ones who are thought of as enablers by the rest of the business, not just compliance-fiends who are defending their empires.

Within a hybrid environment, is there a difference between the way you look after data on-premise and data in a cloud?

There can be. For some people that is the point of having a hybrid cloud, keeping sensitive systems on premise and pushing less sensitive data out into the cloud.

On the other hand, one of the other key reasons businesses use hybrid cloud is that they can use it for ‘cloud bursting.’ This can be sensible if you usually have very stable resource consumption, then periods when you need to scale up. For those use cases, you actually want exactly the same data management for your on premise systems as in the cloud. The best platforms in those instances are the ones that allow for good integration to keep the process simple.

Profile

Peter has a history in understanding and mitigating risk, having spent many years working in risk management roles within the banking sector – particularly developing applications to monitor value-at-risk across the banks’ treasury and hedged products. In 2000, Peter combined his skills in application development with his love of sailing to set up his own company building ship monitoring and harbour management software, integrating search and rescue using GPS and Radar. Peter has been the managing director of Databarracks for the past 12 years, growing it from one of the first online backup companies in 2002 to one of the UK’s leading cloud service providers.

Who should have responsibility for data governance?

A combination of people. This is really about responsibility and accountability. In organisations large enough to have a CIO or a CSO then, yes, this obviously becomes something they would have overall accountability for. However, they won’t have the direct interaction with systems to make plans a reality, so a lot of responsibility is pushed down to the systems teams to make sure it is enacted.

This also depends on the type of organisation and the regulations you need to comply with. Individual departments will have responsibility for certain regulations. The Data Protection Act is concerned with personal data so there needs to be an element of ownership from marketing departments and the accounts department will primarily be responsible for HMRC compliance.

What particular reassurances can you offer CIOs within highly regulated industries?

The most highly regulated industries like finance, healthcare and legal actually tend to be very well informed. Often we find that regulation isn’t actually preventing uptake of cloud services. In some cases, it is just a case of not wanting to be the first to stick their neck out and use a service no-one else is. It is a case of waiting and watching the early adopters. Once these first companies have taken the risk - and then reported the benefits - it is easy for others to start using cloud services.

Vendors can provide assurances about data security in the form of accreditations. Vendors can also be transparent about their infrastructure and processes. Again, it tends to show potential customers the service providers invest far more in security than customers can.

The lesson we have learned taking ‘online’ or ‘cloud’ backup to market over the last 12 years is that, ultimately, the best reassurance won’t come from the service providers. Such reassurance will come from other businesses in the same industry with similar compliance challenges who are willing to share their success stories.

Do you see a difference in the way that the public sector and private sector handle data?

Yes. Public sector data management is changing. They are moving from seven classifications in the ‘Business Impact Level’ system of data down to just three. Data would be classified IL0, IL1, up to IL6. Now it is just ‘Official’, ‘Secret’ and ‘Top Secret’.

It is a slight oversimplification but, in the private sector, businesses often have just two broad categories of data. Their ‘compliance data’ and ‘everything else’. They manage the ‘everything else’ according to their own principles but keep it separate from ‘compliance data’ because they know they have to follow specific rules for that data.

The problem for the public sector is that firms often have a mix of different classifications of data all together. This means they have to manage all the data at the highest level of security. The changes in public sector data classification mean that now the majority of that data is at the lower level. This makes it far easier to manage that data and to use cloud services through G-Cloud.

In terms of procuring cloud services, this actually makes the public sector more like the private sector. When G-Cloud started, public sector buyers could just pick a supplier based on a security level, for example an IL2 backup service. G-Cloud buyers now have far more freedom of choice, but they also have the responsibility for choosing a service suitable for their needs.

Is there a difference in the way that Databarracks tackles security and cloud security?

No. We have technically always been a cloud service provider, even before we all used the term ‘cloud’. Since we began in 2003, we have always provided multi-tenant services over the internet. For us ‘cloud security’ is ‘security’.

Do you think legal requirements and regulatory issues are a barrier to cloud adoption?

They can be. How regulation impacts the adoption of cloud depends on the specifics of the regulator. If the responsibility is pushed onto users of those services, like for instance how the Solicitors Regulation Authority (SRA) governs, then users are free to make their own decisions. I think most organisations prefer this method of governance to overly specific and prescriptive guidance.


Data Health Check

The Databarracks annual Data Health Check surveys hundreds of IT professionals across 19 different fields to capture a snapshot of the way businesses use and think about IT. Here are the highlights from 2014.

Survey results

1. Key findings

49% of organisations do not distinguish between old and new data.

48% of organisations have not tested their disaster recovery plan in the last 12 months.

“Human error” was the 3rd largest cause of data loss (18%).

Large vs small organisations: how did small and large organisations compare in this survey?

22% of large organisations listed ‘human error’ as the main cause of data loss over the last 12 months, compared to just 6% of small organisations.

10% of larger organisations lost data as a direct consequence of an external security breach, compared to just 1% of small organisations and 7% of mid-size organisations.

Only 3% of large organisations have no data retention policy, compared to 23% of small organisations.

Backup and data retention

9% of Consumer, Retail and Leisure businesses experienced data loss because of human error, compared to 23% in Technology and 29% in Finance.

On the other hand, as one of the most tightly regulated industries, none of the financial organisations surveyed reported experiencing data loss as a consequence of an internal security breach (such as employee theft).

[Chart: What is your data retention policy? Response options: I don’t know; We don’t have one; We have an internally set policy; We keep all data forever; We keep data for a period specified for regulatory compliance. Figures shown on the chart: 5%, 11%, 18%, 18%, 49%.]

2. The state of cloud computing

[Chart: Which factors do you consider to be most important when selecting a cloud provider? Factors listed: Security; Functionality of service; Reputation; Standard of SLA (service level agreement); Hardware; Data centres; Size of company; Location of cloud service provider HQ; Other; Hypervisor; Location of hosting. Figures shown on the chart: 62%, 38%, 33%, 21%, 19%, 18%, 13%, 10%, 5%, 11%, 17%.]

The majority of respondents from every industry rated security as the most important quality when selecting a cloud provider.

However, those who had adopted fewer cloud services tended to rate security more highly, indicating a disparity between expectation and reality.

[Chart: Percentage of respondents who rate security highly, broken down by organisation size (small, medium, large) and by cloud adoption (respondents who’ve adopted 1 or 0 cloud services vs respondents who’ve adopted 2+ cloud services). Figures shown on the chart: 78%, 48%, 74%, 49%, 59%, 36%.]

3. Compliance and data security

Of the 106 respondents who reported they had not reviewed their security policies in the last year, an astounding 21 chose not to despite having experienced significant cyber-attacks in the last 12 months. CryptoLocker, Heartbleed and Keyloggers were the most common cyber threats experienced.

[Chart: Have you reviewed your security policies in the last 12 months in response to a cyber-threat? Response options: Yes, we have reviewed our security policies and have made changes; Yes, we have reviewed our security policies and made no changes; No, we have not reviewed our security policies; I don’t know. Figures shown on the chart: 32%, 29%, 26%, 13%.]

[Chart: Respondents that have been affected by cyber threats in the last 12 months. By organisation size: Small organisations 48%, Medium organisations 70%, Large organisations 63%. By industry (Industrial; Consumer, Retail & Leisure; Finance; Public Services; Technology; Professional Services), figures shown on the chart: 39%, 37%, 42%, 46%, 30%, 30%.]

Want to know more? Download the full report at info.databarracks.com/DataHealthCheck2014.html or take a look at the interactive infographic at datahealthcheck.databarracks.com

How to draw up a comprehensive cloud security policy

What should your first steps be when formulating a security policy for cloud use? Davey Winder has been talking to the experts about this very subject. Read on to find out more...

A formal information security policy is not an optional item for your business. Yet, when your company migrates to the cloud, in any capacity from data storage through to application delivery, it’s often mistakenly accepted that the existing policy will cover this new ground.

Many say that data is data wherever it is stored and the same security policies should apply. While there is some logic to this, it’s rather flawed and has the potential to leave your enterprise exposed to unnecessary risk. An information security policy needs to be a dynamic thing that changes to meet the security demands of the enterprise, and the data it deals with, as new technologies become part of the business landscape.

When it comes to the cloud, the single biggest benefit of having a relevant policy is that the process of creating it requires in-depth thought about what security in the cloud really means to your business and to your data. This necessity to think out loud, to determine a structured response to your needs from top to bottom, is often an eye-opener for the entire team working on it.

Making the commitment to your data

Writing such a document for the cloud is actually little different from any other security policy. It’s just a formal commitment to protect all the data your business uses, which then necessitates a strategy to determine the levels of required protection and the process needed to both achieve and maintain that. Delegating this policy building process to a third party such as, for example, your cloud service provider is security suicide. Your cloud security policy, like your broader data security policy, must be your responsibility. To be sustainable and effective it has to be written from the ground up, and contain input from the top down.

Whether that means the director of a small business working with an external consultant or the board working with the IT, legal and HR departments will depend entirely upon the size and structure (and to some degree the market sector) of your organisation. However, there are some constants which remain no matter how big or small the business, or what sector you are working in.

No policy document is an island

Your cloud security policy should form a coherent part of your organisation’s Written Information Security Programme (WISP). So, while it has to be able to stand tall in addressing the specific needs of data security within the cloud environment, it cannot be totally separate from - and at odds with - the data security policies that are in place elsewhere. A WISP should be seen as a collection of policy documents that provide the steps needed to enforce the security measures they demand. Be aware of this need to co-exist from the get-go.

Don’t reinvent the wheel

Although your existing data security policy isn’t going to be a shoo-in to a cloud-based document, parts of it will fit without too much adaptation. Don’t be afraid to re-use them if they are fit for purpose. Existing policies are there for a reason, and if it can apply to cloudy data then apply it. Equally, look to what others have done and draw from that; ask affiliates or peers within your market sector who have migrated to the cloud for their thoughts, and draw on their experience when it comes to considering your own policy.

Understand your needs before you start writing policies to address them

This might sound obvious, but putting the cart before the horse is not as uncommon as you might imagine.

You need to determine how you will be using the cloud; will it be for data or applications, or maybe a combination of the two? This determination will then allow you to focus on which criteria are required in terms of security policy. It’s that ‘thinking out loud’ process mentioned earlier in action.

For example, when looking at data handling in the cloud from a policy perspective, you will first need to think about how you classify data and how that determines which data is considered ‘cloudable’ by your policy. If you don’t already have a data classification policy then you will need to create one, and the processes required to put that into place.

Your cloud security policy should be readily accessible

Your policy must be both available to and understood by all your employees. No exceptions. You should also bear this in mind when writing the policy in the first place. What’s more, if you want to keep training costs down, it’s best to avoid over-complication and technical complexity. The best security policy will be one that is clear and concise. Don’t be afraid to state the obvious, as that way nobody can claim to have missed the point. Every cloud security policy should start with a definition of intent, which clearly outlines the whole point of the policy. For most organisations, this is likely to be ‘to mitigate the risk to data when using cloud-based services’.

Include worst case scenarios as well as rose-tinted best practice specs

Your policy should not just be about protection, but also about reaction too. Consider how any cloud data breach would be dealt with, including logging and reporting processes, forensic functions and cloud provider cooperation. There are also disaster recovery issues to be considered. You must ensure continuity of operations and not forget ‘end of life’ procedures relating to data transfer and secure wiping if you wish to change cloud providers at any point.

Finally, always involve your legal department

If you don’t have an in-house legal team you should instruct a suitably qualified lawyer. A policy which has no legal standing is as good as useless.

This point is particularly pertinent when it comes to the cloud, not least as subjects such as physical location of data storage and transit can have legal implications upon privacy and security compliance issues.


DEVELOPING A BYOD-FRIENDLY SECURITY POLICY

One policy should take pride of place: make it mandatory that non-supported devices cannot be used to access or store corporate data. And that means being wary about consumer (i.e. non-business) devices.

Your security policy should also address the fact that, if the device has access to corporate information, then company policy applies. If it can access the corporate network via VPN, then it’s part of the same network and subject to the same rules.

Use a real-time approach to malware detection to ensure that any threats are detected in the shortest possible time.

Access to non-business cloud services should be carefully monitored and controlled. Why are employees doing this? Ascertain what they’re using it for and offer secure alternatives.

Ensure that devices and cloud-based applications adhere to any appropriate regulatory compliance schemes.

Concerns over customer data still holding businesses back

Businesses are beginning to make the most of their data, but they need to ensure security issues are sorted out first...

In the past couple of years, companies have been waking up to the idea that the data they hold can bring commercial success. We’re now seeing companies looking to assess social media feeds and video in an attempt to become better informed about their customers.

It’s here that cloud comes into being. It provides businesses with faster analytics, which leads to greater agility. In a competitive market, having such flexibility could lead to real business advantage.

However, there’s still some resistance to this. A US survey from analyst firm Forrester Research, published earlier this year, found that about a third of companies had no plans to move BI systems to the cloud at any point. It’s true though that this means about two-thirds have either done so already or are about to move. Because cloud offers fantastic advantages for companies wanting advanced analytics, it was only to be expected that such large numbers would opt for the benefits that it could bring.

The European ethos is somewhat different. The need for privacy is more deeply ingrained and this goes hand-in-hand with concerns. The Forrester survey was a stark reminder of the difference: so concerned are Europeans about cloud security, there would have been far fewer companies if Forrester had carried out a similar piece of research over this side of the pond.

This is because there is much more concern about the perceived lack of security about cloud. Service providers can talk up their credentials as secure providers but it’s often to little avail.

Couple this with an almost philosophical belief that all data should be held securely, regardless of its importance and level of confidentiality, and you can see some of the difficulties in using cloud within Europe.

And there lies the problem for companies. To make best use of the data, there needs to be a degree of openness and an ability to share, but many businesses are reluctant to make the move – often the barriers are cultural rather than technical.

Some companies do get it though. According to Radek Dymacz, Databarracks’ head of R&D, there are two different approaches to openness and sharing: modern IT and old-school enterprises. “The old-school enterprises have struggled because they have data management baggage,” he says. “They tend to keep more data private than is actually necessary. Their challenge is to rethink what they classify as private to just not shareable information,” he says.

Modern enterprises don’t have the same problem, according to Dymacz. “That’s because they exist in the era of data sharing,” he adds. “I would say that these organisations have a much smaller proportion of their data overall that they consider to be private, but they also have a good grasp of the distinction over what can be shared,” he adds.

“They also tend to have a better grasp over the methods to share data effectively. These are the organisations who understand how important speed of access to data is.”

Private vs public

Many companies do not have a sufficiently granular taxonomy for dealing with information and are inclined to treat all data as private. This has led to companies spending more on security than they need to and also leads to the idea that the cloud is the only place to put confidential data. That’s not necessarily true but is widely accepted as the case.

It’s time to think again. What’s needed, suggests Dymacz, is to re-evaluate what private data actually means.

“By old standards, contracts are private information, but if your company pricing is transparent and you have nothing to hide is the contract really private information?” he says.

“The only way to manage the sharing vs privacy issue is to be able to understand your data so you can make informed decisions. For instance, if you know exactly what your private data is, you can do things to secure it like encryption-at-rest, which is something we don’t see enough organisations doing.”

Companies have a very traditional approach to data management, according to Dymacz. “Businesses usually have a good grasp on their structured data systems.  They will have security policies in place for their finance and their CRM systems,” he says.

“There is usually good management of a small set of other documents like HR records and internal company reports. The big challenge is everything else. Businesses have masses of file data that they don’t know how to classify.”

There are other issues too. Richard Archdeacon from the HP Enterprise Service CTO Office says that just storing data in the cloud is not enough. “You then have to look at the whole lifecycle. How will it be stored? Will it have encrypted links? What’s the recovery method? What happens if we move provider – will it be destroyed?” he says.

“[And what about] auditing? Are they open to audit? It’s not just technical, it’s physical security too.”

Dymacz says that the traditional set-up does cause difficulties. “The problem most businesses have is that their data sits in silos. The ability to delete a specific customer’s data or to provide all of the data on a customer back to them depends on their ability to get the data from several sources,” he states. “From our conversations we know that businesses aren’t confident that they can remove all customer data if they get that request. They can do it very easily for some systems but they can’t be sure they have removed it from everywhere.”

Need to know?

There’s a good deal of debate at the moment about what’s meant by personal privacy and what companies can know about their customers. Google has built its business on knowing as much as possible about its users but, as the company found out lately, Europeans take privacy very seriously – hence the right to be forgotten ruling.

Can there be a fair balance between personal privacy and a company’s right to know about its customers? Databarracks’ Dymacz isn’t sure. “I would say ‘yes’ and ‘no’. For there to be a fair balance, there needs to be a good understanding about what data a company holds about you and how you can actually manage and influence that,” he says.

Databarracks itself has developed a new product to help manage unstructured data. Dymacz describes the thinking behind it: “Kazoup (see boxout) was created firstly to solve data storage issues. When we spoke to businesses about their backups, it was clear that very few had a good understanding of their unstructured data.

“Services like backup and disaster recovery are charged based upon volumes of data. We would ask a company how much data they had to give them a quote and they often wouldn’t know. They would know how much email data they had or how large their databases were because structured data is easier to manage, but not the unstructured, file data.”

More companies will explore ways to look at both structured and unstructured data and cloud is going to play a big part in this. There are many steps to take first, both in terms of improving the infrastructure and handling the data, but the rewards will be massive.

Customer data concerns


ALL ABOUT KAZOUP

Radek Dymacz describes the technology:

“Companies would have X TBs of data, but would usually tell us most of it is rubbish. Kazoup scans a business’ file data so you can see what you have and then put policies in place to manage it better.

It uses metadata to set up policies to archive or delete older data and sort it into categories.

We created the product because businesses were constantly asking for a tool to help understand their data.

We found larger organisations would have some of the enterprise (expensive) tools for file analysis or search and the smaller organisations were just using some simple freeware that didn’t have enough functionality.

We think these issues are going to increase in importance as data continues to grow and as businesses have more regulations to comply with like the Data Protection Directive.”
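The boxout describes a metadata-driven approach: look at what files exist, sort them into categories, and apply archive-or-delete policies to older data. The following Python sketch is an added illustration of that idea written for this page; it is not Kazoup’s code or any vendor’s. The category table, the age thresholds, the "regulated path" exemption and the sample inventory are all constructed assumptions. It reads only metadata (path, size, modification time), never file contents, which is what makes this kind of scan cheap to run across a large file estate.

```python
"""Classify file data by metadata and assign a retention action.

Added example of a metadata-driven file policy (not Kazoup's code).
Categories, thresholds, paths and the sample inventory are constructed.
"""
import os
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from datetime import timedelta
from pathlib import Path


@dataclass(frozen=True)
class FileRecord:
    path: str
    size: int            # bytes
    modified: datetime   # last modification time


# Assumed category table keyed on file extension.
CATEGORIES = {
    "document": {".doc", ".docx", ".pdf", ".txt"},
    "spreadsheet": {".xls", ".xlsx", ".csv"},
    "media": {".jpg", ".png", ".mp4", ".mp3"},
    "compressed": {".zip", ".tar", ".gz"},
    "temporary": {".tmp", ".bak", ".log"},
}
ARCHIVE_AFTER = timedelta(days=3 * 365)   # untouched for 3 years -> archive tier
PURGE_TEMP_AFTER = timedelta(days=90)     # stale temporary files -> delete
KEEP_PATTERNS = ("/finance/", "/hr/")     # regulated areas are never auto-deleted

# Constructed inventory and reference date for the worked example.
NOW = datetime(2014, 12, 1)
SAMPLE_INVENTORY = [
    FileRecord("/shares/sales/proposal_2014.docx", 250_000, datetime(2014, 10, 2)),
    FileRecord("/shares/sales/proposal_2009.doc", 180_000, datetime(2009, 5, 14)),
    FileRecord("/shares/finance/ledger_2010.xlsx", 900_000, datetime(2010, 3, 1)),
    FileRecord("/shares/finance/export.tmp", 40_000, datetime(2014, 1, 9)),
    FileRecord("/shares/it/install.log", 5_000_000, datetime(2014, 6, 1)),
    FileRecord("/shares/marketing/launch.mp4", 1_500_000_000, datetime(2013, 11, 20)),
    FileRecord("/shares/hr/contracts_2008.zip", 30_000_000, datetime(2008, 12, 31)),
    FileRecord("/shares/misc/notes", 2_000, datetime(2014, 11, 30)),
]


def categorise(record):
    """Map a file to a category by extension; unknown extensions are 'other'."""
    ext = Path(record.path).suffix.lower()
    for name, extensions in CATEGORIES.items():
        if ext in extensions:
            return name
    return "other"


def decide(record, now):
    """Return 'delete', 'archive' or 'keep' from age, category and location."""
    age = now - record.modified
    regulated = any(p in record.path.lower() for p in KEEP_PATTERNS)
    if categorise(record) == "temporary" and age > PURGE_TEMP_AFTER and not regulated:
        return "delete"
    if age > ARCHIVE_AFTER:
        return "archive"   # regulated data is archived, never silently purged
    return "keep"


def apply_policy(records, now):
    """Return per-file decisions plus total bytes per (category, action)."""
    decisions = [(r, categorise(r), decide(r, now)) for r in records]
    totals = Counter()
    for record, category, action in decisions:
        totals[(category, action)] += record.size
    return decisions, totals


def scan_directory(root):
    """Build FileRecords from a real directory tree using metadata only."""
    records = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            records.append(FileRecord(full, st.st_size, datetime.fromtimestamp(st.st_mtime)))
    return records


if __name__ == "__main__":
    _, by_bucket = apply_policy(SAMPLE_INVENTORY, NOW)
    for (category, action), size in sorted(by_bucket.items()):
        print(f"{category:12s} {action:8s} {size / 1_000_000:10.1f} MB")
```

The deletion rule is deliberately narrower than the archive rule: a stale temporary file under a regulated share is kept rather than purged, because the retention obligations for that data come from law or policy rather than from its age. Replacing `SAMPLE_INVENTORY` with `scan_directory(path)` runs the same policy over a real share.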

Page 31: Cloud Industry Forum Report: Cloud for Business, Why Security is No Longer a Dirty Word


There used to be a clear split between the technology you used at home and your technology at work. In the office, you had access to a powerful desktop, wide-reaching business software and fast connections, while at home, you had some simple programs running on a cheap PC using a dial-up modem.

That’s the way that things were because there was no need for it to be otherwise. The notion that home technology was more powerful than commercial offerings would have been deemed nonsense. In the last decade, however, all that has changed. There wasn’t a single revolution that changed this but many smaller steps: the provision of broadband to homes (especially when accompanied by an upgrade to fibre); the development of the smartphone market and, connected to this, the decision by Apple to see mobile phones as a means of disseminating applications. Put that all together and you have the perfect storm for a revolution in how devices are viewed and used.

There’s been an about-turn though as the sexy devices are now in employees’ pockets and not on their desktops. What has this meant for the CIO? The former gatekeeper for company technology is now relegated to a bit-part role as companies look to adopt bring your own device (BYOD) strategies.

This change has massive implications for the way that a business operates, with CIOs having to completely rethink all aspects of their IT infrastructure.

BYOD vs cloud

One of the first things to look at is whether a move to BYOD means a move to cloud. In some ways, says Richard Archdeacon from the HP Enterprise Service CTO office, there are similarities. “Look at the drivers for the move to cloud,” he says. “It’s driven by a need for greater flexibility and better management.” He adds that BYOD has brought a similar level of flexibility to the party.

Does BYOD mean bring your own disaster?

BYOD could be a recipe for disaster as the IT department relaxes control, but it doesn’t need to be a big problem…

BYOD: Bring Your Own Disaster?

Page 32: Cloud Industry Forum Report: Cloud for Business, Why Security is No Longer a Dirty Word

The 451 Group security analyst Javvad Malik also sees advantages of moving to the cloud. “Cloud providers are often in ideal positions to offer BYOD-specific features, and many have. Though a large market exists as ‘middlemen’ to provide BYOD features in what I like to call ‘missing feature’ markets,” he says.

Archdeacon points out that although companies are keen to keep data on-premise for security reasons, it shouldn’t be forgotten that cloud providers often deliver higher levels of security, particularly for small businesses.

Weakest links

The danger of unsecured data being loose in the enterprise was highlighted in October 2014 when a survey from Kroll Ontrack suggested that 4.6 million employees had lost work-related data in the last 12 months due to corrupted and malfunctioning personal devices or cloud services. As around a third of UK employees use their own devices to store data, businesses are leaving themselves open to security leaks of this kind, the research warned.

As such, CIOs must make themselves much more aware of what is going on around them, cautions Malik. “The main challenges facing the CIO are monitoring and tracking corporate data and user activity,” he adds. “If 40 per cent of work/corporate system use happens outside the corporate network, how do you keep tabs on what’s going on, and where your data ends up?”

The key is establishing firm BYOD policies, according to Archdeacon.

“Once you have decided to bring in BYOD, you have to implement a BYOD policy,” he says.

“This will include elements such as physical security and anti-malware software, but will also allow CIOs to restrict data to certain devices and let them bring in controls as to what can be accessed from those devices.”

Within a BYOD environment, it’s paramount that those in charge know who is accessing data at any given time.

“You need to work on a clear policy of identification or authentication and this will be additional software on top of your Active Directory implementation,” Archdeacon says, adding that changes in technology will make it easier to pick out compromised users.

“We’re beginning to see the emergence of situational identity where CIOs can identify patterns of access. For example, if a user is accessing the network from a different geographic location than usual, why is that? Has his identity been compromised?”
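The access-pattern check Archdeacon describes can be sketched in a few dozen lines. The Python below is an added example written for this page, not HP’s or any product’s code: it learns each user’s usual source countries from a window of successful logins in a constructed, already geolocated log, then raises an alert when a login arrives from a country not in that baseline, and a second kind of alert when two logins from different countries land closer together than plausible travel allows. The log layout, country codes and thresholds are assumptions.

```python
"""Situational identity check: flag logins that break a user's usual pattern.

Added example for this page; the log layout, country codes and thresholds
are constructed assumptions, not taken from any vendor product.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: UTC timestamp, user, source country (assumed to be
# resolved from the client IP by an upstream geolocation step), outcome.
SAMPLE_LOG = """\
2014-11-03T08:02:11Z alice GB success
2014-11-03T17:45:09Z alice GB success
2014-11-04T03:00:00Z alice CN failure
2014-11-04T08:10:44Z alice GB success
2014-11-04T08:12:30Z bob GB success
2014-11-04T20:01:02Z bob DE success
2014-11-05T08:05:51Z alice GB success
2014-11-05T08:07:19Z bob DE success
2014-11-05T10:00:00Z bob GB success
2014-11-06T08:01:00Z alice GB success
2014-11-06T16:30:00Z alice BR success
"""

BASELINE_DAYS = 3                    # learning window for "usual" countries
MIN_BASELINE_LOGINS = 2              # fewer logins than this -> no baseline
TRAVEL_WINDOW = timedelta(hours=6)   # country change inside this window is implausible


def parse_log(text):
    """Parse the constructed log into event dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country, outcome = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "country": country,
            "outcome": outcome,
        })
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events, days=BASELINE_DAYS):
    """Per-user set of countries seen in successful logins during the first `days` days."""
    if not events:
        return {}
    cutoff = events[0]["ts"] + timedelta(days=days)
    seen = defaultdict(list)
    for e in events:
        if e["outcome"] == "success" and e["ts"] < cutoff:
            seen[e["user"]].append(e["country"])
    return {u: set(c) for u, c in seen.items() if len(c) >= MIN_BASELINE_LOGINS}


def find_anomalies(events, baseline):
    """Return (timestamp, user, kind, detail) for each suspicious successful login."""
    alerts = []
    last_seen = {}  # user -> (ts, country) of the previous successful login
    for e in events:
        if e["outcome"] != "success":
            continue  # failed attempts belong to a separate brute-force rule
        user, country, ts = e["user"], e["country"], e["ts"]
        if user in baseline and country not in baseline[user]:
            alerts.append((ts, user, "new_country",
                           f"{country} not in baseline {sorted(baseline[user])}"))
        if user in last_seen:
            prev_ts, prev_country = last_seen[user]
            if prev_country != country and ts - prev_ts < TRAVEL_WINDOW:
                alerts.append((ts, user, "impossible_travel",
                               f"{prev_country} -> {country} in {ts - prev_ts}"))
        last_seen[user] = (ts, country)
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for alert in find_anomalies(evts, build_baseline(evts)):
        print(*alert)
```

The two rules are complementary: bob’s DE-to-GB hop is inside his baseline and would pass a new-country check alone, but fails the travel-time test, whereas alice’s single BR login passes the travel test and is caught only by the baseline. Two caveats for anyone operationalising this: the baseline is learned from history that may itself already contain an attacker’s activity, and VPN exits and mobile roaming generate false positives, so alerts of this kind are better used to trigger step-up authentication and a review than an automatic lock-out.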

However, technology is only part of the puzzle. The key to successful implementation of any BYOD policy is knowing the basic ground rules. Companies shouldn’t get too hung up on technical solutions, warns 451’s Malik. Indeed, he advises that the first thing they should do is realise that they retain responsibility.

“Regardless of whether you explicitly allow employees to put corporate data and do work on personally-owned devices, or allow it by not setting clear acceptable use policies, the company is responsible,” he says. “Where the responsibility lies is up to the company itself to decide. At least, until the breach occurs, then the board of directors, customers, lawyers and lynch mobs decide who was responsible.”

There are other technical issues that shouldn’t be ignored. Malik warns CIOs about the growing use of file sync and share services such as Box, Dropbox et al. These services - which are usually a boon for users - can be a real problem for managers.

Page 33: Cloud Industry Forum Report: Cloud for Business, Why Security is No Longer a Dirty Word

“No business should be ignoring the file sync and share (FSS) market. It is one of the easiest ways to lose control of corporate data. There are some good products out there that can give employees the convenience of sharing files they need, whilst also offering the ability to audit, track and secure data to satisfy corporate requirements,” says Malik.

HP’s Archdeacon sees possibilities from the use of virtual technology. “These can be used to create solutions based around the idea that a virtual device can be created for remote workers and these can be wound down as soon as the job is completed,” he says.

As the Kroll survey shows, the move to BYOD is a trend that’s not going to disappear any time soon. However, the risks of embracing BYOD are here to stay too. Archdeacon sees the need for education here, saying: “The CISO has to explain the implications of moving to the cloud, he has to explain why you use a cloud solution in a particular way.”

Running a BYOD policy from the cloud offers a whole new way of doing business, but it’s one fraught with risk.

However, not taking that risk could be foolhardy too.


WAYS TO IMPLEMENT BYOD

• Ensure that all devices connecting to the corporate network have appropriate protection

• Implement a strict security policy – ensure that it’s adhered to

• Ensure thorough education for all users

• Bring in guidelines on what can and can’t be accessed on devices

• Deploy 256-bit encryption throughout the organisation

• Sort out data early – critical data and data subject to laws should be separated from the rest of the data

• Implement proper identification/authentication software

• Keep tabs on shadow IT implementations at all times


Lift your business into the cloud

Ingram Micro is a master cloud service provider (mCSP), offering channel partners and professionals access to a global portfolio, expertise, solutions and enablement programs that empower organizations to configure, provision and manage cloud technologies with confidence and ease.

Ingram Micro Cloud’s premier partner program, Cloud Elevate, delivers rewards and enablement services to help channel partners and professionals accelerate their cloud sales and profitability.

If you would like to get your business into the cloud, call our Cloud Specialists today or visit us online. 0871 973 3060 www.ingrammicrocloud.co.uk


Page 34: Cloud Industry Forum Report: Cloud for Business, Why Security is No Longer a Dirty Word


Ingram Micro Cloud Q&A

We speak to Apay Obang-Oyway, Ingram Micro Cloud’s general manager, about the changing nature of cloud governance

Apay Obang-Oyway, general manager, Ingram Micro Cloud

What reassurance can you provide CIOs who want to move to the cloud and who are concerned about the regulatory environment?

There are many UK partners today who are skilled and specialise in cloud technology as part of their core business. These partners are aligned to major industry players such as CIF, Ingram Micro Cloud and vendor partners who are all versed in understanding the challenges and complexity of issues around data sovereignty, security, management and DLP. Providing CIOs choose the right partners to work with and be part of the cloud delivery system, then they have gone a long way towards gaining peace of mind.

How aware are CIOs of where their data is stored?

Very. They are the most senior executive in an enterprise responsible for information technology. Depending on the industry, size, type of organisation, CIOs have varying degrees of awareness around data residency. As technology gets even better and CIO awareness around compliance relating to data grows, there is certainly a greater level of competence around this.

The challenge is not that CIOs are not aware, more so that the technologies within certain DC providers are not strong enough to assist CIOs in answering these questions.

Profile

Apay Obang-Oyway is general manager of Ingram Micro Cloud, a role he has held since early 2014. He is responsible for defining and executing the strategic direction of the company in Northern Europe, working with key influencers and decision makers internally and externally to achieve such goals.

He is an experienced and highly motivated leader in sales, marketing and the channel and prides himself on delivering results through focus, partnerships, energy and acumen.

Prior to taking up his current role, Apay was general manager of the firm’s software, cloud and mobility group for more than five years. Before that, he held a number of key roles both at Ingram Micro Cloud and elsewhere in the industry.

Page 35: Cloud Industry Forum Report: Cloud for Business, Why Security is No Longer a Dirty Word


Within a hybrid environment, is there a difference between the way you look after data on-premise and data in the cloud?

Where data assets are prioritised and secured appropriately, this security is translated to the cloud.

Who should have responsibility for data governance? The CIO? The CSO? A compliance officer/lawyer? Or a combination?

All of the above. It certainly should be all stakeholders within an organisation.

As the democratisation of IT becomes more of a reality - especially because of cloud - all individuals cannot and must not abdicate responsibility around data governance to just one or a few individual roles.

Yes, some roles are responsible for policy creation and implementation, but this is separate to governance responsibility.

What particular reassurances can you offer to CIOs within highly regulated industries?

It is not helpful for the adoption of cloud to be all about reassurances when there are some real challenges - especially for highly regulated industries - that CIOs must understand and take heed of.

Cloud does indeed offer a wealth of value and opportunities for all organisations irrespective of industry, size, type and complexity. However, the key is to understand your regulatory boundaries and compliance issues, find the right partners who understand your industry to deliver the right cloud/hybrid solution and ensure you have a robust, coherent risk management process.

Regulatory complexities should not be a barrier to leveraging cloud solutions for organisations. Indeed, that’s exactly what shows off organisations with the right talented CIOs and partnerships.

The rise of big data has meant that data needs to be more readily accessible from a variety of different endpoints. How can you marry accessibility with security?

By using mobile device management mechanisms and two factor authentication.

Following on from that, what preparations should a CIO be making to prepare for a culture where mobile communication is the norm?

Mobile device management and a direct focus on all data endpoint management.

Do you think legal requirements and regulatory issues are a barrier to cloud adoption?

Not at all. The data location and data security is universal, whether it be cloud or on-premise.

Page 36: Cloud Industry Forum Report: Cloud for Business, Why Security is No Longer a Dirty Word

Current legal situation

We speak to Conor Ward, consultant with international law firm Hogan Lovells and chair of the CIF Legal Forum, about the current state of play

Conor Ward, CIF Legal Forum & Hogan Lovells

Do you think that companies are fully aware of their legal responsibilities when it comes to the cloud? And do you see a difference in attitude between cloud providers and customers?

Whilst there has been a great improvement over the last couple of years in companies’ understanding of the legal issues and their responsibilities in relation to the cloud, we still have some way to go.

As the use of the cloud has become more pervasive, companies still do not appreciate some of the issues that arise as a result of its use, in particular customers at the SME level.

The major providers are now pretty much up to speed on the legal issues that customers need to address and have terms and conditions that cover key issues though - perhaps not unexpectedly - their contract terms favour the suppliers. Data protection (and related security) has probably been the dominant legal issue and at the forefront of companies’ thinking, but customers need to take a more holistic view when looking at cloud services and consider what can go wrong and what remedial action may be required.

The answers will clearly differ depending on the customers’ business (and whether or not it is regulated) and the nature of the services: medical staff not being able to access patient records stored in the cloud will have different consequences from an accounts department not being able to access archived records.

How up to date is the law?

By and large, the law is capable of dealing with the provision and use of cloud. It may have taken some time but lawyers are generally familiar with the issues that arise (and the solutions to apply) in respect of outsourcing transactions.

However, as is always the case when new technologies or services emerge, there are areas of the law that need to be reviewed and possibly changed.

Jurisdiction is clearly one issue that is very topical (e.g. can a US court require Microsoft to provide access to data stored by a customer of Microsoft Ireland on servers located in Ireland?) as is format shifting (e.g. does storing music and other content in the cloud require the permission of – and hence payment of a licence fee to – the rights holder?). These are just a couple of examples of where the law will need to be clarified.

Can the law makers ever keep up with technological change?

Law makers have never been able to keep up with technological change. Typically, the courts have to grapple with issues as they arise and legislators then pick up the pieces. Around 150 years ago, we were questioning whether or not you could enter into a contract by post; 50 years ago the same question arose in relation to telex transmissions (and a supplementary question was where the contract was formed and which law applied). More recently, the question was about email or click wrap agreements.

Profile

Conor is a consultant with the international law firm Hogan Lovells (where he was a partner between 1998 and 2014), practising exclusively in contentious and non-contentious aspects of computers and communications law. In the 1980s he worked as a development programmer at IBM’s UK Laboratories. He also qualified as a barrister.

His work has included advising in relation to numerous outsourcing transactions, cloud computing and SaaS projects, systems development and integration contracts as well as acting for clients in various disputes involving failed projects. Conor is recognised in both Chambers and the Legal 500 legal directories as one of the leading IT lawyers in the UK. Prior to joining Hogan Lovells, Conor worked for IBM as a systems development programmer.

Conor is a member of the Cloud Industry Forum (CIF) and chairs the Cloud Industry Legal Forum which advises CIF on cloud computing legal issues.

Page 37: Cloud Industry Forum Report: Cloud for Business, Why Security is No Longer a Dirty Word

There’s a greater call for sharing data and for data to be made more open – does this conflict with privacy law?

Much will depend on what data is being shared but, yes, privacy issues loom large. So do issues of IP rights and ownership. Data has a value and thus questions of ownership, control and payment will arise.

Do you think penalties are currently appropriate for breaches of security?

The short answer is no. In the case of personal data, the data controller (which is typically the customer in a cloud context) is responsible and liable for any breach of security.

The customer will face any sanctions from the regulators such as the ICO or the FCA and may be liable for damages to the data subject.

The service provider typically limits and excludes its liability to such an extent that the customer has little or no effective remedy against the supplier.

Hence it is important to understand fully what the consequences of a breach of security might be and what mitigations need to be put in place.

The service provider is not there to insure the customer’s business risks: cyber security policies are available.

Other practical steps may also be relevant. These include encrypting data at rest, for example.

An organisation can have very strict rules on privacy and security only to find these are not being adhered to by junior staff. In such cases, do penalties for organisations really help? What more could be done to solve this problem?

Education and training clearly help. The ethos of the company/department are also important. If processes and procedures are lax/not enforced, breaches are likely to happen. Security by design should also be considered so when the employee does something dumb, its effects are mitigated.

What legal challenges are thrown up by the emergence of BYOD?

Control is obviously an issue. What data will the employee have on the device and what happens if the device is lost or compromised? How is data secured/encrypted? What happens to the data when the employee leaves? What happens if the employee’s device is hacked or subject to a Trojan Horse? What if it infects the network or is used by a hacker as a back door into the network? Can the employee use the device during working hours for personal use?

How can highly regulated industries like banking and pharma cope with cloud?

In some respects, the cloud does not bring any new issues to the table. Regulated entities have coped with outsourcing and the use of web-based solutions. They will still be responsible for the services. They will want transparency and visibility, in particular in the event of security breaches or threats, and they will want robust SLAs with teeth that bite.

The one area which may be seen by some as being problematic will be audit rights (and in particular the regulator’s right to audit service providers). This is a known issue and the large service providers have solutions which are generally accepted by customers and regulators alike.

What effect have the Snowden revelations had on the way cloud providers operate?

There is greater focus on knowing where your data is and service providers are making a sales point of stating that data will be stored in specific locations/jurisdictions. See, for example, recent comments by Brad Smith (Microsoft’s general counsel) about creating a trustworthy cloud free from intrusion.

Others, such as Apple, are pushing for data in their cloud to be encrypted in a way that they cannot decrypt: only the user/the relevant device can do that – though the obvious issue here is if the user loses the means of decryption Apple cannot help. Then, in Germany, service providers are effectively building a private internet (based in Germany) to secure data.

Do you think customers’ current safeguards are strong enough?

Typically no, particularly those customers who use off-the-shelf services.

But then again, the main cloud service providers probably provide better security than those customers could provide for themselves.

Page 38: Cloud Industry Forum Report: Cloud for Business, Why Security is No Longer a Dirty Word


Where next?


A Martian arriving in the UK and glancing at our national press would quickly get the idea that Europe is some hostile force aimed at subjugating British powers. What wouldn’t be so clear is that, in many instances, the EU acts in areas where a national body operating on its own would not be so effective.

Data protection is just one such area. The idea that hackers operate solely within national boundaries is a nonsensical one. Therefore all measures around data protection have to involve a multitude of agencies and many nationalities.

Cloud computing is perhaps the most obvious example of this globalisation at work. A system where data can be stored in any country and accessed in another country is a perfect illustration of why national boundaries are inadequate in this case and the reason why there needs to be a pan-European drive towards data protection.

It’s a situation that has been complicated by Edward Snowden’s admission that security forces have been regularly spying on British (and other European) users.

This delicate balancing act between individual data and national security is mirrored by another balancing act: the one between the openness of data and the right to privacy.

A debate of the highest order

It’s a balancing act that no less a luminary than Sir Tim Berners-Lee addressed at this autumn’s IP Expo when he ruminated on the differences between Europe and the US when it comes to handling data.

“I would prefer the US to have stronger data protection so Europe can be a good influence in that way,” he said, before warning that this could reduce commercial opportunities.

It is very easy for the commission to put in place a rule that makes it impossible to start a social network in Europe, Berners-Lee says, but he stresses that initiatives should be Europe-based. “I don’t like the idea of nation siloing,” he added. “It would be bad if you have to store data about a person of a certain nationality in a certain country.”

But there are other problems too, most notably the time lag between technological changes and legal ones.

European legislation scarcely acknowledges the internet, let alone the implications of cloud computing. European companies recognise the problem though. According to a survey carried out this year by Sophos, there’s a need for stronger data protection laws across the continent. Indeed, some 60 per cent of survey respondents thought there should be stronger laws on data protection across Europe. And, even when there was a security policy in place, it was felt that organisations were not doing enough to make employee responsibility clear – 49 per cent of respondents said policies were not being clearly communicated to employees.

Preparing for change

All that is set to change: the European Union has proposed a new regulation, which, if all goes well, will be passed next year and come into effect shortly after.

This sounds like a long time away but, as Anthony Merry, Sophos’ director of data protection, explains, that’s still rapid by EU timescales. “The last reforms were in 1995. Think how much the world has changed since then. Back in 1995, we’d have been using Nokia Symbian and Windows 95, now we all have smartphones,” he says.

“The law needs to change to keep up. And it has to be Europe-wide, so there’s one rule for everyone, not 28 different laws.”

Where next? The European dimension to cloud computing

The law around cloud has been confusing, particularly when national boundaries are taken into account. But that could be about to change...

Page 39: Cloud Industry Forum Report: Cloud for Business, Why Security is No Longer a Dirty Word

The changes are about providing the same rights online as offline, something that hasn’t existed before, according to Merry.

Part of the proposals are to make things as SMB-friendly as possible. Multinationals have always had a European dimension but the proposed regulation will provide a framework for national lawmakers to operate in and, despite the prevailing Eurosceptic sentiments in the UK (and in other parts of Europe), the proposed new regulation does provide some useful guidelines.

Perhaps the most far-reaching change is that companies can no longer be silent about breaches. If you suffer data loss it will no longer be enough to hide behind evasions. A business will have to own up and failing to do so will be considered a fraudulent act.

This is backed up with some real teeth; companies that break these guidelines can now be hit with a hefty fine of five per cent of turnover or £100 million – that’s some serious power. And there will be a central authority (whose scope has yet to be defined) responsible for overseeing these changes.

Implications

What does this mean for companies pushing things out to the cloud? If you’re a company looking after your customers’ data then you have ultimate responsibility – that’s the situation now and will be the same after the new regulation comes into force. But you now have to be more aware of where the data is being held and if there are any breaches of security. For example, if you hand things over to a cloud provider, you are both responsible.

One of the elements of this is encryption. Companies will now have to be much more thorough about encrypting data. Any organisation whose employees leave unencrypted memory sticks on buses, or who lose unencrypted spreadsheets on laptops in taxis is going to be in serious trouble. Cloud computing offers a way out here but, again, there will be a need to encrypt data at rest and while being transferred to the cloud.

Under the draft regulation, says Merry, as long as a company has encrypted the data (and can prove it), it is under no obligation to report a data breach to its customers – although it will still have to report the breach to the central authority.
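The two paragraphs above make two practical points: data handed to a cloud provider needs to be encrypted at rest and in transit, and a controller who can prove the data was encrypted faces a lighter duty to notify customers. The Go program below is an added example, not code from the report or from any provider it mentions, showing the shape of client-side encryption before upload: the record is sealed with AES-256-GCM under a key the customer keeps, the key label is bound in as associated data, and an audit record (key label plus SHA-256 of the ciphertext) is retained as the evidence. The key label, the record format and the sample customer data are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// EncryptedObject is what would be handed to the cloud provider. The key
// itself never leaves the customer's side.
type EncryptedObject struct {
	KeyID      string // label of the customer-held key (constructed naming)
	Nonce      []byte // 12-byte GCM nonce, unique per object
	Ciphertext []byte // AES-256-GCM output, authentication tag included
}

// AuditRecord is the evidence the controller retains: it shows an object was
// stored encrypted under a named key without revealing the key or the data.
type AuditRecord struct {
	KeyID          string
	CiphertextHash string // SHA-256 of the stored ciphertext, hex encoded
}

// NewDataKey generates a fresh 256-bit AES key. In practice this would come
// from an HSM or key-management service controlled by the data controller.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptForUpload seals plaintext with AES-256-GCM. keyID is passed as
// associated data, so an object cannot be replayed under a different key label.
func EncryptForUpload(key []byte, keyID string, plaintext []byte) (EncryptedObject, AuditRecord, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return EncryptedObject{}, AuditRecord{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return EncryptedObject{}, AuditRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedObject{}, AuditRecord{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(keyID))
	sum := sha256.Sum256(ct)
	obj := EncryptedObject{KeyID: keyID, Nonce: nonce, Ciphertext: ct}
	rec := AuditRecord{KeyID: keyID, CiphertextHash: hex.EncodeToString(sum[:])}
	return obj, rec, nil
}

// DecryptFromStore reverses EncryptForUpload. Any change to nonce, ciphertext
// or key label fails authentication and returns an error.
func DecryptFromStore(key []byte, obj EncryptedObject) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, obj.Nonce, obj.Ciphertext, []byte(obj.KeyID))
}

// VerifyStored checks a downloaded object against the retained audit record:
// the controller can show the object in the provider's store is exactly the
// encrypted one it uploaded.
func VerifyStored(obj EncryptedObject, rec AuditRecord) error {
	sum := sha256.Sum256(obj.Ciphertext)
	if obj.KeyID != rec.KeyID || hex.EncodeToString(sum[:]) != rec.CiphertextHash {
		return errors.New("stored object does not match audit record")
	}
	return nil
}

func main() {
	// Constructed sample record; not real customer data.
	record := []byte(`{"customer":"A.N. Other","account":"EXAMPLE-0000"}`)
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	obj, rec, err := EncryptForUpload(key, "cust-key-2014-01", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("upload: %d bytes of ciphertext under %s\n", len(obj.Ciphertext), obj.KeyID)
	fmt.Printf("audit:  sha256=%s\n", rec.CiphertextHash)

	// With the key the object round-trips; a modified object is rejected.
	pt, err := DecryptFromStore(key, obj)
	if err != nil || string(pt) != string(record) {
		panic("round trip failed")
	}
	obj.Ciphertext[0] ^= 0x01
	if _, err := DecryptFromStore(key, obj); err == nil {
		panic("tampering went undetected")
	}
	fmt.Println("round trip ok; tampered object rejected")
}
```

This covers the at-rest half: the provider only ever holds ciphertext and the nonce, and a lost copy without the key is unreadable. Transport to the provider still needs TLS, and the audit record only proves what was uploaded was encrypted, not that the key was kept out of the provider's reach; that is a key-management question the report leaves with the controller.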

One of the sticking points of the new regulation is going to be the clash with US law. This will be a set of guidelines that apply to European companies and to companies doing business in Europe, but what we don’t know is how the US will react if European law clashes with its own, according to Merry. The recent case with Microsoft in Ireland demonstrated how US authorities will likely side with US companies, and the new directive won’t make such clashes go away.

But, Merry asserts, the proposed regulation is a step in the right direction, saying: “There’s a lot more to be done. There have been close to 4,000 amendments to it.” However, he points out that the big core principles are now bedded down and only smaller implementation issues remain.

It’s been a long time coming, but UK firms are about to get regulation that strikes a balance between protecting data and doing business, and that shows the country as part of a wider European set-up.

EUROPEAN REGULATION – LEGAL QUESTIONS ANSWERED

Do you think the proposed European Data Protection Regulation will help clarify some of the existing anomalies or will it lead to confusion?

The draft regulation is still being debated/negotiated so many points are up in the air. If it gets adopted (some in HMG are keen that it does not, but I believe that the Germans will prevail and it will get through) it will introduce clarity in some areas. It is likely to provide that data processors (including cloud service providers) will be liable for data breaches and not just the controller/customers. There will undoubtedly be some ambiguities and disputes that will go to court.

The new EU proposals set out tougher penalties for companies who pay little regard to data protection. Is this a step in the right direction or a sledgehammer to crack a nut?

Our existing law is weak when it comes to penalties for breaches. The current proposals of the draft regulation possibly go to the other extreme. However, in these days of social media and cloud services, this may be what is required to ensure good practice when it comes to the collection and use of personal data.

Do you think cloud providers and customers who use the cloud will start changing policies before the regulation comes into force or be dragged kicking and screaming to make the changes?

Given that more than 3,000 amendments were tabled against the original draft, it may be premature to start changing now. Though, as the draft firms up, there may be areas which merit thinking about. Once the regulation has been adopted, I am sure that companies who are properly advised will start to prepare during the transition period.

We’ve already seen a clash between US and European law when it comes to US firms operating in Europe – will the proposed regs do anything to help?

Unlikely. Indeed, the current draft brings US companies that target EU customers under EU control, even though the US company may not have a physical presence in the EU. This will be controversial. Data flows/export are high on the agenda of the US on the transatlantic trade treaty negotiations which the US and EU are about to embark on. The EU wants them off the table: the US does not.

Credit: Conor Ward, Hogan Lovells & CIF Legal Forum Chair

I would prefer the US to have stronger data protection so Europe can be a good influence in that way.