Planning for a cloud deployment is straightforward. It should start with a thorough assessment of needs. For example, IT staff should identify the applications and data that are candidates for deployment, then assess the benefits and risks associated with those deployments.
This assessment should include identification of all requirements pertaining to the cloud deployments for these applications and data. A solution that contains many benefits but does not meet basic requirements is not going to be successful. After evaluating the possible options and considering the costs involved with each option — both direct (for example, usage charges) and indirect (such as the cost of a potential data breach) — the next step is to build out a deployment plan.
When planning a cloud deployment and management activities, organizations need to address SPIL: security, performance, integration and legal requirements. Each of these concerns has a significant effect on optimizing operations to make a cloud work, both operationally and financially. Omitting any of the SPIL requirements from consideration makes the cloud implementation less likely to succeed.
It is critical to figure out what kind of data may be put in the cloud. Highly sensitive data, such as financial or medical records, requires planning for an entirely different level of security. Such data may even need to reside in a particular type of cloud to reduce risk. If the data is publicly available information for which confidentiality is irrelevant, security requirements may be minimal, focused on assuring the integrity and availability of the data.
Another potential issue affecting security controls is compliance. Any enterprise may be required to meet certain sets of security requirements, regardless of the sensitivity of the data. These are generally considered minimum requirements, and organizations are encouraged to perform their own risk assessments and exceed the requirements as needed to safeguard sensitive data.
On the other hand, some cloud providers support particular compliance initiatives, including the Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS) and the Federal Information Security Management Act (FISMA), and will take responsibility for safeguarding the organization’s data in support of one or more compliance initiatives. This can provide an economical way to use the cloud while maintaining compliance with these initiatives.
An IT department should also consider what kind of applications the organization may put into the cloud. Is it a database-heavy custom web application or a standard office productivity suite? There’s a huge difference in how IT staff would architect these solutions in terms of ensuring their performance. For example, IT administrators might find that it is more cost-effective to run certain applications in-house, potentially from a private cloud located onsite, instead of migrating them to a remote cloud location.
One way to find out how solutions should be architected for performance is to launch a pilot and measure the application’s behavior under real-world conditions. However, this is not always feasible, such as when the pilot itself would take a massive effort — perhaps 90 percent of the work for a full deployment. Fortunately, experts on cloud-based application performance can conduct an assessment of a planned cloud deployment and point out the likely shortcomings in its expected performance under typical and peak conditions.
If an application cannot be fully virtualized, it’s not a good candidate for cloud deployment, although this situation is rare. Much more common is that organizations will deploy different apps in different clouds, such as software-as-a-service applications that are provided by different third parties. Planning for integration is critically important for getting these disparate applications to work together seamlessly.
Enterprises seeking to integrate cloud applications with each other or with noncloud applications should pay particular attention to the application programming interfaces (APIs) that the applications make available. These APIs can provide a simple and inexpensive way to connect application services and data to each other. Third-party integration experts can also help IT staff understand how disparate applications can be integrated.
Enterprises need to be cognizant of all the legal requirements that they and their cloud implementations may be subject to. Whenever sensitive information is migrated to a third-party cloud solution, there are inevitably questions about responsibility. If a security breach occurs, who is responsible for paying for the damage it causes and the recovery actions that are needed?
For example, an organization may ask a cloud provider to sign a HIPAA business associate agreement (BAA) for medical records, stating that if the cloud provider loses medical data or is out of compliance, then the cloud provider will be considered liable on behalf of the organization.
This brings up the issue of compliance. Different types of data are subject to different compliance initiatives, such as HIPAA, PCI DSS and the Sarbanes–Oxley Act (SOX). Often migration to the cloud, particularly a public cloud, raises issues regarding compliance.
For example, it may not be possible for an organization to achieve compliance with a particular initiative if it is allowing the cloud service provider to hold secret or private encryption keys on its behalf. Another common concern is having full audit records of cloud-based activity to be used to demonstrate compliance with major initiatives.
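To make the key-custody and audit-record concerns concrete, the following is an added example (not code from the original article or from CDW): the organization encrypts each record with a key it generates and keeps on-premises, so the provider only ever stores ciphertext, and every access is appended to a hash-chained audit log whose tampering can be detected later. The record identifier, key size and log format are assumptions chosen for illustration; the sample record is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// StoredObject is what the cloud provider receives: a nonce and AES-GCM
// ciphertext (with its authentication tag). The key never leaves the organization.
type StoredObject struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewOrgKey generates a 256-bit key that stays under the organization's control.
func NewOrgKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// EncryptForCloud seals a record client-side before upload. The additional data
// (e.g. the object path) is authenticated but not encrypted, binding the blob to its name.
func EncryptForCloud(key, plaintext, aad []byte) (StoredObject, error) {
	if len(key) != 32 {
		return StoredObject{}, errors.New("organization key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return StoredObject{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return StoredObject{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredObject{}, err
	}
	return StoredObject{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, aad)}, nil
}

// DecryptFromCloud opens a blob retrieved from the provider; a wrong key, a
// modified ciphertext or a mismatched path all fail authentication.
func DecryptFromCloud(key []byte, obj StoredObject, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, obj.Nonce, obj.Ciphertext, aad)
}

// AuditEntry records one action on a cloud object; Hash covers the entry and
// the previous entry's hash, so the log forms a chain.
type AuditEntry struct {
	Seq      int
	Action   string
	ObjectID string
	PrevHash string
	Hash     string
}

type AuditLog struct{ Entries []AuditEntry }

func entryHash(e AuditEntry) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%d|%s|%s|%s", e.Seq, e.Action, e.ObjectID, e.PrevHash)))
	return hex.EncodeToString(sum[:])
}

// Append adds a chained entry; the organization retains this log for compliance evidence.
func (l *AuditLog) Append(action, objectID string) AuditEntry {
	prev := ""
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash
	}
	e := AuditEntry{Seq: len(l.Entries), Action: action, ObjectID: objectID, PrevHash: prev}
	e.Hash = entryHash(e)
	l.Entries = append(l.Entries, e)
	return e
}

// Verify walks the chain and reports whether any entry was altered or removed.
func (l *AuditLog) Verify() bool {
	prev := ""
	for i, e := range l.Entries {
		if e.Seq != i || e.PrevHash != prev || entryHash(e) != e.Hash {
			return false
		}
		prev = e.Hash
	}
	return true
}

func main() {
	key, _ := NewOrgKey() // constructed: in practice loaded from an on-premises key store
	path := []byte("records/patient-42") // assumed object path used as authenticated data
	var log AuditLog
	obj, _ := EncryptForCloud(key, []byte("dob=1970-01-01"), path) // constructed sample record
	log.Append("put", string(path))
	pt, err := DecryptFromCloud(key, obj, path)
	log.Append("get", string(path))
	fmt.Printf("decrypted=%q err=%v audit_ok=%v\n", pt, err, log.Verify())
}
```

The provider holds only `StoredObject` values and cannot read them without the organization's key, which is the custody boundary the compliance question turns on; the chained log gives the organization its own audit record independent of whatever the provider logs.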
Any enterprise considering cloud migration must first identify all compliance initiatives with which it must comply and determine what data is subject to those initiatives. This may steer an organization away from placing certain types of data in the cloud because of concerns regarding compliance requirements.
Want to learn more? Check out CDW’s Tech Insights App on Cloud Computing.