Cloud adoption is increasing at a rapid rate across the globe as organisations require the ability to deliver agile, mobile, feature-rich and scalable digital services to customers cost-effectively, in ways not possible through traditional ICT environments.
However, the increasing use of cloud has escalated concerns around security and privacy, given the possibility that data can be compromised. This is exacerbated by the speed at which news, particularly bad news, travels across national and international boundaries, and by the greater scrutiny cloud providers face due to their public presence.
To counter this there has been an increase in regulations and controls being implemented to ensure that organisations can demonstrate governance around cloud use. Organisations need to do more than meet these compliance regulations; they need to build a comprehensive Cloud Adoption Framework.
A strategic and logical cloud assurance framework can provide senior ICT and business leaders with the confidence that cloud assurance has been undertaken.
The Cloud Assurance Framework shown above includes four main areas: security, protection, privacy, and control. The Information Security, Cloud, Risk and Vendor assessment tools provide senior leaders and business and ICT owners with the additional assurance that the requirements of the organisation and of regulatory compliance have been met. Once developed and agreed to, these tools provide a repeatable and effective assessment methodology that can be used when negotiating contractual arrangements and undertaking cloud migration.
Security is one of the primary risk concerns organisations have when moving data to the cloud. As an Enterprise Architect, I often see security architecture as the missing link in the Enterprise Architecture Framework, where too much reliance is placed on the application and technology domains. The link between the business, information and data layers and the security layer is paramount when undertaking cloud migrations. The security risk posed by the location of data and by how the data is accessed is often overlooked but needs to be a mandatory assessment consideration. Other risks identified by senior management need to be documented and appropriate mitigations established so that they are deemed to be acceptable risks. These risks can be categorised under the subject headings of compliance, strategic, operational and market, and finance.
Privacy concerns are real, and it is necessary to ensure that information assets are classified to determine whether they contain any confidential, personal, sensitive or regulated data. Privacy Impact Assessments are necessary when personal information about individuals can be identified, and these assessments can assist in the cloud decision-making process.
One of the main aspects of cloud computing is the loss of control that the cloud consumer has compared to more traditional implementations, and this loss is greatest with SaaS applications. Control and compliance are particularly important, and well-developed assessment tools can be used to ask all the right questions to ensure data and workloads are protected in the cloud. Vendor assessment tools allow the organisation to do the necessary due diligence.
The level of control that can be applied to your information in the cloud, and the protection required, will depend on the cloud delivery model and deployment model. For instance, there will be more control available under an IaaS private cloud arrangement than under a SaaS public cloud offering. This is where the information classification is important: it is logically acceptable to have data classified as public stored in the public cloud, but not acceptable for any security-classified data, whether national security or non-national security classified, to be in the public cloud.
In the government environment, it can become difficult to satisfy customers, auditors and regulators that sensitive data and mission-critical services are sufficiently controlled in a multi-tenanted public cloud environment. The information security classification of the data is the key first step, as it can guide the decision-making process in the development or procurement of an application. Organisations need to make sure the correct protection controls are in place to protect their data relative to the information security classification determined. For government documents, protective markers can be used to determine the level of protection required in the use and transfer of information.
The emerging role of Digital Service Providers (DSPs) will continue to place cloud as a vital enabling technology. Organisations will be better placed if they have a robust cloud assurance framework that gives senior management confidence in migrating to the cloud.
Hear from Nigel Schmalkuche at Akolade's Australian Government Cloud Summit as he shares his insights on mitigating security risks by developing a cloud assurance framework.
Guest Blog Written By: Nigel Schmalkuche
Nigel manages the Enterprise Architecture, ICT and Digital Strategy program and planning activities at the Department of Housing and Public Works Queensland. The role is critical in providing strategic direction to the department on ICT and in managing an Enterprise Architecture program that leads to effective governance and innovative service delivery.