Creating a Cloud Assurance Framework

Cloud adoption is increasing at a rapid rate across the globe as organisations require the ability to deliver agile, mobile, feature-rich and scalable digital services cost effectively to customers not possible through traditional ICT environments.

However, the increasing use of cloud has escalated the concerns around security and privacy given the possibility that data can be compromised. This is exacerbated by the speed at which news, particularly if it is bad, travels across national and international boundaries and the greater scrutiny cloud providers are faced with due to their public presence.

To counter this there has been an increase in regulations and controls being implemented to ensure that organisations can demonstrate governance around cloud use. Organisations need to do more than meet these compliance regulations and build a comprehensive Cloud Adoption Framework.

A strategic and logical cloud assurance framework can provide senior ICT and business leaders with the confidence that cloud assurance has been undertaken.

The Cloud Assurance Framework shown above includes four main areas – security, protection, privacy, and control. The Information Security, Cloud, Risk and Vendor assessment tools provide senior leaders and business and ICT owners with the additional assurance that the requirements of the organisation and the regulatory compliance have been met. Once developed and agreed to these tools can provide a repeatable and effective assessment methodology that can be used when negotiating contractual arrangements and undertaking cloud migration.

Security is one of the primary risk factors that organisations have when moving data to the cloud. As an Enterprise Architect, I often see security architecture as the missing link in the Enterprise Architecture Framework where too much reliance is placed on the application and technology domains. The link between the business and information and data layers with the security layer is paramount when undertaking cloud migrations. Security risk posed by the location of data and how the data is accessed is often overlooked but needs to be a mandatory assessment consideration. Other risks identified by senior management need to be documented and appropriate mitigations established so they are deemed to be acceptable risks. These risks can be categorised under the subject headings of compliance, strategic, operational and market, and finance.

Privacy concerns are real and it is necessary to ensure that information assets are classified to determine if there is any confidential, personal, sensitive or regulated data. Privacy Impact Assessments are necessary when personal information about individuals can be identified and these assessments can assist in the cloud decision-making process.

One of the main aspects to Cloud computing is the loss of control that the cloud consumer has compared to more traditional implementations and that is at the highest level with SaaS applications. Control and compliance is particularly important and well developed assessment tools can be used to ask all the right questions to ensure data and workload is protected in the cloud. Vendor assessment tools allow the organisation to do the necessary due diligence.

The level of Control that can be applied to your information in the Cloud and the protection required will depend on the cloud delivery model and deployment model. For instance, there will be more control available under an IaaS private cloud arrangement than a SaaS public cloud offering. This is where the information classification is important as it is logically acceptable to have data classified as public stored in the public cloud but not acceptable for any national and non-national security data to be in the public cloud.

In the government environment, it can become difficult to satisfy customers, auditors and regulators that sensitive data and mission-critical services are sufficiently controlled in a multi-tenanted public cloud environment. The information security classification of the data is the key first step as it can guide the decision-making process in the development or procurement of an application. Organisations need to make sure the correct protection controls are in place to protect their data relative to the information security classification determined. For government documents, protective markers can be used to determine the level of protection required in the use and transfer of information.

The emerging role of Digital Service Providers (DSPs) will continue to place cloud as a vital enabling technology. Organisations will be better placed if they have a robust cloud assurance framework that provides senior management the confidence in migrating to the cloud.

Hear from Nigel Schmalkuche at Akolade's Australian Government Cloud Summit as he shares his insights on mitigating security risks by developing a cloud assurance framework.

 Guest Blog Written By: Nigel Schmalkuche

Nigel manages the Enterprise Architecture, ICT and Digital Strategy program and planning activities at the Department of Housing and Public Works Queensland. The role is critical in providing strategic direction to the department on ICT and the management of an Enterprise Architecture program that leads to effective governance and innovative service delivery.