Tag Archives: Cloud Service Providers

Cloud Information Assurance must address the whole risk picture

Seeing the Whole Risk Picture

PWC Risk assurance partner Dean Simone.

Prepare for what’s around the corner.

Anticipate and deal with risks that are unknown.

How can we build trust in the cloud to drive business growth?

Extract from a report co-authored by Jan Schreuder, PWC Partner

“When adopting Cloud Services PWC clients often ask:

  • What are the risks associated with Cloud Computing and how do we manage them?
  • How will cloud computing impact our regulatory and compliance requirements?
  • How do we maintain control and oversight over the cloud environment?
  • Is moving to a cloud computing environment cost effective?
  • How will cloud computing impact on business continuity and disaster recovery planning?

PWC Cloud Assurance can help clients:

  • Assess and manage the technical, operational, financial, legal, regulatory, tax risks and opportunities associated with cloud adoption.
  • Design and review the project framework to transition services to the cloud.
  • Analyse the business case and costs to ensure business benefits are realistic and achievable.
  • Design and review security and controls before, during, and after the move to the cloud.
  • Design and review business continuity and disaster recovery procedures for cloud services.
  • Provide third party assurance over cloud service providers’ control environment.”

Information Assurance in the Cloud

Alan Calder, CEO of IT Governance Ltd

Three minutes into this video clip Alan looks at risk in the cloud.

03:39 One way of looking at Risk in the Cloud is to look at where risk ownership lives.

03:55 – Where security and compliance are concerned, there is a balance, with responsibility shared between the Cloud Service Provider and the User. Risk, however, is all with the user of the Cloud service.

The nature of the cloud is that you can take and use what you want to, but it is your risk, your information, your business, your service.

04:40 – Trust Boundaries in the Cloud shift depending on usage, e.g. IaaS or SaaS

09:15 – Cloud Controls Matrix

LINK to download the Cloud Security Alliance – Cloud Controls Matrix

11:45 Understand Cloud Security

Steve Wozniak, interviewed by a French press agency earlier this week, confessed to the audience that he worries about the insecurity of Apple’s famed iCloud.

“I really worry about everything going to the cloud,” said Wozniak. “I think it’s going to be horrendous. I think there are going to be a lot of horrible problems in the next five years.”

iCloud essentially acts as a remote server responsible for synching computing devices. In other words, if a user sends information to one cloud-connected device, the cloud will intercept the information and send it to every other device connected to the cloud space.

“With the cloud, you don’t own anything. You already signed it away,” said Wozniak. “The more we transfer everything onto the web, onto the cloud, the less we’re going to have control over it.”

Matt Honan – How Apple and Amazon Security Flaws Led to My Epic Hacking

“My experience leads me to believe that cloud-based systems need fundamentally different security measures. Password-based security mechanisms — which can be cracked, reset, and socially engineered — no longer suffice in the era of cloud computing.” LINK to Wired article.

Steve Wozniak and Matt Honan have both spoken out about the risk of Cloud Service users losing their content stored in the cloud. Security controls require strengthening to protect access to cloud-based personal information.

Alan Calder mentioned that SAS 70 has been replaced by Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization.

In addition, Joe Panettieri has written about how SSAE 16 Audits Gain Momentum With Cloud Data Center Providers. LINK

Cloud Service Providers are also keen to achieve accreditation to SSAE 16. One example is CloudLock, a cloud data security company, which completed its SSAE 16 SOC 1 Audit in May.

Cloud Information Assurance, for me, is applying the Cloud Controls Matrix to build the end-to-end service model that differentiates between who has ownership for service assets.

It is also about having clear Trust Boundaries in the cloud, with crystal clear commercial and contractual responsibilities for service risk.

The Cloud Computing Model with Hyper Hybrid [Connected] Clouds, Cloud Service Providers, Cloud Service Brokers and Cloud Service Users is still in its infancy.

As such, nobody in the end-to-end service chain has an understanding of the whole risk picture, but the colour palette is emerging.


IDC launch a Cloud Decision Framework Tool

IT Leaders are struggling with the role and application of Cloud Computing.

Explore the topic of IT Cloud Decision Economics.

IDC has developed a new Cloud Decision Tool.

Access to the Tool is provided on a complimentary basis.

“IDC’s new Cloud Decision Economics tool, the Cloud Decision Framework Tool helps inform those seeking insights into the application and workload hosting strategies, analyzes private vs. public options and more.

Worldwide public IT cloud services spending is forecast to surpass $55 billion in 2014. Yet IT leaders continue to struggle with quantifying the operational, organizational, and financial implications of their application hosting and platform decisions.

To help IT decision makers to better understand their options and the associated implications as they move various enterprise workloads to the cloud, International Data Corporation has developed a new Cloud Decision Framework Tool.”

“This tool was carefully designed to help guide IT managers in their decisions around on-premise, private and public cloud computing options,” said Joe Pucciarelli, vice president, Technology Financial & Executive Strategies at IDC. “The painstaking evaluation struggles that once plagued the cloud decision-making process have been all but eliminated as the Cloud Decision Framework Tool does all the heavy lifting.”

IDC’s Cloud Decision Framework Tool Helps IT Managers:

  • Become more agile in the cloud decision making process
  • Understand and take advantage of the profound technology, platform, staffing, and economic opportunities that will shape IT strategies in the coming years
  • Identify customer priorities for IT cloud system management software investments
  • Align business/IT governance around a specific cloud vision
  • Restructure IT purchasing and sourcing approaches
  • Evaluate overall cloud goals

“The Cloud Decision Framework Tool allows you to decompose a very complex business decision by breaking it down into its key components. A CIO can use the tool to collaborate with the rest of the executive team and get them on board with moving to a cloud,” commented Allyn McGillicaddy, Principal, Office of the CIO.com

IDC should be congratulated for creating a tool that will help inform IT Leadership in the development of their cloud adoption approach.

The design principles and selection criteria support the decision-making process by providing a fact-based report against three dimensions – Organization, Operations and Business.

By making the tool complimentary, IDC has made it possible for IT Leaders to “open the kimono” of external Service Providers and also to see through the solution vendors’ inflated claims.

The Cloud Decision Framework will force the Cloud Brokers and Cloud Service Providers to demonstrate how they score / rate against a standard set of publicly available criteria.

So the time has arrived for the Cloud Ecosystem partners to stop being masters of spin and specify exactly how they will deliver speed to value.

My 24th June post was on the subject of Cloud Economics.

