That #Cloud Thing

1817

We live in the age of economic downturn, placing both the Private and Public Sectors in a very tight financial corner. This same economic downturn has been driving Commercial, and Government leaders to seek out opportunities to reduce spend, to balance the organisational books a little closer to the black side of the accounting scale. It is for these reasons that the buzz word in over the last years has been that of Cloud.

So what is this new revolution we refer to as Cloud? And what are its potentials to support the Business Mission in both Public, and Private Sectors? Furthermore, is it all positives, or do some challenges exist, which need to be understood prior to embracing this style of operability? To answer these questions, and to consider the opportunities accommodated by Cloud, we must first look back to history to appreciate where the current day Cloud came from – enter Cloud Mk1.

The last decade has seen organisations leveraging the potentials of the Cloud Mk1 – AKA Outsourcing, with businesses engagements moving all, or part operations into the hands of third party providers residing both on, and offshore. Examples of such service providers are, SunguardTCSPatniWipro, and Genpact to name but a few. The services offered by these organisations can range from full, or part hosting, system, and application support, through to specialist software development; or high end quality backup services such as those offered by Veeam Software. Here such opportunities as these which would seem to be endless. But why was the Mk1 offering so popular, opposed to the associated fear of entering into the Cloud Mk2 and the debate relative to its CloudSourcing opportunities?

One noticeable benefit of the specialist Mk1 variant was the provisioning of highly trained, specialist operational staff, interfaced to technologically advanced environments able to provision leading edge support. As a real world example, one Financial Sector organisation leveraged the Mk1 opportunities, associated skills, and capabilities of an Offshore provider to support their financial platforms, and applications, with the clear operational objectives to increased efficacies, enhanced  levels of quality assurance, and of course, to realise financial reductions.

Enter Outsourcing Mk2, AKA CloudSourcing. Let us consider what this channel of Service Provider can bring to the table of the Commercial, and Government enterprise, and attempt to reveal its opportunities and benefits. First of all it is important to appreciate that, when compared against the offerings of its grown up, and well used sibling – Outsourcing, by compassion Cloud is on steroids, enabling it to deliver a) Flexibilityb) Operational Efficiency, aligned with, c) Robustness of Service, d) Sustainability, e) Assured Service Levels, and of course that very important element, F) SECURITY, not to mention the opportunities to reduce running costs. So let us dig a little deeper with articulation in the following areas:

  • Flexibility: Cloud offers meteredopportunities to increase, or reduce the technological resource requirements to sustain optimised delivery of service, as and when needed. For example, increasing the number of processors, or memory allocation on demand to support the time based operational mission.
  • Operational efficiency: Cloud Providers are in business to deliver high end, maintained, tuned, and leveraged technological systems, and infrastructures which support optimisation.
  • Robustness: As with the aspect of delivering efficiencies, Cloud Providers are also well positioned to provision underpin of technical robustness, ensuring that the established expectations of the SLA are be delivered to meet the contracted uptime obligation(s).
  • Sustainability: CredibleCloud Providers are in it to win it. Thus they have invested significant sums to provision the accommodation, systems, and infrastructure(s) to provision robust planned levels of sustainability to support their client base with a long term service delivery chain.
  • Service Levels: It has been said, you get what you pay for, and nothing could be truer of the provisioning of Cloud. The key to success here is prior establishment of clear operational requirements to underpin the business mission. This followed by engagement with a partnerwho is capable of supporting the expectations of the operational delivery and service support.
  • Partnership:Any engagement with a Third Party who will support organisational services, storing and possibly processing organisational business assets (e.g. Information) will play an important role in any mission. It is therefore important that such Providers are considered Partners engaged with supporting the Extended Perimeter of Operations (EPO) residing within the Cloud.
  • Protective Marking:For the Public Sector, an area of absolute importance for any Government engagement will be a) The appropriateness of CloudSourcing for the particular Protectively Marked information asset, and b) Consideration of any additional Special Handling, or Caveat requirements applied to the information asset, and of course paying attention not to fall under the gaze of the US Patriot Act
  • Asset Registers:critical key-point of a potentially successful mission is to underpin the migration into the Cloud based on an Asset Register. Based upon robust Departmental knowledge of what has been exported, linked to a comprehensively maintained Asset Register will represent key instruments to underpin the longer term partnership.
  • SECURITY: And last, but by no means least, the SECURITY element of the partnership should be set as a High Priority, and placed under close scrutiny and management. Whilst anyorganisation, or business can outsource all, or part of their operational services, SECURITY is one important aspect of the EPO element, which should be plugged into the organisational support model, Incident Management, Reporting, Alerting, and SECURITY Service Level Management.

The most important element of any selection process will be that of the Due Diligence activity, focused, and scoped to assess the individual providers operational attributes, and profile, to assure as far as is practicable, a high level of assurance is in place for the longer term obligated partnership. Here the consideration should take account the points tabulated above, but will also need to encompass such evaluations criteria as to the type of components being utilised to support the future engagement. For example, will the provision of service be built on PhysicalVirtualised, Shared or Dedicated, platforms? Will the deployment reside within its own departmental logical environment; or will it be shared by another department, or organisation in a Public Cloud? All of which are but a selection of questions which need to be factored into any robust activity examining the requirements of the provider.

Of course for Government agencies and commercials providing services to the Public Sector who are considering utilisation Cloud based solution, a fundamental key area will be the directions of the Hannigan Report, circa 2008. The report gives guidance and direction as to expectations of data handling within the Public Sector, and here this is of particular relevance to the aspect of Government, entering CloudSourcing, as the requirement also encompasses any contractors, Third Parties, and of course, by inference Cloud Providers.

To maximise the level of security assurance which may be realised within a partnership, it is beneficial to deliver a security activity through alignment with some recognised Best Practices, and/or Standard(s). One valuable direction may be driven through utilisation of the ISO 27001, ISO 27002, both of which support the delivery of Best Practice, which may be used in support of a Third Party engagement. A further extension of such a Best Practice is that of the ISACA COBIT Framework, to underpin the Cloud deployment with a well-rounded set of cross-domain controls.

In a nutshell, to engage Cloud on a formalised route can produce maximized benefits ranging through Financial to Security (yes security). And can, and have been proven to provision a level of technical competence way beyond that which may exist inter-organisation – so get it right and you are on a path to achieve win-win all round. However, please also keep in mind some recent bad examples of the dark side of service provisioned third party service. For example, Lincolnshire County Council (LCC) who have suffered at the hands of Third Party suppler over a period of one year, and this does tend to underpin the importance of selecting a competent provider who can provision an effective and robust service. Yes, get it right and it is a win-win – get it wrong, and as with some examples you may find you are in the middle of a nightmare scenario in which you may be stuck.

About Professor John Walker
john_walkerVisiting Professor at the School of Science and Technology at Nottingham Trent University (NTU), Visiting Professor/Lecturer at the University of Slavonia [to 2015], Independent Consultant, Practicing Expert Witness, ENISA CEI Listed Expert, Editorial Member of the Cyber Security Research Institute (CRSI), Fellow of the British Computer Society (BCS), Fellow of the Royal Society of the Arts (RSA), Board Advisor to the Digital Trust, Writer for SC Magazine UK, Originator of DarkWeb Threat Intelligence, CSIRT, Attack Remediation and Cyber Training Service/Platform, Accreditation Assessor and Academic Practitioner and Accredited Advisor to the Chartered Society of Forensic Sciences in the area of Digital/Cyber Forensics.
Twitter: @SBLTD 
John Walker is also our Expert Panel member.  To find out more about our panel members visit the biographies page.
In this article