Cloud Computing Today
Since Corix Partners started to look at cyber security in the Cloud, its adoption has continued to grow. This is not only attributable to the continued pressure on cost but more importantly due to the realisation that the Cloud can offer greater flexibility and potential reduction in the “time to market”.
Consequently, many organisations have moved some of their services to the Cloud – most noticeably office automation to Microsoft Office 365 or Google Apps for Work. The Harvey Nash / KPMG CIO Survey 2016 “The Creative CIO”, highlighted that four in ten IT leaders use cloud technology to improve responsiveness as well as resiliency.
Corix Partners and Mavintree are in the process of exploring the changes relating to the Cloud and the approaches that large organisations are taking towards Cloud solutions.
Complexity of a Hybrid Model
It is unlikely that all services will be or are able to be migrated to the Cloud in the short to medium term. Some of the reasons for this are:
- Data privacy, sensitivity and residence
- Legacy applications and technologies
- Existing investment in internal technology and data centres
- Organisation reluctance to change
It may be inevitable that over time everything will migrate to the Cloud but in the meantime organisations are going to have to operate in a hybrid environment. This can be viewed as an Internal Cloud and an External Cloud which interoperate to provide a seamless service to the end users and customers.
It is highly likely that some end-to-end services will have components run both internally and hosted in the Cloud. Further, the extent of this may vary depending to the pressure of the whole service, especially if the Cloud is being used to provide extra capacity during busy periods.
For example, an e-commerce site could be sized to using internal computing resources for normal trading but during the run up to holiday periods additional capacity could be provided by deploying additional computing resources in the Cloud. The major advantages to this approach are:
- Additional computing resources can be brought online very quickly
- The organisation only pays for the time the additional computing resources are actually used
- There is better overall utilisation of the internal computing resources
- No longer a need to building additional capacity for “just in case” scenarios
Of course, this is dependent on designing the services to be able to be deployed in this manner which has not always been the case. In the majority of cases, internal IT departments are building solutions using the same technologies that the Cloud vendors are using to deliver the Cloud.
Clearly, any hybrid model is likely to me more complex from an operational perspective and will demand that the roles and responsibility of all involved are clearly defined. This is not new for any organisation that is involved in an outsourcing agreement. In well run organisations, the roles and responsibility are clearly defined in a Target Operating Model which is effective communicated to everyone. Isn’t this just good practice?
All Your Eggs in One Basket?
On the surface, there appear to be lots of Cloud vendors offering a variety of services but it is not uncommon for the smaller vendors to be leveraging the services of one of the big vendors, Amazon, Google or Microsoft. Therefore, it is key that you understand exactly who and where the Cloud services are being provided – transparency is critical!
The good news is that these major Cloud vendors have significantly matured their service offerings and all provide very good monitoring services as well as being able to hire some of the best talent available. Also, these vendors are very conscious that their reputations will be significant dented or even ruined if they do not take the delivery of high quality mission critical services seriously, including availability, integrity and confidentially.
For example, Microsoft are currently defending the rights of their European customers against the US Government as explained by Brad Smith, their President and Chief Legal Officer.
Increased Regulation around Data
In the European Union, the General Data Protection Regulation (GDPR) has been adopted and we are in a two-year transition phase until 28th May 2018 when this directive will be fully in place. GDPR has been designed to give back the control of personal data to the citizens and to simplify the regulatory environment for international business by unifying the regulation within the EU.
In particular, it addresses how data may be moved outside the EU. Therefore, it will be important to understand where your data resides even if it is in the Cloud. The major Cloud vendors are fully aware of these requirements are working towards ensuring that customers can control the location all their data resides, including resilience and backup copies. For example, Amazon S3 storage has provided the customer with the ability to define which region their data is stored in.
Exploring the way forward
In June 2016, Corix Partners and Mavintree invited a number of senior IT and Cyber Security Leaders to a roundtable event to discuss these topics. This was a very well received event in which the participants were able to have an open and wide reaching exchange of views.
Following this roundtable event, Corix Partners and Mavintree are analysing and assembling the outputs into a whitepaper and welcome any further contributions from any interested readers. The objective of the whitepaper is to provide practical advice to CIOs and other C-level executives involved in Cloud related decisions. It is planned to publish this whitepaper in September/October 2016.
Director
Corix Partners
Find out more about how your business can truly protect its future from cyber threats by contacting Corix Partners. Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and other C-level executives in resolving Security Strategy, Organisation & Governance challenges.
Mavintree are a management consultancy firm specialising in operational risk, business continuity and crisis management.