- 16/10/16 - Cloud security and privacy 3 step risk mitigation
- 14/07/16 - 2 step cloud risk and impact assessment
- 14/06/16 - Cloud data classification, terms and conditions
- 12/05/16 - Cloud service security and privacy in 5 steps
- 18/04/16 - 3 x 3 cloud service models and deployments
- 14/03/16 - 6 criteria to quantify cloud IT service success
- 17/02/16 - 6 questions for cloud strategy alignment
- 30/01/16 - 7 steps to create a business cloud IT strategy
Cloud security and privacy 3 step risk mitigation
Step 4 of the Astute 5 step cloud security and privacy approach identifies the security "controls" required to protect information stored and accessed in the cloud.
Security controls are processes and technologies applied by both the business and cloud service provider to mitigate the risks identified in the cloud data item risk assessment.
A three step approach is used by businesses to identify and specify cloud security controls:
1. Research, identify and specify cloud service security controls
2. For each risk identified in the cloud data item risk assessment, assign a security control from step 1 to mitigate the risk (reduce its impact and/or occurrence)
3. For risks that still have no assigned mitigation after step 2, go back to step 1
Each of the above steps is described below.
Step 1: Identify and specify the cloud service security controls
Cloud security controls are typically identified and specified by the business using each of the following control "classifications".
1.1 Standards compliance
- Identify the relevant specifications, standards, regulations and laws based on the industry (and/or geographical location) of the business. Record whether compliance with each standard is mandatory or "nice to have".
- Identify and list the standards the cloud service provider must demonstrate compliance with. Common standards include:
  - Payment Card Industry Data Security Standard (PCI DSS) - for online payments
  - ISO 27001 - the framework through which a business or cloud service provider identifies, analyses and addresses its information security risks; ISO 27017 supplements it with cloud-specific information security controls
  - Privacy principles (e.g. Australia, New Zealand, United Kingdom, International Safe Harbor Privacy Principles etc.)
1.2 Operational and physical security
- Identify all business and cloud service provider processes and policies used to ensure that information remains safe and secure. This includes (but is not limited to) building security, physical and electronic access, pre-employment checks of service provider employees, logging and recording of incidents, and storage, backup and destruction of information. Examples of practices and processes can be found in the list of ISO 27001 control objectives.
- Ensure the cloud service provider demonstrates compliance with a recognised information security management standard such as ISO 27001. Evidence of compliance can be provided by the cloud provider supplying copies of recent audits performed on the cloud service in accordance with ISAE 3402 and/or SOC 2.
1.3 Terms of service (Cloud Service Agreement)
Identify and specify the terms that should govern the relationship between the business and the cloud service provider (e.g. access and support days and hours, availability, business continuity and disaster recovery, location of services, legal jurisdiction, payments and penalties etc). Astute recommends the Cloud Council Guide to Cloud Service Agreements as a reference for identifying the terms used to govern the relationship between the business and the cloud service provider.
1.4 Mobile cloud capabilities
Identify and specify the mobile cloud capabilities to be supported by the service (e.g. types of devices supported, locations, custom device application or responsive web design, device and user security etc).
1.5 User identity and access management
Identify and specify the policies and practices that business users and customers will use to securely access the service (i.e. identity and access management). Typically this describes:
- The process (user name and password) used by employees and customers to access (authenticate to) the service
- How and where the user names and passwords are stored and then used by the cloud service
- Whether additional (or multiple) factors should be used to authenticate users
- Policies applied to the management and operation of employee and customer user names and passwords (e.g. password strength, account expiry and termination processes etc)
1.6 Information protection
Identify and specify the policies, practices and technologies applied to ensure information is not lost, inappropriately accessed, corrupted or deleted in the cloud service. Typically this includes:
- Defining the legal and regulatory conditions that apply to the collection, use, disclosure, storage of and access to the business and customer information used in the service (i.e. data sovereignty)
- Protecting the information, via encryption, as it is sent to and received from the service provider over the internet (in transit) and as it is stored (at rest) in the service
- Ensuring the business has access to backups of the information in the event the cloud service is compromised, the business cancels the service subscription or the service is suspended
- Ensuring the information and service remain available to the business via service backups, disaster recovery technologies and practices etc
- Ensuring the service (and information) is protected from internet based threats (e.g. denial of service attacks, malware and viruses etc) with technologies such as traffic screening (e.g. firewalls), denial of service defence systems (e.g. web application firewalls), intrusion detection and prevention systems and anti-virus software
1.7 Service health, status and incident management
Identify and specify the practices and technologies that allow the business to view the health and status of the service, including notification, reporting and handling of service incidents. Typically this gives the business access to:
- Service health, status and incident notifications
- Planned service outage notifications
- Incident management and reporting
Step 2: Assign security controls to mitigate the identified risks
In this step the specified security controls are selected and applied as mitigations to the risks identified in the cloud data item (risk) assessment as follows:
- Add a "Mitigations" column (column 7) to the spreadsheet
- For each risk, allocate a security control specified in step 1 (1.1 to 1.7 above) that mitigates the risk (reduces its impact and/or occurrence)
The following are examples of mitigations using specified cloud service controls; extending the spreadsheet format to include a "mitigations" column.
Note that columns 2 through 5 of the original spreadsheet are not shown and column 6 is presented with reduced content.
Step 3: Risks that have no assigned mitigations
Apply one or more of the following options to identify and specify controls for the "unmitigated" risks identified in step 2 above.
- Reassess the risk (i.e. is it still relevant to the business?)
- Identify and specify new controls (step 1) from published cloud computing guides (e.g. Cloud Standards Customer Council etc)
- Accept the risk cannot be mitigated by the cloud IT service controls; the risk is to be mitigated using business processes and practices
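The three steps above, carried through in code as an added example (not Astute's own tooling): the spreadsheet columns 1 to 7 from this and the companion classification and risk articles are modelled as a small register, step 2 assignments are validated against the step 1 catalogue, and step 3 reports the cloud-stored data items whose risks still have no control. The control references, data items and risks are constructed sample values, and the titles given to classifications 1.4, 1.6 and 1.7 are assumptions.

```python
"""Risk register for the 3 step cloud security control approach."""
from dataclasses import dataclass, field

# Step 1 control classifications. 1.1, 1.2, 1.3 and 1.5 use the article's
# titles; the titles of 1.4, 1.6 and 1.7 are paraphrased (assumption).
CONTROL_CLASSES = {
    "1.1": "Standards compliance",
    "1.2": "Operational and physical security",
    "1.3": "Terms of service",
    "1.4": "Mobile cloud capabilities",
    "1.5": "User identity and access management",
    "1.6": "Information protection",
    "1.7": "Service health, status and incident management",
}


@dataclass(frozen=True)
class Control:
    ref: str       # constructed reference such as "1.6.1" (class 1.6, item 1)
    summary: str

    @property
    def klass(self) -> str:
        return self.ref.rsplit(".", 1)[0]


@dataclass
class DataItem:
    name: str               # column 1: data item name
    purpose: str            # column 2: purpose
    category: str           # column 3: information category
    cloud_store: bool       # column 4: may the item be stored in the cloud?
    conditions: list[str]   # column 5: applicable conditions
    risks: list[str]        # column 6: risks
    # column 7: risk text -> control refs assigned in step 2
    mitigations: dict[str, list[str]] = field(default_factory=dict)


def specify_controls(controls: list[Control]) -> dict[str, Control]:
    """Step 1: build the control catalogue, rejecting unknown classifications."""
    catalogue = {}
    for c in controls:
        if c.klass not in CONTROL_CLASSES:
            raise ValueError(f"{c.ref}: {c.klass} is not one of 1.1 to 1.7")
        catalogue[c.ref] = c
    return catalogue


def assign(catalogue: dict[str, Control], item: DataItem, risk: str, *refs: str) -> None:
    """Step 2: record the catalogued controls that mitigate one of the item's risks."""
    if risk not in item.risks:
        raise KeyError(f"{item.name!r} has no risk {risk!r}")
    unknown = [r for r in refs if r not in catalogue]
    if unknown:
        raise KeyError(f"controls not specified in step 1: {unknown}")
    item.mitigations.setdefault(risk, []).extend(refs)


def unmitigated(items: list[DataItem]) -> list[tuple[str, str]]:
    """Step 3: risks of cloud-stored items that have no assigned control."""
    return [(i.name, r) for i in items if i.cloud_store
            for r in i.risks if not i.mitigations.get(r)]


def unused_classes(catalogue: dict[str, Control], items: list[DataItem]) -> list[str]:
    """Classifications no assigned control falls under: where to look on returning to step 1."""
    used = {catalogue[ref].klass for i in items
            for refs in i.mitigations.values() for ref in refs}
    return sorted(set(CONTROL_CLASSES) - used)


def run_example() -> tuple[list[tuple[str, str]], list[str]]:
    # Constructed sample register, not taken from the article's spreadsheet.
    catalogue = specify_controls([
        Control("1.1.1", "Provider demonstrates PCI DSS compliance"),
        Control("1.5.1", "Multi-factor authentication for all users"),
        Control("1.6.1", "Encryption in transit and at rest"),
        Control("1.6.2", "Business holds copies of service backups"),
        Control("1.7.1", "Incident notifications to the business"),
    ])
    email = DataItem("Customer email address", "Order notifications", "Personal", True,
                     ["Privacy principles"],
                     ["Data item becomes public and widely distributed",
                      "Cloud service employee inappropriately accesses the item"])
    card = DataItem("Payment card number", "Online payments", "Confidential", True,
                    ["PCI DSS"],
                    ["Data item values unexpectedly changed",
                     "Data item or service unavailable for a period of time"])
    assign(catalogue, email, email.risks[0], "1.6.1")
    assign(catalogue, email, email.risks[1], "1.5.1", "1.7.1")
    assign(catalogue, card, card.risks[0], "1.1.1", "1.6.1")
    # card.risks[1] is deliberately left without a control to exercise step 3.
    items = [email, card]
    return unmitigated(items), unused_classes(catalogue, items)


if __name__ == "__main__":
    gaps, classes = run_example()
    for name, risk in gaps:
        print(f"step 3: {name!r} - {risk!r} has no assigned mitigation")
    print("classifications with no control assigned yet:", classes)
```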
Astute's consultancy services are used by businesses to identify and specify security controls for information stored in the cloud. Simply contact Astute or take advantage of our free and no-obligation quotation to discuss security controls for your business cloud services.
In our next article Astute will describe how businesses use the controls developed above to evaluate potential cloud service provider offerings; the 5th (and final) step of the Astute cloud security and privacy approach.
2 step cloud risk and impact assessment
The third step in the five step security and privacy approach is to identify business risks and impacts of storing and using information in the cloud.
Risk management is the process of identifying and defining the (business) risks and impacts of failing to keep information stored in the cloud secure and private.
Businesses can either develop custom risk management processes or select (and use) published cloud risk assessment templates and frameworks including:
- European Network and Information Security Agency (ENISA) benefits, risks and recommendations for information security
- Cloud Security Alliance (CSA) document, Security Guidance for Critical Areas of Focus in Cloud Computing. Astute recommends this approach for businesses who do not have a risk management process.
- The ISO/IEC 27002:2005 code of practice for information security management.
Astute recommends extending the spreadsheet created in our cloud data classification article by adding a "Risk" column (column 6) to capture the risks of storing data items in the cloud.
Step 1. In the "Risk" column describe the harm or damage (e.g. reputation, financial, legal etc) to the business and its customers if any of the following scenarios apply:
- There was a breach of the classification and conditions associated with the data item
- The data item became public and was widely distributed
- A cloud service employee inappropriately accessed and shared the data item
- Business operations were inappropriately manipulated by an outsider (as a result of access to the data item)
- Business operations, products or services failed to provide expected results (as a result of a breach)
- The data item values were unexpectedly changed (as a result of a breach)
- The data item or service supporting the item were unavailable for a period of time (as a result of a breach)
Step 2. Review published cloud risk references and articles; incorporate relevant risks and impacts in the "Risk" column.
Examples of published cloud risks include:
- OWASP cloud top 10 security risks
- Cloud Security Alliance top security threats
- ENISA cloud computing risks and assessment
The following are examples of data item risks using the extended spreadsheet format - "Risk" column 6. Note that spreadsheet columns 2 through 4 are not shown.
In our next article Astute will describe how businesses mitigate risks by identifying and specifying "controls" (step 3 of 5) applied to the use and access of information stored in the cloud as part of the cloud security and privacy approach.
Cloud data classification, terms and conditions
In this article Astute describes the first 2 steps of the 5 step approach businesses apply to assure themselves that information stored in the cloud remains secure and private.
Step 1. Identify, define and classify the information
Classify the information stored in the cloud by applying the "what business information can be stored and managed in the cloud" approach; capture the information classification outcomes in a spreadsheet format as follows:
- Column 1 - "Data Item Name". List all the data items used in the service by name.
- Column 2 - "Purpose". Define the purpose or reason for the collection and use of the data in the service.
- Column 3 - "Information Category". Select a classification for the data from the ISO 27001 classification policy template.
- Column 4 - "Cloud Store". Using detail captured in columns 2 and 3 define if the data item can, or cannot, be stored in the cloud.
Below is an example of service data item classification using the spreadsheet format above.
Step 2. Identify applicable conditions
Add an "Applicable conditions" column (column 5) to the spreadsheet developed in Step 1. For each data item listed in step 1 select and assign the following:
- Applicable in-country legal and regulatory conditions. To locate these, Astute recommends Google searches on terms like "regulatory authorities" and "regulatory agencies".
- Applicable privacy guidelines and principles (i.e. to address information privacy concerns). Examples:
Below is an example of service data applicable conditions using the spreadsheet format above.
In our next article Astute will identify and describe the activities used to identify and define risks and impacts to the business (step 3 of 5) as part of the cloud security and privacy approach.
Cloud service security and privacy in 5 steps
The security and privacy section of the Astute cloud IT services strategy describes an approach to ensure that information stored (by the business) in the cloud remains safe, secure and private.
Astute's approach to cloud security and privacy is based on the business accepting responsibility and accountability for ensuring customer and business information stored in the cloud is safe, secure and private.
A responsible and accountable approach to cloud security and privacy helps a business to:
- Understand the nature and purpose of the information used in the service.
- Identify the risks (to the business) in managing the information used in the service.
- Identify and specify technologies and processes that should be used by cloud service providers.
- Assess cloud service provider offerings (ultimately selecting a cloud service).
The following five step approach is used by businesses to ensure information stored in the cloud is safe, secure and private:
- Identify, define and classify all the information that can (and cannot) be stored in the cloud service.
- Identify the legal and regulatory conditions that apply to the collection and use of information used by the cloud service, especially personal information.
- Identify risks and impacts to the business when failing to keep the information stored in the cloud secure and private.
- Mitigate business risks and impacts (step 3) by identifying and specifying "controls", processes and technologies, to be applied to the use and access of information stored in the cloud.
- Evaluate potential cloud service offerings by verifying the cloud provider implements equivalent controls (step 4) to mitigate the business risks and impacts (step 3).
In our next article Astute will describe, in detail, approaches and processes applied by the business to each of the steps above; delivering the outcomes and business benefits of a cloud security responsible and accountable approach.
3 x 3 cloud service models and deployments
The "types of services" section of the Astute cloud IT services strategy is used to identify and select a cloud IT service model and deployment type.
There are 3 common cloud IT service models available to business:
- Infrastructure as a Service (IaaS). Provides access to networking features, computers (virtual or on dedicated hardware) and file storage space; appeals to businesses that want to extend infrastructure capacity without spending capital.
- Platform as a Service (PaaS). Used to develop, host and operate applications; removes the need for the business to manage the underlying infrastructure (usually hardware and operating systems) so it can focus on the development and management of the application.
- Software as a Service (SaaS). Provides access to applications that are developed and managed by a (cloud) service provider. The business does not have to develop applications or manage infrastructure.
There are also 3 common cloud deployment options for each of the above cloud service models:
- Private cloud. Used by business to deploy infrastructure and applications on-premises or in dedicated data centers that provide internet accessible services to customers and employees. Private cloud deployments typically use server virtualisation technology as well as resource and performance management tools.
- Hybrid. Used by business to connect infrastructure and applications between public cloud services and on-premises (or private cloud) infrastructure and applications.
- Public cloud or (just) cloud. No business owned or deployed infrastructure or applications; service configured, operated and managed by a third-party provider.
Cloud models and deployment types are then combined to deliver different types of services. E.g:
- Cloud SaaS for document storage (e.g. Google Drive, Dropbox, Microsoft One Drive etc)
- Cloud SaaS for office documents (e.g. Google Docs, Microsoft Office 365 etc)
- Hybrid SaaS for enterprise solutions (e.g. SAP Human Resources integrated with on-premises MS Active Directory, which ensures users log in to the SAP application using business allocated user names and passwords)
- Private cloud for business information backup and archiving (e.g. backup and archive of Cloud SaaS information)
The table below is used to select cloud IT service model and deployment type based on the business capability and environment.
The cloud deployment type and model, once selected, are factored into the cloud IT service cost component of the success criteria section of the business cloud IT strategy.
In our next article Astute will describe how to develop and create content for the security and privacy section of a business cloud IT strategy.
6 criteria to quantify cloud IT service success
The success criteria section of the Astute cloud IT services strategy identifies the processes and data used to determine the success (or failure) of a cloud service.
The criteria used to determine cloud IT service success are based on quantifying how the service:
- Supports and improves customer acquisition, experience and satisfaction
- Supports and improves employee experience and satisfaction
- Delivers operational efficiencies to the business.
- Enhances the business products and service.
- Operates within the allocated financial budget.
- Is retained or cancelled.
To quantify cloud IT service success the business first estimates and then regularly (e.g. monthly) collects service data using the above (six) criteria.
Financial benefits (or losses) are calculated for each of the criteria above. A negative result indicates a loss, a positive result indicates a benefit.
To ensure financial benefits or losses are reported accurately, carry the sign (negative or positive) of each result through all subsequent calculations.
The data collected and the calculations used, per criterion, to quantify the success (or failure) of the cloud IT service are described as follows.
1. Customer acquisition, experience and satisfaction. Collect, measure and report on the following customer data before and after the introduction of the cloud service:
  a. Number of customers
  b. Average income (to the business) per customer
  c. Customers acquired
  d. Customers lost
  e. Customer retention benefit or loss. I.e. subtract the customers lost (d.) from the customers acquired (c.) and multiply the result by the average income (b.) per customer.
  f. Customer satisfaction survey results (i.e. do customers feel better or worse off as a result of using the IT cloud service?)
2. Employee experience and satisfaction. Collect, measure and report on the following employee data before and after the introduction of the cloud service:
  a. The number of employees using the service.
  b. The number of employees (using the service) that find the service easy to use (i.e. are satisfied with the service).
  c. Overall employee satisfaction with the service (e.g. 7 out of 10 employees using the service find it easy to use; satisfaction of 70%).
  d. Employee identified problems or issues that need to be resolved to improve the use of the service.
  e. Estimated costs (time and materials) to rectify employee identified problems or issues with the service.
3. Operational improvements and efficiencies. Collect, measure and report on the following operational data before and after the introduction of the cloud service:
  a. Operational improvements or efficiencies identified as a result of introducing the service (e.g. improvements in on-boarding new employees, reduced operating costs).
  b. Savings (time and materials) to the business as a result of the operational improvements or efficiencies.
  c. Problems and inefficiencies identified as a result of using the service.
  d. Operational changes required to remedy the identified problems and issues.
  e. Costs (time and materials) of implementing the operational changes to remedy the identified problems and issues.
  f. Overall operational benefit or cost of the service (i.e. subtract the costs identified in e. from the savings identified in b.).
  g. Risk position. How risks to the business have been addressed by the use of the service. E.g. improved customer and business security, information backup and retrieval, enhanced ability to deliver mobile access to services etc.
4. Business product (including services) enhancements. Collect, measure and report on the following business product data before and after the introduction of the cloud service:
  a. Operational improvements or efficiencies in the delivery and support of the business products (e.g. improvements in configuring and adding new customers to the product and service).
  b. Savings (time and materials) in the delivery and support of the business products.
  c. Number of support calls and complaints.
  d. Number of support calls and complaints specifically regarding the cloud service.
  e. Costs (time and effort) of managing and resolving support calls and complaints specifically regarding the cloud service.
  f. Overall business products and service benefit or cost (subtract the costs identified in e. from the savings identified in b.).
5. Service operating budget. Using the charges and data collected above, determine the financial viability of the cloud IT service (for the specified period) as follows:
  a. Estimated (budgeted) costs of the cloud IT service.
  b. The actual cost of the cloud IT service (i.e. including any additional data, storage or usage fees).
  c. Cloud IT service benefit or cost (subtract the actual costs in b. from the estimated costs in a.).
  d. Customer retention benefit or loss (from 1e above).
  e. Costs to rectify employee identified problems (2e above).
  f. Operational benefit or cost of the service (3f above).
  g. Business product benefit or cost (4f above).
  h. Overall financial benefit or cost of the cloud IT service (add c. to g. above). Remember a positive value is a benefit, a negative value is a cost.
6. Retain or cancel the service. Consider what has been collected and calculated, i.e.:
  a. Customer satisfaction (1f, 4c and 4d above).
  b. Employee satisfaction (2c above).
  c. Business risk position (3g above).
  d. Financial benefit or cost of the cloud IT service (5h above).
The results collected from criteria 6 above are "weighted" by the business and used in the decision to retain or cancel the cloud IT service.
E.g: Criteria used to retain the service could be:
- Customer satisfaction is at the same rate (as the previous period) or better and
- Employee satisfaction is at the same rate or better and
- Business risk position is the same (i.e. has not got worse) or better and
- There is a financial benefit - or the cost of the service is acceptable - to the business.
It is important to note that, before terminating the service, the success criteria and costs of the replacement system or service should be collected. I.e. Re-apply the approach above to the replacement system or service.
Astute's consultancy services are used by businesses to identify the processes and data used to estimate, monitor, measure and determine the success (or failure) of a cloud IT service implementation. Simply contact Astute or take advantage of our free and no-obligation quotation to discuss developing and delivering the criteria to quantify cloud IT service success for your business.
In our next article Astute will describe how to develop and create content for the type of (cloud) service section of a business cloud IT strategy.
6 questions for cloud strategy alignment
The alignment section of an Astute cloud IT services strategy is created by answering 6 simple questions.
The alignment section of the strategy defines how the business vision, strategy, goals and values are supported by the use of cloud IT services. The content of the section is developed by providing concise responses to each of the following questions:
1. What are the business challenges and benefits when using cloud IT services? Content hints below:
- Commonly reported benefits of cloud IT services are capability and convenience; cloud services support a range of functions (e.g. email, storage, customer relationship, customer service, accounting, sales and marketing etc) without the need for the business to commit significant amounts of "upfront" capital
- Improved access for customers and employees, as the majority of cloud services are designed to operate using a range of devices (i.e. computer, tablet, smart phone)
- The range of functions offered by cloud services is also increasing (e.g. product and inventory management, online stores with online payments etc); it is quite possible that the cloud can deliver specific business functions in addition to the common functions listed above
2. How do cloud services align and complement the business vision, strategy and plans? Content hints:
- Reduced and lean (capital) operating costs
- How cloud IT services support, enhance and deliver to the business goals identified as a result of developing customer centric values
3. How does cloud support and enhance a customer centric business model? Content hint:
- Define how cloud IT services support, enhance or even deliver the business vision and model identified as a result of developing a customer centric culture
4. How will employees and customers access the cloud service? Approach:
- Identify the locations and scenarios that describe how customers and employees will access services
- Identify how customers and employees will access the services. E.g. computer, smart phone, tablet etc
It is important to note that the ability to access services from anywhere, over the internet, using multiple devices (computer, smart phone, tablet etc) is a standard feature of IT cloud services.
5. What is the budget / monthly spend for the service? Approach:
- Identify the type of cloud IT service plan. Cloud service plans can be:
  - priced per user (or group of users) per month
  - priced per user per annum; usually a discounted rate per user per month over 12 months
- Identify, document and budget for monthly or annual cloud IT service costs in the business financial plan
- Cloud IT services can be charged in a foreign currency. If this is a significant amount, Astute recommends that the business investigates and applies methods to reduce foreign exchange rate risk
6. What business information can be stored and managed in the cloud? Approach:
- Locate or define an information classification policy for the business. Astute recommends using a standards compliant classification model (e.g. the ISO 27001 classification template)
- Ensure the policy defines which classifications of information can and cannot be stored in and accessed from the cloud
- Identify the types of information you want stored and accessed from the cloud (e.g. customer name, address, email, phone number, account details etc)
- Assign an information classification (from the policy above) to each of the types of information identified
- Using the policy, list the types of information (based on information classification) that can and cannot be stored and managed in the cloud
In our next article Astute will describe how to develop and create content for the Success Criteria section of a business cloud IT strategy.
7 steps to create a business cloud IT strategy
In 2015 Forbes published a small business cloud usage report; it found that 37% of US small businesses have adapted to the cloud and 78% will be fully cloud operational by 2020.
The findings demonstrate how more and more businesses are using the cloud to deliver products and services to their customers.
To select and effectively utilise cloud services Astute recommends businesses start by creating and using a cloud strategy.
A cloud strategy document is used to identify, capture and define how the business vision, strategy, goals and values are supported and delivered by cloud IT services. The strategy document is also used to guide the business in the selection and application of cloud IT services.
In this series Astute presents a 7 step template approach that customer centric businesses use to define their cloud IT strategy.
Astute recommends applying the following principles when developing every section of the strategy:
- Keep the strategy simple, concise and easy to use
- Ensure the strategy is easy to find and access by all the employees of the business
- Embed the strategy in the culture of the business so it is always used to select and operate cloud services
- Ensure the strategy is reviewed and updated on a regular basis
- The who, what, where, when, why and how of every cloud service is described in the strategy
As presented in the figure below, a 7 section template is used to create the content of the cloud IT strategy.
The title, purpose and content of each section of the template are described as follows:
- Alignment. Describes how the business vision, strategy, goals and values should be supported by the use of cloud services
- Success criteria. Describes the criteria used to measure and determine whether the cloud service implementation has been successful (or not)
- Types of service. Identifies and describes the types of cloud IT services the business should (and should not) use
- Security and privacy. Identifies and defines cloud IT services security and privacy criteria
- Service checklist. Identifies and defines the criteria used to compare and select the cloud service or application from one or more cloud service providers
- Impact assessment. Describes the changes to business operations and services as a result of selecting the cloud service or application
- Operationalise. Describes how to introduce and use the selected cloud services in business IT operations
Throughout the articles in this series Astute will describe how to develop and create content for each section of the business cloud IT strategy using the template.
In our next article Astute will describe how to develop and create content for the Alignment section of a business cloud IT strategy.