Riding technology waves

BT Assure

Finding the sunshine in the cloud

Finding the sunshine in the cloud

“You think about technology waves, and every once in a while you get one that you know is meaningful, that actually changes the way companies spend their money and invest in solutions; it actually changes the way the tech industry itself is shaped — and cloud computing is one of those things.”

Ted Schadler, vice president and principal analyst, Forrester Research.

We can see clearly now, the haze has gone

Cloud is here to stay; more and more organisations are using cloud services — no great surprise when every business is looking to make efficiency and cost savings in these difficult times.

Cloud computing is a top-of-mind consideration for most CIOs, finding that most organisations are looking to the cloud for ‘extension’ — the capability to take their business in new directions faster — rather than simply as a method of cost management.

The benefits of moving to cloud architecture are widely accepted and potentially huge:

• Increased agility due to rapid provisioning and de-provisioning of resources;

• Significantly-reduced capital expenditure and fixed costs;

• A faster return on investment thanks to pay-as-you-use commercial models;

• Easy availability of services to a mobile workforce; • Less time spent managing technology and software

and more time spent managing information and data to drive business innovations.

And now the hype haze has cleared we have a much clearer picture of how to get the best from the cloud — and what could be holding back take-up.

Finding the sunshine in the cloud

It’s rarely an all-or-nothing decision; cloud deployment is far more likely to be on a project-by-project basis:

• Opportunities to try out new business areas that would otherwise be beyond the budget available.

• Sharing internal services and resources more effectively, enabling a more collaborative way of working.

• Increasing work force mobility.• Rapid, low-cost introduction of new

trading points.• Sharing the cost of control and regulation of

big data with other user organisations.

Are you in the cloud without knowing it?

Although just over half of businesses state they’re now using the cloud1, this figure is conscious use; in reality more businesses are using the cloud (every time they access something hosted remotely) just without giving it that specific label.

The need for a cost-effective solution to these scenarios (and others) pushes organisations into cloud acceptance, often without widespread recognition of the fact.

The cloud needs a different, conscious approach

This is a crucial time for those managing IT. The cloud computing and consumerisation (BYOD) technology waves are changing the distribution of IT control: users are taking more control of the devices they use; business managers are taking more control of the budgets; and service suppliers are taking more control of the data they handle.

CIOs and IT managers wanting to contribute to their organisation’s acceleration in 2012 need to be able to coordinate these different elements in a much wider scope than previously in order to retain control; it’s time to adapt or be swept aside.

Is the security issue holding back cloud take-up?

Not really; it’s more a question of trust.

To use cloud services CIOs and IT managers have to put their organisation’s data in others’ hands, and this creates concerns about a perceived lack of control.

In fact the way you exercise control is through your security policies, and this does not change at all with a cloud deployment; even when you owned all your organisation’s computers and controlled all its hardware, you had to trust vendors, service providers, outsources, suppliers, governments, and your co-workers, and your security policy always defined your organisation’s security posture. All that’s happening now is that the relatively new model of the cloud is highlighting the trust-control and security policy issue afresh.

What CIOs and IT managers need to cultivate is mindful trust — being aware that exploiting the cloud requires trust and a careful assessment of where to place it. Mindful delegation of responsibility frees the IT professional to take on a more strategic role within the organisation.

Finding the sunshine in the cloud

Determine your risk appetite to make the cloud work for you

Jeff Schmidt, Executive Global Head of Business Continuity, Security & Governance, BT Global Services

“Enterprises often take a blanket approach to information security. Some try to protect everything against every imaginable threat (sometimes at tremendous expense). Others spread whatever they can afford evenly, hoping — praying — this will keep attackers at bay.

Instead you should define your risk appetite — the amount of risk you’re prepared to take in each area of your operations, from your interfaces with customers and suppliers to the ‘inner sanctums’ that hold your most valuable assets. That done, you can start to think not just about the defences you need to put in place, but the processes you need to enforce the security policy you’ve set out.

And when everything’s in place, you need to check that it works.”

• Determine your risk appetite.• Build appropriate defences.• Test to validate, ideally with ethical hacking.• Continue to ‘rinse and repeat’ to have a

best-of-breed security programme.

Successful cloud is all about pragmatic trade-offs

The decision to go to the cloud should always be as a result of practical and balanced benefit-risk assessments to reveal the true value of cloud services to your organisation.

This may involve new ways of thinking; traditional ICT approaches focus on owning and controlling resources, assets and contracts for specified services — but the cloud allows a shift beyond that, to a focus on accessing evolving services.

Part of the pragmatic trade-off is identifying and tackling the biggest security concerns associated with the cloud: corporate data confidentiality, privacy and the integrity of services and/or data2.

Finding the right trade-off for your organisation involves determining your organisation’s appetite for risk and then facilitating the cultural move from a zero-risk/zero-breach mentality to a predict-and-prevent/risk-resilient mentality. Above all, a successful cloud policy depends on a realistic view about the trade-offs you’re making.

Eight essentials to keep your data secure in the cloud

1. Plan and research. Understand exactly what you want to achieve and work out what type of data you want to move to the cloud. Research the market and the different services, service level agreements and security features available. Investigate hosting and find out the regulatory implications of data being stored in different countries.

2. Look for a supplier you can trust. You need a relationship grounded in a shared understanding of accountabilities and expectations. The choice will not just be about whether a supplier can provide a service within desired cost and time parameters. Rather, the choice will confirm that they will do it with the same care you provide when doing it yourself.

3. Outsource responsibility responsibly. Use the tools that are there to protect your organisation against risks — contracts, governance frameworks, due diligence procedures and insurance policies.

4. Put your prospective supplier under the microscope.Find out who within the supplier organisation will have access to your data; ask for audit logs, details of compliance certification, or info about a recent audit that they can share.

5. Prepare for cloud culture. The automated interface of many cloud services can feel alien to IT departments used to dealing with people within supplier organisations. Procurement, legal or commercial teams can also find the pay-as-you-go contracting model of cloud services demanding. Work to help these teams understand the value of the cloud, or they may become strategic barriers. Create higher levels of security literacy amongst your people. Give them the understanding they need to react in the right way to new situations; it’s about helping them think things through rather than blindly following rules.

6. Protect your data. Use strong authentication. Encrypt your data when stored and transmitted and keep access to your encryption keys within your organisation. Make sure data no longer needed is permanently erased from computer memory and storage.

7. Prepare to prevent DDoS attacks. Attack via denial of access to legitimate users is relatively common. However, with the right planning, cloud systems are highly resilient against simple flood attacks and excel at ramping up more bandwidth and resources in the face of gigabytes of malicious traffic.

8. Review regularly. Seek independent audits of suppliers’ offerings, to ensure they are still the best-in-class and best fit for your needs. Test your systems and procedures, and remember to review the human elements too.

Finding the sunshine in the cloud

A cloudy future

Gartner predicts that by the end of 2016 more than 50 per cent of Global 1000 companies will be storing customer-sensitive data in the public cloud. What’s more, it estimates that more than 20 per cent of organisations have already begun to selectively store their customer-sensitive data in a hybrid architecture that’s a combined deployment of an on-premise solution and a private and/or public cloud provider3.

Half of business decision-makers surveyed said they would be willing to consider using the cloud if they knew more about how their data would be secured4.

The cloud is ready; challenge your cloud provider to help you make sure what’s proposed matches your risk appetite and that you have the cyber-security measures in place to cover your cloud activity.

BT Assure brings you powerful security and risk management products to build a sustainable business with added security and resilience in every process. BT Assure combines the necessary elements of IT security management with the seamless transition between cloud, hosted, and on-premise — offering well-built solutions to complex problems that are adaptable to the most elaborate network environments in the world. We can help you with all aspects of security, including the issues raised by the cloud.

Please get in touch if you’d like to find out more.

1Cloud Industry Forum, 2011.2EU Network and Information Security Agency (ENISA).3Gartner’s Top Predictions for IT Organizations and Users, 2012 and Beyond: Control Slips Away.4Trend Micro research.

Offices worldwide

The telecommunications services described in this publication are subject to availability and may be modified from time to time. Services and equipment are provided subject to British Telecommunications plc’s respective standard conditions of contract. Nothing in this publication forms any part of any contract.

© British Telecommunications plc 2012 Registered office: 81 Newgate Street, London EC1A 7AJ Registered in England No: 1800000