IS THE CLOUD SAFE? CLOUD COMPUTING, SECURITY, AND DATA SOVEREIGNTY

A MeetTheBoss TV ebook, in collaboration with HP

24 roundtables, 36 hours of conversation, 120 senior IT executives, one question: what is the impact of cloud on data ownership?
Post on 06-Aug-2015


MeetTheBoss TV and HP have hosted 24 roundtables with senior IT professionals. Each roundtable is a 90-minute deep dive into the business impact of cloud computing, led by the executives and independently moderated by MeetTheBoss TV.

This ebook gathers the highlights, challenges and learning from 24 roundtables, 36 hours of conversation, and 120 senior IT executives on the impact of cloud on data ownership.

What does business really think? It’s all here.

INTRODUCTION: ABOUT THIS EBOOK

The paranoia of a post-Snowden world has companies locking down digital borders in the quest to deliver a secure cloud environment. But where do the real risks lie?

Cloud promised the world: unfettered access to computing resources and assets, irrespective of geographic location or device. Sure, people had concerns, security chief amongst them; but even so the cost, speed and agility benefits were largely considered to outweigh any potential risks.

Then along came Snowden, with his revelations of widespread NSA data collection and surveillance. Suddenly, data sovereignty – the concept of where your data resides and who has authority over it – was right back at the top of the CIO agenda, with a growing number of firms refusing to countenance storing data outside of their own country borders. The benefits of cloud were still there, but which provider you used and where they were located became all-important. According to research from NTT Communications, a whopping 95% of IT decision-makers believe location matters when it comes to storing company data, with 88% changing their cloud-buying behaviors in light of the Snowden scandal.

CHAPTER 1 CLOUD, SECURITY AND DATA SOVEREIGNTY: WHAT ARE THE RISKS?

By Ben Thompson, Editor, MeetTheBoss TV

But sovereignty is not just about geography; it is also about legal jurisdiction. “Who owns the legal rights to that data?” asked Martin Hagen, Head of IT for the City of Bremen. “Which laws and regulations is it subject to? And who has control over that?” It was a concern echoed across the region. “Establishing the legal location is very important,” agreed Lorenzo Bandelli, CIO for Trieste. “We need legal assurance that the data is ours, and knowledge about who can do what with that data.”

A chief concern for attendees was a lack of transparency into what happens to your data once you hand it over to a provider. “My fear is that when you purchase cloud services, you might be purchasing hosted infrastructure that is contracted to third-party providers located elsewhere,” said Eero Oksa, IT Director for METSO.

Infographic: 95% of ICT decision-makers believe location matters when it comes to storing company data; 88% are also changing their cloud buying behaviour.

“NSA disclosures could significantly lower US technology sales overseas”

“Owning the data and making sure we know where it is sitting and that we can pull it back if we need to is really important,” added Richard Epstein, Head of Enterprise Architecture at Maersk Line. “Cloud computing companies have yet to provide a clear strategy about how we can do that.” Indeed, Forrester has estimated that the NSA disclosures could lower US technology sales overseas by as much as $180 billion by 2016. “In certain areas we simply cannot use the cloud following the Snowden revelations,” confirms Olli Hyyppä, SVP and CIO for NXP Semiconductors. “Now, European clients are nervous about two things: cloud, and American cloud providers.”

And this is what it all comes back to in the end: trust. And not just trust in vendors, but trust in the governments of the countries in which they operate. There is an argument to be made that cloud providers are already better equipped to handle data security than all but the most sophisticated of customers; the question is, in a post-Snowden world, can those providers restore lost confidence in their data sovereignty strategies?


LOSING CONTROL

PETER RASMUSSEN, SVP, Danske Bank

“We used to have total control of all servers, settings and data and where they were stored, and we could go and inspect it at any time with our service provider. Moving into cloud, this is no longer the case. You have to rely on reporting, on certifications, and you have to build your security around that.”

SHIFTING SANDS

COLIN MILES, Director Enterprise Services, Virgin Media

“We need to maintain UK residence of data due to government controls, but use accredited partners to place our data in a managed private cloud. There’s a lot to recommend this approach – not least due to the significant management resource required to deal with changing government requests.”

WHO DO YOU TRUST?

MARTIN HAGEN, Head of IT, City of Bremen

“Politicians assume that if the data is in Germany then all is well, and if not then we have a problem. But from my technology-based perspective, that doesn’t make much sense, because it wasn’t just the American secret service spying on data, it was other countries too – including Germany.”

HAVE THE SNOWDEN REVELATIONS CHANGED YOUR APPROACH TO THE CLOUD?

95% of ICT ‘decision-makers’ believe location matters when it comes to storing company data

88% are changing their cloud buying behaviour

38% are amending their procurement conditions for cloud providers

31% are moving data to locations where the business knows it will be safe

52% are carrying out greater due diligence on cloud providers than ever before

84% feel they need more training on data protection laws

Source: NTT Communications, March 2014


CHAPTER 2 CLOUD, SECURITY AND DATA SOVEREIGNTY: HOW DO YOU MANAGE THE RISKS?

By Adam Burns, Editor, MeetTheBoss TV

A wise CIO once told me the problem with regulators: “they are neither cutting edge, nor consistent”. The reality, he conceded, is that it makes no difference. Regulators are red of teeth and claw and the smell of data breach is in their nostrils.

Of course it’s not just regulators after you. Stephen Deakin, Interim CTO for London’s Metropolitan Police, confirms what chief information security officers have been saying for years: “We are seeing organised gangs focusing on data”.

Four ways businesses are managing risk

But enough fear, uncertainty and doubt (the benefits of cloud computing hugely outweigh them anyway). Our roundtable executives are managing the risks, and this is how:

1 CHANGE THE BUSINESS MINDSET

Andrew Stanton is charged with Global Infrastructure Strategy and Design for global asset management company Schroders. He sums this point up perfectly: “If we allow SaaS, anything cloud, then we have said the data will go outside of our borders. Recognise it is going to happen, educate, show true governance, do everything you can to show people the importance of data.”

2 STAY OUT OF THE SHADOWS

Find out who is using shadow IT, find out what they are using it for, and either integrate or provide an alternative. Then fix the issue that made your business turn to the dark side in the first place.

Norbert Weidinger is Deputy CIO for the City of Vienna. He has recently “formally established rules that internal customers are obliged to comply with,” and, as part of a two-part strategy, also offers alternative services that provide similar services to those offered by Dropbox, etc. “Maybe not as sophisticated, but a lot more secure.”

3 WORK OUT WHAT’S NOT RIGHT FOR CLOUD

Bernhard Schaffrik, VP Global Enterprise Architecture with Merck, has a defined decision framework around cloud (“can it go cloud or not”). Håkan Borglund, CIO for Toyota Material Handling Europe, has ringfenced some transactional and IP data, specifically in the design area (“those systems are not going anywhere”). Schroders is trying to work to a system of concentric circles (“the centre circle is core data surrounded by procurement and contracts,” says Stanton. “The next circle is still using data from the middle, but can have analytical services. In the final, outside circle, you can create your own apps – but if you want to bring those into the core, you have to answer the long list of questions”).

4 BE A CONTRACT KILLER

Bjorn Fagerstedt, Head of Corporate IT with Scandinavian Airlines, said the company took three years to transition to a new cloud-based revenue management solution, and it put a lot of effort into “a complicated contract” that included all of the necessary mechanisms “to ensure we are fully compliant on personal data privacy, payment card industry data standards, accounting laws, etc.” Peter Rasmussen, Senior Vice President at Danske Bank, agrees: “Moving into cloud, you have to rely on reporting. You have to rely on certifications. And you have to build your security around that.” Work with your cloud service provider. Audit your cloud service provider. Are they compliant?

CHAPTER 3 A HOLISTIC APPROACH TO SECURING THE CLOUD

By Jeremy Ward, Global Development Manager, Security Consulting, HP Enterprise Services

From security to sovereignty, trust clearly remains an issue for companies looking to transition to the cloud. So how do you get assurance that your data is both safe and accessible? The answer might be to develop a more holistic approach to working with your cloud provider.

Cloud security is not what you might think. Despite media reports, many cloud security incidents are actually previously known issues with web applications and data-hosting – but at a greater scale and frequency due to the early adoption of cloud services.

Companies using cloud need to understand that they are consuming a shared resource and must, therefore, select the service that provides the levels of security and service that they need. As with most security challenges, technical solutions are only part of the puzzle. What is needed is a well-rounded approach.

ESTABLISH THE RISKS

As a starting point, a risk assessment is necessary to fully understand the impact of moving chosen applications and data to a particular cloud deployment and/or service model. This assessment must be undertaken from the viewpoint of how it affects the enterprise, not just from a security department viewpoint. The primary objective of a risk-based approach is to help an enterprise move from a reactive to a proactive stance for enterprise security, with the end goal of measurably reducing business risk.

HP has developed its ATOM risk-based methodology – assess, transform, optimise, manage – to help enable enterprises to achieve these goals. We assess your risk tolerance profile, compliance requirements, operational requirements, organisational capabilities, and resources. We typically do this within short HP Cloud and HP Security Discovery Workshops.

We then look to transform your environments, structuring and prioritising security issues and undertaking remediation projects with you. Next, we optimise the environment and also broaden your level of security awareness. Our experts proactively recommend operational and process improvements that can deliver an optimised security and risk posture. Finally, we manage security transformation programs that deliver security in the most effective way for the enterprise, adopting proven security technologies and flexible sourcing models.

INFORMATION-CENTRIC APPLICATIONS

The next thing to consider is that existing applications were not designed to run in a potentially hostile environment. The dynamic behaviour and public environment of cloud implicitly require that data and applications be self-defending, and be information-centric. As such, application developers need to adopt an information-centric approach to securing critical applications and data in the cloud by focusing on confidentiality, integrity and availability.

Developing applications with security already designed in dramatically reduces the risk of vulnerabilities and produces solutions that have greater security assurance at lower cost. And by addressing new attack surfaces early in the design cycle with a security requirements analysis, security maintenance and remediation needs are reduced during the testing and operational phases.

AUDIT AND COMPLIANCE

In today’s highly regulated environment, and in a post-Snowden world where data sovereignty requirements are top-of-mind, a dynamic cloud-based services environment needs continual and ongoing audit and compliance management. A traditional regime of annual or monthly audits becomes meaningless in an environment that changes completely on a daily or hourly basis. To comply with policy and legislation such as the EU Data Protection Directive, GLBA, HIPAA, and export compliance controls such as ITAR, enterprises require continuously running audit and compliance monitoring. Continuous monitoring is also crucial for enabling forensic examination and analysis if a security breach or disclosure occurs. What is more, this information must be available in real time to facilitate rapid response, notification and containment measures.

FINDING THE RIGHT PARTNER

The use of cloud services significantly alters an enterprise’s ability to exert strict controls over infrastructure, storage and network security measures. Therefore, the choice of cloud provider is critical to your success. Enterprises should conduct rigorous due-diligence assessments of the selected service providers’ infrastructure security policies as part of service sourcing and contract negotiations.

Do they offer an appropriate review of legal issues, dedicated infrastructure and select in-country hosting? Are they compliant with the requirements of the US Patriot Act and the EU’s Safe Harbour Framework? Can they ensure that transferring data across national borders is done only in accordance with the needs of the data’s owner and applicable local laws? These are the types of questions you should be asking of your provider.

You need to be clear about where your data resides, and where the risks lie. Only by taking a holistic approach to the cloud can you gain that level of assurance.

Figure: Holistic cloud security. Establish a risk-based approach; design or convert applications to securely run in the cloud; implement ongoing auditing and management; assess infrastructure and platform security during service sourcing.

SUMMARY WHAT WE LEARNED

1 ADDRESS THE TRUST ISSUE CIOs want assurances over where data sits and who has jurisdiction over it. “It’s a question of how much do you potentially expose your IP if you put it on public cloud? That makes people nervous,” says Laurent De Haas, CTO and VP for Global IT at Electrolux. Establish what your appetite for cloud is, and what you’re comfortable putting in the cloud. Involve business and legal units in the process.

2 MANAGE YOUR RISKS Conducting a thorough risk analysis is an essential part of any cloud strategy. “Every enterprise or public entity needs to do their own risk assessment,” explains Katarina De Brisis, Deputy Director General at Norway’s Ministry for Local Government and Modernisation. “What kind of data is it, what is the application, and what kind of cloud services are you looking at?”

3 BEWARE SHIFTING SANDS A key challenge is the pace of change. Re-evaluating policies, procedures and strategies on a regular basis will be critical to gaining the all-important visibility required to meet compliance and regulatory demands. As Merck’s Bernhard Schaffrik puts it: “I need a dedicated outsourcing contract that allows me the kind of transparency I am legally required to have.” Constant monitoring is key.

4 FIND THE RIGHT PARTNERS Expectations are rising as cloud usage becomes more pervasive – which is putting increasing pressure on vendors to deliver. “Every time we try to buy a cloud service, we have to explain to the provider how to be secure,” complains Richard Copley, Head of Corporate ICT for Rotherham Metropolitan Borough Council. Finding vendors that can meet these rising expectations will be vital.

5 READ THE SMALL PRINT You’ve found a partner: the next step is to establish baseline expectations of what that relationship entails. Service levels can differ significantly between providers. “Contracts and SLAs are important today; they will become even more important tomorrow,” asserts Joan Ignasi Grau, CIO at Spanish casino giant CIRSA. Do your due diligence upfront, and save yourself a service headache later.

6 THE FUTURE IS HYBRID To meet heightened requirements around data privacy and security, organisations should carefully consider the best option between private and public cloud for each application or workload. If you need to define a very specific environment for your application, to tightly control that environment and have greater control over data, private clouds are better; if you’re after lower costs, immediate access and standard SLAs, then consider public cloud providers. In reality, your approach is likely to be hybrid.

Now cloud moves the merchandise

Now cloud shows you the money

Starting today, cloud lives up to its promise. Introducing HP Helion. It’s a flexible fabric that unifies public, private, and hybrid cloud solutions with your existing IT. It accelerates innovation by enhancing OpenStack® technology with new levels of manageability, security, and support. And it extends HP’s leadership in private cloud, already trusted by more than ⅓ of the Fortune 100, through an expansion of our overall cloud services and infrastructure around the world. Now cloud runs through your enterprise. To move the merchandise and close the sale. To empower government and transform the classroom. To help you test faster, learn faster, and succeed faster. See how to run HP Helion through your organization at hp.com/helion

www.hp.com/helion


Looking for real Cloud Stories? Visit hp-cloudstories and join us on @cloud_stories