Buyer’s Guide to Secure Cloud

An executive guide to outsourcing IT infrastructure and data storage using Private Cloud as the foundation.

Executives derive much confidence from the fact their corporate data is stored on assets they own, in buildings they own, and managed by staff they employ. This emotion has been a key factor in establishing Private Cloud as the solution of choice for security conscious outsourcers of IT infrastructure and data storage.

Historically provisioned on dedicated physical systems and storage, Private Cloud is where the infrastructure is managed and operated solely for an organisation, either on premises by internal or third party teams, or externally by a Managed Services Provider (MSP) as an outsourced service. Under the latter, the MSP provides access controls, encryption and segregation, to ensure the confidentiality, integrity and availability of customer data.

By contrast, Public Cloud means applications and data are hosted in shared environments. They are run on multi-tenanted infrastructure where organisations share firewalls, storage and processing. Their applications and corporate data will be sitting alongside those of other customers, often across multiple sites and potentially multiple countries. This exposes them to risk. To bridge the Private/Public divide, Hybrid and Community Clouds have evolved. These models mean organisations opting for Private or dedicated infrastructure can also benefit from the flexibility, scalability and cost efficiency of shared environments. However, it is vital to engage an MSP or Cloud Services Provider (CSP) with highly secure and redundant facilities, together with the right skills and experience to build a solution enabling innovation in a controlled manner.

The following provides a simple guide to understanding and navigating the available options when using Private, Community and Public Clouds, as well as physical systems and storage, and Virtualised Machines (VMs). It also provides a handy scorecard to help you assess the most appropriate components for your requirement, and what to look for when selecting a service provider.


What’s Important to Your Business?

The key to a successful and secure Cloud migration is to adopt a risk-based approach aligned to business objectives. Common drivers are:

• Availability – a highly available and inherently secure infrastructure guarantees users can connect to business-critical data from desktop to data centre to device.

• Enhanced security and resilience – when using a data centre purpose built for security and redundancy, the Cloud offers superior physical access protection compared with in-house solutions.

• Reduced capital expenditure – buying a service rather than owning and managing the capital assets of that service means you benefit from the latest technologies without making upfront capital investments.

• Scalability and flexibility – Cloud provides almost limitless scalability without costly and resource intensive IT build-outs, enabling your business to grow in line with demand and customer growth, and manage vast volumes of data securely.

• Regulatory compliance and data residency – the right blend of outsourced IT infrastructure and data storage enables companies to achieve and maintain compliance while driving down cost, complexity and risk.

In order to realise these benefits, you first need to evaluate the level of risk associated with the assets you want to migrate. The following three steps provide a simple framework for establishing your risk position:

1. Identify the asset to move to the Cloud – be it data, processes or applications.

2. Identify the asset value – determine how important the data or function is to your business as usual, its impact on operations costs and sales, as well as its replacement cost.

3. Evaluate the asset’s ‘CIA’ vulnerabilities – assess the Confidentiality, Integrity and Availability requirements for the asset; and how the risk changes if all or part of the asset is handled in the Cloud.


Operating Securely

Hybrid Model

Using a tried and trusted methodology such as the CCTA Risk Analysis and Management Method (CRAMM), it is possible to score your organisation’s risk position on an application-by-application basis. Cloud migration is then a matter of identifying the most appropriate technology stack (compute, network, storage) on which to run the workload:

• Dedicated – where each server runs a single workload, and where all servers, network, switching, storage, firewalls, etc., are managed and operated solely for an organisation.

• Dedicated virtualised – where one server hosts multiple VMs to run multiple workloads and can perform many roles.

• Multi-tenant – for Infrastructure as a Service (IaaS), different VMs may share hardware via a hypervisor; for Platform as a Service (PaaS), different processes may share an operating system, database and networking services; for Software as a Service (SaaS), different consumers may share the same application or database.

Wherever shared environments are part of your outsourced infrastructure, it’s important to know your neighbour. This is the underlying principle of the Community Cloud, where the infrastructure is provisioned for exclusive use by a specific community of organisations with shared concerns – such as security requirements, policy, or compliance.

The Community Cloud model is intended to mitigate multi-tenancy risk because the attack surface is smaller (due to there being fewer members of that community), while the service provider should have vetted the security perimeter of each member organisation.

Contrary to perceptions, organisations can actually improve their risk position by taking the right type of Cloud services in the right proportion from the right type of service provider. This can be achieved under the Hybrid Cloud model, which is a combination of two or more Clouds (Private or Public) that remain unique entities, but are bound together by technology that enables data and application portability.

With a Hybrid Cloud where all constituent components are managed by a single MSP, you can migrate critical applications, data and processes to a Private Cloud (whether dedicated, dedicated virtualised or multi-tenanted), and migrate test and development or web-facing services to Public Cloud and benefit from elasticity, reach and the utility billing model. Working with a Managed Security Services Provider (MSSP), for example, gives you access to a suite of sophisticated Information Security services such as Security Incident and Event Management (SIEM). SIEM is costly and notoriously complex to manage in-house, but under Cloud, can be delivered as a managed service supported by 24x7x365 monitoring via a Security Operations Centre (SOC).

Security and risk mitigation are also achieved by limiting the types of data processed in the Cloud, or by contracting with service providers for isolation mechanisms such as dedicated infrastructure rather than VMs, Virtual Private Networks (VPNs), segmented networks, or advanced access controls.

For low-impact data and processing, the security perimeter may consist of commercial firewall rule sets and VPNs. For higher-impact data, more restrictive firewall policies are applied, as are additional

Big Data, Big Concern

Keeping Data Safe

The security and availability of data is consistently identified as the number one concern when it comes to Cloud adoption. This is unsurprising given that virtual Cloud servers can host applications and databases containing sensitive corporate information – including personnel records, intellectual property (IP), and customer information. The loss or theft of these assets can be disastrous – especially where regulation such as the Payment Card Industry Data Security Standard (PCI DSS) and data privacy laws are concerned.

In mid-2014, the uploading of the entire NHS patient database to Google servers based outside of the UK drew strong criticism from a prominent MP, as well as campaigners and privacy experts who raised questions concerning how the use of that data would be controlled and what safeguards were in place to protect privacy. In the US, medical records obtained illegally from servers and containing personal information such as names, addresses and social security numbers, are being sold on the ‘dark web’ and could potentially be used to commit identity fraud.

In addition to concerns around the security of data, there’s also the spiralling cost of storage to contend with. One of the biggest challenges to businesses today is exponential growth in data volumes or ‘Big Data’ and the need for data analytics. It’s therefore essential to work with a service provider that has the capacity to keep pace with the increased demand for physical storage space, and provide a cost effective archiving system supporting future governance and compliance mandates.

To reduce risk, you should look for Cloud providers who employ storage segregation policies for customers, where you can store your data on a dedicated blade server and who offer 24x7x365 support, monitoring and alerts, and who have the ability to respond rapidly to mitigate risk. With segregation policies, no server contention will ever disrupt your quality of service.

Essential building blocks for ensuring your corporate data is kept secure are:

• Data centres – the foundation of any Private Cloud service. They should be in a location free from hazards, whether natural or man-made, and have a reliable and stable power supply, together with diverse routes of communications. Where business critical or highly sensitive applications and data are being hosted, it is essential that the operator of the facility be ISO 27001 certified, and that the facility itself is rated for information assets up to RESTRICTED (IL3) for confidentiality and integrity, and up to IL4 for availability.

• Physical security – a multi-layered approach provides the highest level of physical security for data centres. It should be planned as a single entity and include fences, gates, lighting, CCTV and robust access control measures. The perimeter must also be demarcated and secured with a fence or other physical measures supported by appropriate surveillance and monitoring systems.

• Logical security – the protection of VMs must be assured in a highly granular fashion. Look for capabilities including Stateful Firewall, Web Application Firewall, and Anti-virus; as well as Encryption services, Host based Intrusion Protection, Virtual Patching Technology, File Integrity Monitoring, and SIEM.

• People – service providers should use pre-employment screening and include security terms and conditions in their conditions of service. An effective personnel security review process and a formal process for managing staff leaving the business are also necessary to ensure the highest level of security.

• Connectivity – look for MSPs / CSPs that can offer carrier neutral and fully managed broadband connectivity from their data centres to the Internet.


Cloud Migration Score Card

Based on our deep knowledge and experience in Managed Hosting, Cloud Infrastructure, and Data Storage, we have prepared a simple scorecard to help you assess the most appropriate components for meeting your outsourcing requirement.

1) What are the key drivers for your Cloud migration?

A. Additional security and high availability

B. Faster time to market / additional functionality

C. Cost efficiency / flexibility / ability to scale

2) What data is being migrated?

A. Personal records / transactional data

B. Sensitive corporate data / IP

C. Non-sensitive / ancillary

3) Which applications are being migrated?

A. Business-critical / customer-facing

B. Back-office / Test and dev

C. Non-business critical / ancillary

4) How does the physical or legal location of your data affect its use?

A. My data is subject to regulatory mandates

B. Some of my data is subject to regulatory mandates

C. My data is not subject to regulatory mandates

5) Have you adopted a risk-based approach?

A. Yes I have carried out a risk assessment, identified mitigating controls, and implemented an on-going risk management programme

B. I would like to adopt a risk-based approach, but need guidance

C. No, I do not need a risk assessment


6) Business Continuity Planning (BCP) and Disaster Recovery

A. I require documented plans for availability, BCP and DR that meet my RPO/RTO requirements

B. I may require some form of BCP and DR that meet my RPO/RTO requirements

C. I already have my own BCP and DR facilities

7) What level of support do you require?

A. I need a 24x7x365 ITIL based support and service desk

B. I have an internal IT team that is highly capable but that would also benefit from specialist support

C. I am confident my internal team can manage my Cloud migration

8) Data residency and security

A. I need auditable evidence of where my data resides and how it is protected

B. Auditable evidence on data residency and access controls are required for some of the assets I am looking to migrate

C. I am not migrating business-critical or sensitive applications and data

9) Availability of applications and data

A. I require clearly defined service level availability guarantees and penalties

B. Service level agreements should address aspects of availability

C. Availability and security are not primary concerns

10) Auditing and forensics

A. I require a full audit trail of everything technical teams do when accessing my environment, with all log data kept totally secure and available for forensics should an incident occur

B. Some of my applications and data being migrated will need to be monitored 24x7x365, with security event logs available for inspection should an incident occur

C. I do not need access to event logs or granular reporting


Interpreting Your Results

• Mostly A’s – A Private Cloud infrastructure is recommended.

• Mostly B’s – A Private Cloud complemented by Community and Public Cloud can meet your migration requirements.

• Mostly C’s – Public Cloud should enable you to realise the benefits of Cloud, but a risk assessment is recommended.

Still not sure which options are right for you? Contact The Bunker to book a free consultation with one of our cloud infrastructure experts to help explore your options further.

Concluding Remarks: Phil Bindley, CTO, The Bunker

The benefits that Cloud services bestow are such that Cloud strategy today is a question of how, not when or if. But while the value proposition is well understood, the myriad options in respect of infrastructure, delivery models and service provider capabilities are not.

Certainly, it can be hard to identify exactly what you’re getting unless you are well versed in the nuances of Cloud technologies, not to mention Information Security and regulatory mandates.

The typical Cloud buyer isn’t helped by the fact that service providers are not known for their transparency when it comes to tricky topics such as data sovereignty, security models, and the roles and responsibilities assumed by those in the supply chain.

Outsourcing with The Bunker, however, means you can be part of a community of like-minded businesses that, like you, understand the value of security. You can scale up and down quickly and seamlessly, and build dedicated and virtual environments within a single, high availability infrastructure that is secure by design.

Delivered as a service with an exceptionally high standard of digital, physical and human security, The Bunker’s Secure Cloud eliminates the need to over specify computing power up front and ensures you only pay for what you need, when you need it.

Crucially, we can provide you with demonstrable evidence on how regulatory needs are met, and are happy to invite independent auditors to ‘look under the hood’ to see why we are the UK’s trusted partner to security conscious outsourcers of IT infrastructure and data storage.

For a full feature set and solution overview of The Bunker’s DRaaS, please download our DRaaS Factsheet.

To find out more about The Bunker’s services:

www.thebunker.net

info@thebunker.net
