Slide 1: Due Diligence Guidelines for Cloud Computing Providers and Services
John P. Morency, Research Director, IT Operations Management; (978)-901-4123 (office); John.Morency@gartner.com (e-mail)
Notes accompany this presentation. Please select Notes Page view. These materials can be reproduced only with written approval from Gartner. Such approvals must be requested via e-mail: vendor.relations@gartner.com. Gartner is a registered trademark of Gartner, Inc. or its affiliates.
Slide 2: Agenda
• Cloud 101
• Platform, Service & Vendor Overview
• Application & Service Styles
• Cloud-specific Security & Privacy Risks
• Third Party Due Diligence Recommendations:
  - People & Process
  - Infrastructure
  - Application Services
  - Data
Slide 3: What Is Cloud Computing? Gartner's Definition
Gartner defines cloud computing as "A style of computing in which massively scalable IT-related capabilities are provided as a service using Internet technologies, to multiple external customers." It would be easy to add a refining statement to this definition — to wit, "where the consumers of the services need only care about what the services do for them, not how they are implemented."
Things to Consider
• The cloud vs. cloud computing?
• Private clouds and the public cloud?
• Lowered barriers to entry; higher risk?
• Increased scale and elasticity potentially at lower cost?
• Global class — not just enterprise class?
Slide 4: Styles of Cloud Computing
[Figure: five styles of cloud computing, each drawn as a stack of browser/personal application, client hardware, server application and server/storage, with the layers the cloud provides highlighted. Styles and the examples shown with them, in the order they appear: SaaS (salesforce.com); Cloud Desktop (GoogleDocs, Web search); Cloud Desktop Infrastructure (Desktone, VDI in the cloud); Cloud Server (iTunes, Exchange Hosted Services); Cloud Infrastructure (Amazon EC2).]
Slide 5: A Range of Platforms, Services and Potential Vendors
[Figure: technology providers and assemblers plotted from consumer-focused to business-focused, with unit labels (GBS) and (SWG, STG), across the layers Infrastructure, Widgets, Content, Applications, Ecosystem Management and Business Process.]
Slide 6: What's Feeding the Cloud Computing Phenomenon?
• Data-Intensive Applications: From massively parallel (e.g., Google) to large data files (e.g., YouTube)
• Infrastructure Technologies: Virtualization and automation
• Alternate Client Devices: Explosion of form factors, mobility, connected
• Application Technologies: From parallel processing (grid, MapReduce, Hadoop) to Web 2.0, SOA
• Data Centre Pressures: Growing costs of power and space, server sprawl
• Networking: Growth in connectivity and bandwidth through the Internet
• Industrialization of IT: Standardization and commoditization (e.g., e-mail), open source
• Business Model: Advertising subsidized, on the Internet
• Web Applications and Platforms: Mashable applications and services built on WOA (e.g., REST, RSS/ATOM)
Slide 7: Making Sense of the Cloud Alphabet Soup
[Figure: overlapping "cloudlets" of off-premises services. Labels in the diagram: Hosting, Cloud Web Hosting, SaaS, Cloud Native Web Applications, Platform, Infrastructure Utility, APaaS, IaaS, AIaaS. Descriptors attached to them: fixed, dedicated resources; hardware managed by others; shared applications; elastic Internet resources; provider-dedicated Web applications and Web content; hosted dedicated Web applications and Web content; commodity (industrialized) computing resources; programmable or programmatically accessible resources.]
Shared application infrastructure as a service (AIaaS); application platform as a service (APaaS); integration as a service (IaaS).
Size of the cloudlets and overlap shown is not to scale.
Slide 8: Privacy, Security and the Cloud
• Which privacy policy applies?
• Who is responsible?
• Can the provider confine personal data to a country?
• How are cross-jurisdictional legal conflicts resolved?
• Is breach notification implemented efficiently?
• Are operational controls sufficient (encryption, data masking, access control and monitoring, DLP)?
• How is this assessed (privacy impact assessment, Web site privacy audit, privacy seals)?
Slide 9: Security and Sourcing: Who Gets Decision Rights and Roles?
• Security is typically brought in after the fact, but this is starting to change.
• Sourcing needs security expertise to determine evaluation criteria and to conduct diligence and assessment.
• Audit/regulatory drivers are shifting more power to security.
• Sell your services and expertise. Work with procurement and legal departments to ensure security language is inserted into every contract and sourcing process.
• Establish an ongoing assessment process where you vet controls once the contract is signed.
Slide 10: Country Risk Ratings for Security and Privacy
[Figure: matrix rating countries and regions (among those legible: Brazil, India, the Philippines, Canada, China, Ireland, the EU, the U.S.) as Low, Medium or High on each criterion below; the individual ratings are not recoverable from this transcript.]
• Security Risks: National Information Security Standards; Track Record
• Privacy Protection: Data Privacy Laws; Enforcement of Privacy Laws
• Government Interception Risks: Govt. Access/Interception Regs.; Encryption Controls
• IP Risks: Patent Laws and Enforcement; Trade Secrets, Enforcement; Copyright, Enforcement
• Employee/Labor Laws
• Contractual Legal Risks
• Overall Climate
Slide 11: Create and Manage the Third-Party Process
• Define security and privacy policies and requirements for third parties
• Put in place a process for "tiering" vendors (criticality of relationship, type of data, vendor risk profile)
• Assemble surveys, assessments and draft language for typical outsourcing or SaaS
• Manage FTE and assessment requirements — look at automated tools for network and application assessments, role of services/tools for managing workflow
Slide 12: Security Requirements to Negotiate: People and Process
• Security certifications — Is your provider BS 7799 Part 2 or ISO 27001 certified, across all relevant data center locations?
• Security assessments — Customers should have the ability to conduct their own security assessments or use a third party to do so, at least annually.
• Security personnel and training — Gartner recommends that 50% to 75% of security staff should hold a security certification or credential, and average experience should be at least four years.
• Employee screening practices — Understand how your provider screens or conducts background checks for employees; third-party services can be requested to augment the provider's baseline practices, although you may have to pay for it.
• Identity management — How quickly the provider can create and delete accounts for new and terminated employees is critical, especially with the high turnover rates among providers.
• Ethics, security and privacy training — Do policies match yours? How are they conducted?
• Remote access, e-mail, Web filtering and data leak prevention policies and enforcement — Which products are used, how are events dealt with, who does the monitoring?
• Subcontractor's right to inspect and refuse
Slide 13: Security Terms to Negotiate: Infrastructure
Business continuity
• Require quarterly testing for each site
• Understand how access to "hot site" services is allocated
• Are insurance limits sufficient?
Security monitoring
• Understand the provider's definitions and processes for monitoring irregular activity
• How are privileged users monitored?
Incident management
• Develop details on access to data, forensics assistance, cooperation with law enforcement and other partners in the event of an incident.
• SLAs for security incident notification are a must: preferably in real time, but at least within 12 to 24 hours.
Antivirus and patch management
• Four- to six-hour SLAs for antivirus signatures
• Vulnerability management and patch deployment
  - Specific schedule and testing requirements
Application and code security
• Protection of sensitive data during application testing
• Code and binaries testing for vulnerabilities
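Once the terms on this slide are in the contract, the ongoing assessment the deck calls for needs something that grades provider evidence against them. The script below is an added example, not part of the Gartner deck: it grades constructed incident-notification and antivirus-signature records against the 12-to-24-hour and four-to-six-hour figures above; the record layout, field names and the met/late/breach grades are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Thresholds taken from the slide: notification preferably in real time but
# within 12 to 24 hours; antivirus signatures within four to six hours.
THRESHOLDS = {
    "incident":     (timedelta(hours=12), timedelta(hours=24)),
    "av_signature": (timedelta(hours=4),  timedelta(hours=6)),
}

def parse(ts):
    """Parse an ISO-8601 timestamp and normalise it to UTC. Naive values are
    rejected: evidence from sites in different time zones must not be compared
    ambiguously. None (no notification / no deployment yet) passes through."""
    if ts is None:
        return None
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without time zone: {ts}")
    return dt.astimezone(timezone.utc)

def grade(start, end, target, limit, now):
    """'met' within the target, 'late' between target and limit, else 'breach'.
    An open item (end is None) is measured to 'now', so it becomes a breach
    by itself once the contractual limit has passed."""
    elapsed = (end or now) - start
    if elapsed <= target:
        return "met"
    return "late" if elapsed <= limit else "breach"

def assess(records, now):
    """Map each record id to its SLA grade. Each record (assumed layout) has
    kind, id, start (detection / signature release) and end (notification /
    deployment, or None)."""
    report = {}
    for r in records:
        target, limit = THRESHOLDS[r["kind"]]
        report[r["id"]] = grade(parse(r["start"]), parse(r.get("end")),
                                target, limit, now)
    return report

# Constructed sample evidence, not data from any real provider.
SAMPLE = [
    {"kind": "incident", "id": "INC-1", "start": "2009-03-02T08:00:00+00:00", "end": "2009-03-02T08:45:00+00:00"},
    {"kind": "incident", "id": "INC-2", "start": "2009-03-02T08:00:00+00:00", "end": "2009-03-02T22:30:00+00:00"},
    {"kind": "incident", "id": "INC-3", "start": "2009-03-02T08:00:00+00:00", "end": None},  # never notified
    {"kind": "av_signature", "id": "SIG-1", "start": "2009-03-03T00:00:00+00:00", "end": "2009-03-03T03:30:00+00:00"},
    {"kind": "av_signature", "id": "SIG-2", "start": "2009-03-03T00:00:00-05:00", "end": "2009-03-03T06:30:00+00:00"},  # 1.5 h after UTC normalisation
    {"kind": "av_signature", "id": "SIG-3", "start": "2009-03-03T00:00:00+00:00", "end": "2009-03-03T07:00:00+00:00"},
]
NOW = datetime(2009, 3, 5, tzinfo=timezone.utc)

if __name__ == "__main__":
    for rec_id, result in assess(SAMPLE, NOW).items():
        print(rec_id, result)
```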
Slide 14: Application Security and Outsourcing: What Enterprises Should Do
• Application security expertise should become a criterion in ESP selection. Look at training and SDLC process.
• Applications developed by ESPs should not be accepted unless they are tested for security vulnerabilities. Define which tools should be used, and by whom.
• Application security testing should be included in the SLA. Define which type of vulnerabilities will be fixed, and when.
Slide 15: Data Breach and Privacy Laws and Issues
• Validate the vendor's privacy processes, and document the process for alerting you if any breach occurs
• Evaluate the provider's privacy incident response plan, training and procedures
• Costs and expenses related to dealing with a security incident: coinsurance and limits discussion
• If customer or employee data is being hosted outside its legislative region, ensure that contract terms are in place so the vendor is complying with any security or privacy requirements
• EU: Safe Harbor or model contract terms? Safe Harbor is weak in terms of enforcement and auditability, and because of the vagueness of some terms
• Many EU-based companies prefer to use model contract terms; these terms require the provider to agree to be subject to an EU jurisdiction or authority, require security and privacy audits, and require the provider to adhere to restrictions on onward transfer
Slide 16: Key Recommendations
• Negotiate for specific security-related terms and conditions before sealing the deal with any provider.
• Customize security requirements for the type of service being sourced.
• Allocate resources effectively when evaluating third parties. Tier your suppliers and partners according to the risk profile and business impact. Spend more (on-site assessments, services) on the high-impact relationships.
• Due diligence and ongoing assessment costs should be "baked" into sourcing analysis. If more controls/tools are needed, security needs budget from the business unit.
• A good security due diligence process, coupled with oversight and/or deployment of additional security tools, can not only mitigate increased risk when sourcing, but provide much higher levels of security than when delivered internally.