Cloud Computing For Dummies, part 7

176 Part IV: Managing the Cloud
a company building or accesses corporate information, either from within
the company’s perimeters or from any external location.
A company planning to secure its IT environment will generally focus on the broad range of potential vulnerabilities to its data center as well as ways to safeguard sensitive corporate, customer, and partner information wherever it is located. A company’s software applications may include lots of built-in application and data level protections (such as authentication, authorization, and encryption), but there are many situations where these protections aren’t enough. The following section provides an overview of the types of security risks that companies should consider in any IT environment, including the cloud.
Even when a cloud operator runs good security at the physical, network, operating-system, and application-infrastructure layers, it is still your company’s responsibility to protect and secure your own applications and information. The provider secures the platform; what you put on it is yours to secure.
Security services at both the application and the infrastructure level must be
a top consideration for organizations.
Given the importance of security in the cloud environment, you might assume that a major cloud services provider would have a set of comprehensive service level agreements for its customers. In fact, many of the standard agreements are intended to protect the service provider, not the customer. Therefore, a company really must understand the contract: what the provider commits to, what it excludes, and what (if anything) it owes you when it falls short.
The risks are lower if you’re using storage on a temporary basis than if you’re
using a cloud service as a replacement for a critical service that touches your
customers.
Currently, the IT industry faces a problem: Security approaches (including perimeter security) are becoming less effective. To understand why, you must know how security threats arise. A large share of security breaches (a commonly quoted figure is about 70 percent) are caused by insiders, or by outsiders getting help from insiders, and insiders rarely get caught. The cloud environment can have the same issue: a cloud is run by people, some of whom might be tempted to breach security, and those people are not your employees. If your company is going to use a cloud service, you need a plan for inside as well as outside threats.
The possibility that insiders will open a door for hackers or mount an inside
attack makes it clear that perimeter security on its own will never be enough.
Chapter 15: Managing and Securing Cloud Services 177
Secure history
PCs had no security at all initially, but a password-and-permissions system was added for networkwide security based on login. In IT security circles, this system is called perimeter security because it establishes a secure perimeter around the network, the applications it runs, and the data stored within. Many of the security products that organizations deploy, such as firewalls and virtual private networks (VPNs, which are encrypted communication lines), are also perimeter-security products. They improve the security of the perimeter, which is a bit like plugging holes in the castle walls. With the advent of networks, however, an operating system could be artificially extended to work across a network. With virtualization of everything from servers to networks, storage, and applications, the problem gets even more complicated.
Reducing Cloud Security Breaches
Make sure that the cloud provider has taken a structured approach to its own security model. In general, follow these steps to reduce the risk of suffering security breaches:
1. Authenticate all people accessing the network.
2. Frame all access permissions so users have access only to the applications and data that they’ve been granted specific permission to access.
3. Authenticate all software running on any computer, and all changes to such software. In practice that means verifying where an executable, patch, or configuration change came from (for example, that it is signed by a trusted source) before it is allowed to run. This includes software or services running in the cloud.
Your cloud provider needs to automate and authenticate software patches and configuration changes, and manage security patches proactively. Why does this matter? Many cloud service provider outages come from configuration mistakes, and if a provider is slow to apply security patches, your intellectual property could be at risk.
4. Formalize the process of requesting permission to access data or applications. This applies to your own internal systems and to the services that require you to put your data into the cloud.
5. Monitor all network activity and log all unusual activity. In most cases, you should deploy intrusion-detection technology. Although your cloud services provider may enable you to monitor activities in its environment, you should have an independent view, with copies of the relevant logs under your own control. This is especially important for compliance.
6. Log all user activity and program activity and analyze it for unexpected behavior.
7. Encrypt, up to the point of use, all valuable data that needs extra protection.
8. Regularly check the network for vulnerabilities in all software exposed to the Internet or to any external users.
If you think these steps are easy, you don’t know how complex it is to implement all these rules across a large network. Very few networks come close to this level of protection. When you evaluate a cloud provider, this list will give insight into how sophisticated the provider is.
Point solutions usually cover specific vulnerabilities:
✓ Firewalls protect the internal network from the Internet.
✓ Antivirus software protects individual computers against known viruses.
✓ VPNs protect external connections coming into the network.
Such products reduce the risk of specific threats, but aren’t an integrated
approach to IT security. Right now, that approach doesn’t exist outside the
realm of government organizations such as the National Security Agency,
and it may not exist inside such organizations, either. As the cloud services
market matures, successful vendors will have to provide this type of
comprehensive approach.
But some important products can make a significant contribution to building
an integrated IT security platform. They come in three categories:
✓ Identity management
✓ Detection and forensics
✓ Data encryption
We discuss these products separately in the following sections.
Implementing Identity Management
Identity management is a very broad topic that applies to most areas of the data center. However, it’s particularly important in protecting the cloud environment. Because the cloud is about sharing and virtualizing physical resources across many internal (and often external) users, you must know who has access to what services.
Identity management’s primary goal is managing personal identity information so that access to computer resources, applications, data, and services is controlled properly. Identity management is one of the few areas of IT security that offers genuine benefits beyond reducing the risk of security breaches.
Benefits of identity management
Identity management helps prevent security breaches and plays a significant role in helping your company meet IT security compliance regulations. The benefits of keeping your customer or company financial data safe from unauthorized access can be huge.
In addition, you reap many benefits from identity management every day, not just during a major threat.
✓ Improved user productivity: Productivity improvement comes from simplifying the sign-on interface (see “Single sign-on,” later in this chapter) and the ability to quickly change access rights. Productivity is likely to improve further where you provide user self-service.
✓ Improved customer and partner service: Customers and partners also benefit from a more streamlined, secure process when accessing applications and data.
✓ Reduced help desk costs: IT help desks typically experience fewer calls about forgotten passwords when an identity management process is implemented.
✓ Reduced IT costs: Identity management enables automatic provisioning: providing or revoking users’ access rights to systems and applications. Provisioning happens whether you automate it or not. When provisioning is manual, normally it’s carried out by members of the IT operational staff or departmental staff. Considerable time and cost savings are possible when you automate the process (see “Provisioning,” later in this chapter).
After you grasp the basics of identity management, you need to understand the special conditions needed for the cloud. Because the cloud is a highly distributed environment, identity management needs to be federated for you to benefit from the process. Federated identity management lets people keep the same identification across different applications, services, and networks of different companies: your own identity system vouches for a user, and the other party’s systems trust that assertion instead of keeping a separate set of passwords.
This eliminates some of the boundaries to access for your employees, customers, and partners so they can use the applications and information from multiple environments (including the cloud).
Aspects of identity management
In this section, we cover the various aspects of an identity management program.
Corralling the data
Identity data generally is scattered around systems. Establish a common database or directory as a first step in gaining control of this information. This step involves inputting data to and gathering data from various user directories.
Integrating
An identity management system must integrate effectively with other applications. In particular, the system must have a direct interface to the following:
✓ Human resources system, where new joiners and leavers are first recorded
✓ Supply-chain systems, if partners and suppliers use corporate systems
✓ Customer databases (if customers require access to some systems), although customer identity management normally is handled by a separate component of an identity management system
Beefing up authentication
When you require authentication stronger than passwords, the identity management system must work with products that provide that authentication, such as biometric systems (fingerprints, handprints, iris verification, and the like) and identity token systems (a one-time code generated by a hardware or software token, used in addition to the password).
Provisioning
When you link all systems that use identity information, you can automate provisioning. If this process is automated, a single status change (of an employee or anyone else with access rights) can be defined in the identity management system and sent across all affected systems from that point.
When provisioning is automated, users rarely (or never) get more access than necessary. Providing broad levels of access happens frequently in manual provisioning because it’s easier to specify broad access. Additionally, an automated process revokes a former employee’s access everywhere as soon as the status change is recorded, which is exactly the step that manual processes tend to miss.
Single sign-on
Single sign-on means providing all users an interface that validates identity as soon as a user signs on anywhere; this interface requires the user to enter a single password. Thereafter, all systems should know the user and her permissions. Because that one credential now opens everything, single sign-on belongs with the stronger authentication described under “Beefing up authentication,” earlier in this chapter, not with a weak password.
Some single sign-on products don’t provide the full gamut of identity management capabilities, but most identity management products deliver single sign-on capability.
Instead of being assigned to individuals, permissions are often assigned to roles (accounts clerk, sales assistant, programmer, and so on). Therefore, single sign-on also means capturing information about the administration hierarchy. Single sign-on naturally goes with portal technology, with the user having a Web-based initial interface that provides access to all applications that he’s entitled to access. Thus, single sign-on may need to interface with a portal product.
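To make the provisioning and role-based permission ideas above concrete, here is an added example (not code from the book, and not any particular identity management product): a scheduled reconciliation that computes, from a single HR-fed identity list and a role-to-entitlement map, what every system, including a cloud SaaS application, should hold, and emits the grants and revokes needed to get there. The HR feed, role map, system names and current state are all constructed for the illustration.

```python
"""Role-based provisioning driven by a single identity source of truth (illustration)."""
from dataclasses import dataclass

# Entitlements each role needs in each system, including a cloud SaaS
# application ("cloud-crm") that lives outside the company's own data center.
ROLE_ENTITLEMENTS = {
    "accounts-clerk": {"erp": {"ledger:read", "invoice:post"}, "cloud-crm": {"contacts:read"}},
    "sales-assistant": {"cloud-crm": {"contacts:read", "contacts:write"}},
    "programmer": {"git": {"repo:push"}, "cloud-ci": {"pipeline:run"}},
}


@dataclass
class Identity:
    user: str
    status: str        # "active" or "leaver", as recorded by HR
    roles: frozenset


# The HR feed is the only place a status change is made (constructed data).
HR_FEED = [
    Identity("alice", "active", frozenset({"accounts-clerk"})),
    Identity("bob", "leaver", frozenset({"programmer"})),          # left last week
    Identity("carol", "active", frozenset({"sales-assistant"})),   # started today
]

# What each system actually holds now (constructed). Drift has crept in: bob still
# has access after leaving, alice was hand-granted a broad admin right, and carol
# has not been set up anywhere yet.
CURRENT_STATE = {
    "erp": {"alice": {"ledger:read", "invoice:post", "ledger:admin"}},
    "cloud-crm": {"alice": {"contacts:read"}},
    "git": {"bob": {"repo:push"}},
    "cloud-ci": {"bob": {"pipeline:run"}},
}


def desired_state(identities):
    """Compute the entitlements every system should hold, from roles alone."""
    desired = {}
    for ident in identities:
        if ident.status != "active":
            continue  # a leaver is entitled to nothing, in every system
        for role in ident.roles:
            for system, perms in ROLE_ENTITLEMENTS[role].items():
                desired.setdefault(system, {}).setdefault(ident.user, set()).update(perms)
    return desired


def reconcile(desired, current):
    """Return the (verb, system, user, permission) actions that move current to desired."""
    actions = []
    for system in sorted(set(desired) | set(current)):
        want_by_user = desired.get(system, {})
        have_by_user = current.get(system, {})
        for user in sorted(set(want_by_user) | set(have_by_user)):
            want = want_by_user.get(user, set())
            have = have_by_user.get(user, set())
            actions += [("grant", system, user, p) for p in sorted(want - have)]
            actions += [("revoke", system, user, p) for p in sorted(have - want)]
    return actions


def apply_actions(actions, current):
    """Push the actions to each system (here: mutate the in-memory state)."""
    for verb, system, user, perm in actions:
        perms = current.setdefault(system, {}).setdefault(user, set())
        if verb == "grant":
            perms.add(perm)
        else:
            perms.discard(perm)
    return current


def offboard(identities, user):
    """The single status change that an HR leaver record represents."""
    return [Identity(i.user, "leaver", i.roles) if i.user == user else i for i in identities]


def provisioning_run(identities=HR_FEED, current=CURRENT_STATE):
    """One scheduled run: compute, apply, then confirm nothing is left over."""
    state = {s: {u: set(p) for u, p in users.items()} for s, users in current.items()}
    actions = reconcile(desired_state(identities), state)
    apply_actions(actions, state)
    leftover = reconcile(desired_state(identities), state)
    return actions, leftover


if __name__ == "__main__":
    for action in provisioning_run()[0]:
        print(*action)
```

Run it and the output lists five actions: the leaver loses his two remaining entitlements, the new joiner is set up, and the hand-granted admin right is pulled back, with nothing done for anyone whose access already matches their role. The same run after `offboard(HR_FEED, "alice")` revokes all four of her entitlements across two systems from one status change, which is the behaviour the text attributes to automated provisioning.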
Security administration
Identity management reduces security administration costs because security
administrators don’t have to manually authorize; the identity management
system handles that workflow automatically.
The automatic ID management handling is particularly useful for organizations
that have distributed security administration over several locations because it
enables security administration to be centralized.
Analyzing data
After you centralize all user data, you can generate useful reports on
resource and application use or carry out security audits. For example:
✓ If you’re having problems with internal hacking, you can check a log that lists every user’s activity (see the following section).
✓ If you have logging software for databases and files, you can monitor who
did what to any item of data and when, including who looked at specific
items of data. This audit capability is important for implementing data
privacy and data protection compliance.
Playing Detective: Detection and Forensics
In this section, we discuss three specific groups of IT security products:
✓ Activity logs
✓ Host-based intrusion protection systems and network-based intrusion
protection systems
✓ Data audit
No one — intruder or legitimate user — should be able to use the preceding
resources without leaving evidence. You want to detect any illegitimate activity
as soon as it happens, but in many situations, you can’t separate the legitimate
from the illegitimate. If you don’t detect an attack while it’s happening, at least
you have a record of what took place.
Activity logs
Many logging capabilities are included in operating systems, applications, databases, and devices such as hardware firewalls and network monitors. It costs to invoke logging capabilities: Turning on logging requires the system to write log records constantly, and it also involves managing and archiving such data until it’s no longer needed.
Log files often provide some evidence of how fraud was perpetrated, however. Perpetrators of digital fraud often escape justice simply because the victim doesn’t have sufficient evidence to prove what they did.
HIPS and NIPS
Companies that would like to see a cloud service provider take over their internal platform and infrastructure services need to take a careful look at infrastructure protection.
Host-based intrusion protection systems (HIPS) and network-based intrusion protection systems (NIPS) are two halves of one idea: a HIPS runs on an individual server and watches what happens on that machine, while a NIPS sits on the network and watches the traffic between machines. Together they are a collection of capabilities that make it tough to penetrate a network without being noticed.
HIPS and NIPS can include the following elements:
✓ System and log-file monitors: This software looks for traces of hackers in log files. The monitors can watch login accounts, for example, and issue alerts when account permissions change, which is often an indication that something untoward is going on.
✓ Network intrusion-detection systems (NIDS): These security programs monitor data packets that travel through a network, looking for any telltale signs of hacker activity. The effectiveness of a NIDS depends on whether it can sort real dangers from harmless threats and from legitimate activity. An ineffective NIDS raises too many false alarms and, thus, wastes time.
✓ Digital deception software: This software deliberately misleads anyone who’s attempting to attack the IT network. It can range from the simple spoofing of various service names to setting up traps known as honeypots or honeynets. (For more information, see the nearby sidebar “Fooling attackers by spoofing.”)
Setting security traps is unusual and can be expensive. It’s normally done by government sites or by companies that suspect digital industrial espionage.
✓ White-listing software: This software inventories valid executable programs running on a computer and prevents any other executables from running. White-listing severely hampers hackers, because even if they access a computer, they can’t upload their own software to run on it. White-listing software reports on any attempt to run unauthenticated software. It also stops most viruses and other malware stone dead, as long as they arrive as a new executable; it does little against an attacker who misuses a program that is already on the allowed list.
✓ Unified threat management: This central function takes information from all the preceding components and identifies threats by analyzing the combined information.
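The first bullet above (watching login accounts and alerting on permission changes) and the warning that a noisy detector wastes time are easy to show in code. The following is an added example, not from the book or from any product: three small rules run over constructed key=value audit lines. The hosts, users and addresses are invented, and the line format stands in for whatever your own systems and your cloud provider actually emit.

```python
"""Log-file monitoring: a few detection rules run over constructed audit events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. One line per event; key=value fields after the timestamp.
SAMPLE_LOG = """\
2024-05-02T09:15:01Z host=web1 event=login user=alice src=10.0.0.5 result=success
2024-05-02T09:16:10Z host=web1 event=login user=alice src=10.0.0.5 result=success
2024-05-02T09:20:00Z host=db1 event=login user=svc_backup src=10.0.0.9 result=success
2024-05-02T09:30:02Z host=web1 event=login user=admin src=203.0.113.7 result=failure
2024-05-02T09:30:03Z host=web1 event=login user=admin src=203.0.113.7 result=failure
2024-05-02T09:30:05Z host=web1 event=login user=root src=203.0.113.7 result=failure
2024-05-02T09:30:06Z host=web1 event=login user=alice src=203.0.113.7 result=failure
2024-05-02T09:30:08Z host=web1 event=login user=bob src=203.0.113.7 result=failure
2024-05-02T09:41:00Z host=db1 event=perm_change target=bob old=staff new=dba by=bob
2024-05-02T10:02:00Z host=db1 event=perm_change target=dave old=staff new=staff,reports by=carol
2024-05-02T10:05:00Z host=db1 event=login user=bob src=198.51.100.4 result=success
"""

# Baseline of source addresses each user has logged in from before (constructed).
KNOWN_SOURCES = {"alice": {"10.0.0.5"}, "svc_backup": {"10.0.0.9"}, "bob": {"10.0.0.12"}}

SEVERITY_RANK = {"high": 0, "medium": 1}


def parse_log(text):
    """Turn each line into a dict; the timestamp becomes a timezone-aware datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        event = dict(token.split("=", 1) for token in rest.split())
        event["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(event)
    return events


def permission_change_alerts(events):
    """Every permission change is worth a look; a self-granted one is worse."""
    alerts = []
    for e in events:
        if e["event"] != "perm_change":
            continue
        severity = "high" if e["by"] == e["target"] else "medium"
        alerts.append((severity, "permission_change", e["target"], f"{e['old']} -> {e['new']} by {e['by']}"))
    return alerts


def brute_force_alerts(events, threshold=5, window=timedelta(seconds=120)):
    """Many failed logins from one source in a short window: one alert per source.

    The threshold and window are what keep this rule from crying wolf over a
    user who mistypes a password twice.
    """
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "login" and e["result"] == "failure":
            failures[e["src"]].append(e["ts"])
    alerts = []
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(("high", "brute_force", src,
                               f"{end - start + 1} failed logins within {window.seconds}s"))
                break
    return alerts


def unknown_source_alerts(events, known_sources):
    """A successful login from an address this user has never used before."""
    return [("medium", "login_unknown_source", e["user"], e["src"])
            for e in events
            if e["event"] == "login" and e["result"] == "success"
            and e["src"] not in known_sources.get(e["user"], set())]


def analyze(log_text=SAMPLE_LOG, known_sources=KNOWN_SOURCES):
    """Run all rules and return the alerts, most severe first."""
    events = parse_log(log_text)
    alerts = (permission_change_alerts(events)
              + brute_force_alerts(events)
              + unknown_source_alerts(events, known_sources))
    return sorted(alerts, key=lambda a: (SEVERITY_RANK[a[0]], a[1], a[2]))


if __name__ == "__main__":
    for severity, rule, subject, detail in analyze():
        print(f"[{severity}] {rule}: {subject} ({detail})")
```

On the sample data this raises four alerts and nothing for alice’s routine logins: the password-guessing run from 203.0.113.7, bob granting himself the dba role, bob’s subsequent login from an address he has never used, and carol’s change to dave’s rights (real, but lower priority because someone else made it). Raising the brute-force threshold above the number of failures seen silences that rule, which is the knob to turn when the rule fires on legitimate activity.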
Fooling attackers by spoofing
As a technical IT term, spoofing means pretending to be something else. In a so-called phishing attack, a false Web site pretends to be a genuine one. A phishing Web site might pretend to be a bank’s Web site, for example, and try to tempt users to reveal their financial details. It’s possible to spoof email addresses and, under some circumstances, Internet protocol (IP) addresses, but mounting an attack this way is difficult because a computer responds directly to the real address rather than to the spoofed address.
When you use spoofing as a defense, your aim is to confuse attacking software. Hackers use scanning and fingerprinting tools to look for servers running specific versions of, say, Microsoft Windows. If you set the operating system to give out false information, which is easy enough to do, that false information confuses the attacking software into passing on by. Honeypots work by spoofing, too. They pretend to be vulnerable servers and thereby trick attackers into revealing details on where they’re attacking from.
Data audit
Although databases do log the name of the individual who changed data,
they normally don’t log who read any piece of data. But read data is easily
stolen. If you plan on storing data in a cloud environment, you must address
this issue.
Enthusiasm for filling this gap increased considerably after the Sarbanes-Oxley
legislation was enacted in 2002, specifically demanding that financial data be
secured from unauthorized eyes. Consequently, a series of software products
that log who looks at what quickly came into existence. These products gener-
ally are referred to as data audit products.
Encrypting Data
The IT world has a whole set of encryption techniques that, used correctly, can be regarded as safe for practical purposes. Thus, you can encrypt data and ensure that only the intended recipient can decrypt it. The hard part is not the mathematics but the keys: whoever can reach the decryption key can reach the data, so key storage and key handling deserve as much attention as the choice of cipher.
You could encrypt everything. You could encrypt data when you write it to disc, when you send it down a wire, when you send it through the air by radio, and so on. Encrypting everything in a comprehensive way considerably reduces your exposure to data theft. Hackers can’t read or quietly doctor log files they can’t decrypt, which makes covering their tracks harder (encryption alone doesn’t stop them deleting logs, though; copying logs to a system they can’t reach does).
Encryption poses a performance penalty, so be sure to focus encryption on
specific data that needs protection.
Think about how you use encryption. A fairly recent case of data theft included
data that was encrypted until it was delivered to the application that needed
to use it. At that point, the data was decrypted for use — and that’s exactly
where the hacker struck. The loss could have been prevented if the receiving
application itself had controlled the decryption on a record-by-record basis.
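Here is an added example of the record-by-record pattern the paragraph above recommends (not code from the book): each record is sealed with its own nonce and integrity tag, and the application that serves lookups is written two ways, one that decrypts the whole delivery on arrival and one that decrypts only the record being used. The cipher inside is a standard-library-only stand-in (an HMAC-SHA256 keystream with an encrypt-then-MAC tag) so the example runs anywhere; a production system would use a vetted authenticated cipher such as AES-GCM. The records and master key are constructed for the illustration.

```python
"""Per-record sealing with decryption deferred to the point of use (illustration)."""
import hashlib
import hmac
import json
import os

# Constructed sample delivery: the identifier stays in the clear as a lookup key,
# the sensitive fields are what gets sealed. The key is a demo value, not a real one.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "card": "4111111111111111", "limit": 5000},
    {"customer_id": "C-1002", "card": "5500000000000004", "limit": 12000},
    {"customer_id": "C-1003", "card": "340000000000009", "limit": 800},
]
MASTER_KEY = hashlib.sha256(b"demo master key - not for real use").digest()

# The cipher below is a stdlib-only stand-in (HMAC-SHA256 keystream, encrypt-then-MAC).
# Production code should use a vetted AEAD such as AES-GCM; the per-record design is the same.


def derive_keys(master):
    """Independent encryption and MAC keys from one master key."""
    enc = hmac.new(master, b"record-encryption", hashlib.sha256).digest()
    mac = hmac.new(master, b"record-integrity", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_record(master, record):
    """Seal one record under a fresh nonce; the tag covers nonce and ciphertext."""
    enc_key, mac_key = derive_keys(master)
    nonce = os.urandom(16)
    plaintext = json.dumps(record, sort_keys=True).encode()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt_record(master, sealed):
    """Verify the tag first; a tampered record is rejected, never decrypted."""
    enc_key, mac_key = derive_keys(master)
    nonce, ct, tag = (bytes.fromhex(sealed[k]) for k in ("nonce", "ct", "tag"))
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("record integrity check failed")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct)))))


class BulkDecryptStore:
    """The pattern behind the theft described above: decrypt everything on arrival
    and hold every record in the clear for as long as the application runs."""

    def __init__(self, master, sealed_by_id):
        self.plaintext = {cid: decrypt_record(master, s) for cid, s in sealed_by_id.items()}
        self.decrypt_calls = len(self.plaintext)

    def lookup(self, customer_id):
        return self.plaintext[customer_id]


class PointOfUseStore:
    """Keep records sealed; decrypt one record only when it is actually used."""

    def __init__(self, master, sealed_by_id):
        self._master, self._sealed, self.decrypt_calls = master, dict(sealed_by_id), 0

    def lookup(self, customer_id):
        self.decrypt_calls += 1
        return decrypt_record(self._master, self._sealed[customer_id])


def demo(records=SAMPLE_RECORDS, master=MASTER_KEY):
    """Serve one lookup each way and report how much had to be exposed to do it."""
    sealed_by_id = {r["customer_id"]: encrypt_record(master, r) for r in records}
    bulk = BulkDecryptStore(master, sealed_by_id)
    point_of_use = PointOfUseStore(master, sealed_by_id)
    consistent = bulk.lookup("C-1002") == point_of_use.lookup("C-1002")
    tampered = dict(sealed_by_id["C-1001"])     # flip one ciphertext byte
    ct = bytearray.fromhex(tampered["ct"])
    ct[0] ^= 0x01
    tampered["ct"] = ct.hex()
    try:
        decrypt_record(master, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"lookup_consistent": consistent, "bulk_decrypts": bulk.decrypt_calls,
            "point_of_use_decrypts": point_of_use.decrypt_calls, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo())
```

Both stores answer the same lookup, but the bulk store had to decrypt all three records (and keeps them all in memory) to answer one question, whereas the point-of-use store decrypted exactly one. An attacker who lands on the bulk-decrypting host gets the whole delivery; on the other host, only what is in use at that instant, and only while it is in use. The tag check shows the other half of the contract: a record altered in storage is refused rather than decrypted into garbage.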
Because of the complexities it adds, encryption is used less frequently than
perhaps it should be. The media have covered many cases of stolen laptops
containing valuable data — including military secrets. Those thefts wouldn’t
have been problems if all the data on those laptops had been encrypted
properly.
Data encryption becomes even more important when using cloud services.
But keep in mind that your company is still responsible for the quality and
integrity of your information.
Creating a Cloud Security Strategy
This book isn’t Cloud Security For Dummies, so we won’t go into creating a comprehensive security strategy. We do want to provide some pointers, though:
✓ In most circumstances, approach cloud security from a risk-management perspective. If your organization has risk-management specialists, involve them in cloud security planning.
✓ IT security monitoring has no simple key performance indicators, but be aware of what similar organizations spend on IT security. It also makes sense to keep track of time lost due to any kind of attack, a useful measurement of cost that you may be able to reduce over time.
✓ You need identity management for many reasons, and identity management offers many benefits. Give priority to improving identity management if your current capability is poor.
✓ Try to create general awareness of security risks by educating and warning staff members about specific dangers. It is easy to become complacent, especially if you’re using a cloud service provider. However, threats come from within and from outside the organization.
✓ Regularly have external IT security consultants check your company’s IT security policy and IT network and the policies and practices of all your cloud service providers.
✓ Determine specific IT security policies for change management and patch management, and make sure that policies are well understood by your service management staff and by your cloud service provider.
✓ Stay abreast of news about IT security breaches in other companies and the causes of those breaches.
✓ Review backup and disaster-recovery systems in light of IT security. Apart from anything else, IT security breaches can require complete application recovery.
When a security breach occurs on a specific computer, the applications running on that computer will likely have to be stopped. Consequently, security breaches can be the direct causes of service interruptions and can contribute to lower service levels. Also, data theft resulting from a security breach could result in a real or perceived breach of customers’ trust in your organization.
Security is a very complex area for both internal IT organizations as well as the cloud service providers. Many organizations will have hybrid environments that include public as well as private clouds. Internal systems will be connected to cloud environments. New frontiers add complexity and risk.
Chapter 16
Governing the Cloud
In This Chapter
▶ Defining governance inside the cloud
▶ Knowing what governance to expect for your provider
▶ Knowing the risks of monitoring inside the cloud
▶ Making cloud governance work
When you move a workload to the cloud, there is a good chance, depending on the kind of workload, that you’re no longer responsible for the care and feeding of that workload. You might move email or archived data to a storage cloud, for example. Wait! You turned over control of your assets to the cloud provider, but you’re still ultimately responsible for their well-being. In other words, make sure that your assets are managed in a way that meets your business objectives.
This is where governance comes in.
At the end of the day, governance is about making good decisions regarding
performance predictability and requiring accountability. This is the case
whether you’re governing your own data center or thinking about the cloud.
We know there must be a myriad of questions in your head about governing
in the cloud: How do I make sure that the other guy is following my rules and
policies? When does it matter if he doesn’t follow my rules? What’s the role
of trust in this situation?
An overarching principle behind governance is trust. All parties involved in the cloud (you, the cloud provider, and other service providers) must be able to trust that each party will do what it’s supposed to in accordance with established policies and procedures. Think about what would happen without these policies and procedures; the cloud environment might be chaos, which isn’t appealing.
In this chapter, we cover the ins and outs of cloud governance, including
understanding the risks.
Looking at IT Governance
At its most basic, governance is about applying policies relating to using services.
It’s about defining the organizing principles and rules that determine how an
organization should behave.
Did you know that the word governance derives from the Latin word for
“steering”? It is important to have a steering process because, well, it helps
to make sure that you stay on the road!
Before diving in, take a step back and look at the IT governance process in general because many of the same principles are relevant to the cloud environment. IT manages a complex infrastructure of hardware, data, storage, and software environments. The data center is designed to use all assets efficiently while guaranteeing a certain service level to the customer. A data center has teams of people responsible for managing everything from the overall facility to workloads, hardware, data, software, and network infrastructure.
In addition to the data center itself, your organization may have remote facilities with technology that depends on the data center. IT management has long-established processes for managing and monitoring individual IT components, which is good.
IT governance does the following:
✓ Ensures that IT assets (systems, processes, and so on) are implemented
and used according to agreed-upon policies and procedures.
✓ Ensures that these assets are properly controlled and maintained.
✓ Ensures that these assets are providing value to the organization
(actually supporting your organization’s strategy and business goals).
IT governance, therefore, has to include the techniques and policies that
measure and control how systems are managed. However, IT doesn’t stand
alone in the governance process. In order for governance to be effective,
it needs to be holistic. It is as much about organizational issues and how
people work together to achieve business goals as it is about any technology.
Therefore, the best kind of governance occurs when IT and the business are
working together.
Governance defines who is responsible for what and who is allowed to take
action to fix whatever needs fixing. Governance also sets down what policies
people are responsible for and puts in place means to determine whether
the responsible person or group has, in fact, acted responsibly and done the
right thing.
A critical part of governance is establishing organizational relationships
between business and IT, as well as defining how people will work together
across organizational boundaries.
How does IT governance typically work? IT governance usually involves
establishing a board made up of business and IT representatives. The board
creates rules and processes that the organization must follow to ensure that
policies are being met. This might include
✓ Understanding business issues such as regulatory requirements or
funding for development
✓ Establishing best practices and monitoring these processes
✓ Responsibility for things like programming standards, proper design,
reviewing, certifying, and monitoring applications from a technical
perspective, and so on
A simple example of IT governance in action is making sure that IT is meeting its obligations in terms of computing uptime. This uptime obligation is negotiated between the business and IT, based on the criticality of the application to the business.
Deciding on a Governor
Cloud governance is a shared responsibility between the user of cloud services and the cloud provider. Understanding the boundaries of responsibilities and defining an appropriate governance strategy within your organization require careful balance. You must consider many factors, ranging from the performance levels of the IT environment’s components to the key performance indicators (KPIs) that measure the effectiveness of your business processes. Your governance strategy needs to reflect the mix of IT services provided by your internal data center, as well as private and public clouds.
Cloud governance requires governing your own infrastructure as well as infrastructure that you don’t totally control. For example, your organization must monitor performance across all components in a way that reflects the overall impact of all IT performance on the business. You may not have as much insight into the cloud environment, which could create challenges when you need to satisfy governance requirements.
Here are two examples of how governance may become more complicated when you add cloud services into your IT environment.
Imagining a scenario
Say that you move some of your processing to the cloud and expect to get
the same uptime that you had in your data center. You rely on your cloud
provider for the availability of virtualized servers. Chances are, however, that
you don’t have a good view into that environment.
What do you need to be concerned about from a governance perspective?
✓ Can you enforce this same availability policy with your cloud provider?
✓ Will your cloud provider have tools that allow you to monitor whether
service targets are being met?
✓ Your cloud provider may be meeting predefined service levels, but will
the provider communicate this information to you?
Imagining another scenario
You’re developing a new application on a cloud provider’s platform. You
expect a certain set of services to be available; in fact, you’re planning
your development around it.
What are some of the potential issues in this scenario?
✓ Does your cloud provider have a service registry or catalog that enables
you to have good visibility into the management and availability of
services?
✓ Will the services you want be available in the service catalog when you
need them?
✓ Does your cloud provider have a policy for enforcing the service you
want to be maintained and available in the service catalog?
Knowing the Risks of Running in the Cloud
IT governance is tightly woven with business goals and policies to ensure
that services are optimized for customer expectations. Because IT and
business goals are tightly woven in a governance strategy, we think it is
important for you to also look at cloud governance from a holistic business
perspective.
Your governance strategy needs to be supported in two key ways:
✓ Understanding the compliance and risk measures the business must follow: What does your business require to meet IT, corporate, industry, and government requirements? For example, can your business share data across country lines? These requirements need to be supported through technical controls, automation, and strict governance of processes, data, and workflows.
✓ Understanding the performance goals of the business: You may measure your business performance in terms of sales revenue, profitability, stock price, quality of product or service provided, and time to delivery. Your cloud provider must be able to support service delivery to optimize business performance.
Look at each of these in a bit more detail.
Understanding risk
Each industry has a set of governance principles based on its regulatory and
competitive environment and its view of risk. There are different levels of
risk. For example, in certain companies, information cannot be shared across
international boundaries. In financial services, certain data practices need to
be followed. In software development, there are risks associated with getting
the product out in the market on time. The healthcare industry has patient
privacy concerns.
For example, suppose you have a corporate policy that states that no data
from a credit card system can be used by the company’s marketing analysis
systems. If the CIO later discovers, for example, that this information has
been used by the system, the business is put at risk and IT governance has
failed. Others besides the CIO needed to know that this information was not
to be used by marketing because of privacy concerns.
Deducing IT risk
In the heterogeneous IT environment, IT needs to juggle various tasks: meet-
ing customer expectations, optimizing business goals, recognizing resource
constraints, and adhering to rules and requirements. The cloud can further
complicate this juggling act because it is yet another resource that IT is
responsible for. This means that the governing body is responsible for over-
seeing the provider relationship.
Of course, the level of involvement and risk around governance might vary
with how your organization is using the cloud. For example, the cloud can be
used in the following ways, each of which you must evaluate — separately —
to determine the level of governance that your company feels comfortable with:
✓ For temporary computing power
✓ As a SaaS model
✓ As a platform to build a service
Risk list
Consider these risks as you move into the cloud:
✓ Audit and compliance risks including issues around data jurisdiction,
data access control, and maintaining an audit trail.
✓ Security risks including data integrity, data confidentiality, and privacy.
✓ Information risks (outside of security), including protection of
intellectual property.
✓ Performance and availability risks, including availability and
performance levels that your business requires to successfully operate. This
includes alerts, notifications, and provider business continuity plans.
Along with this, does the provider have forensic information in case
something does go wrong?
✓ Interoperability risks, which are associated with developing a service
that might be composed of multiple services. Will the infrastructure
continue supporting your service? What if one of the services that
you’re using changes? What policies are in place to ensure that you’ll
be notified of a change?
✓ Contract risks associated with not reading between the lines of your
contract. For example, who owns your data in the cloud? If the service
goes down, how will you be compensated? What happens if the provider
goes out of business?
✓ Billing risks associated with ensuring that you’re billed correctly and
only for the resources you consume.
Remember when we said that governance was all about trust? Well, the reality
is that, if you move into the cloud, you need to trust the cloud provider and
every other provider that the cloud provider is working with. Currently, there
are no professional standards or laws related to cloud computing.
The importance of managing risk can’t be emphasized enough; unlike internal
IT governance, where all parties work for the same legal entity, the cloud
relationship is with an external provider, and governance agreements need to
be contractually stated.
Chapter 16: Governing the Cloud 193
Measuring and monitoring performance
Measuring performance as a means to help improve performance is a
concept that is well understood by competitive athletes. Imagine the countless
hours spent during training measuring, recording, and monitoring changes
in time and distance. But what if the runner were taking steroids? Was she in
compliance? Clearly, even if all other measurements were positive, breaking
the rules changes everything.
How does this example apply to cloud governance?
Although measuring and monitoring may help you improve performance, that
performance is irrelevant if you don’t follow the company’s governance rules.
Measurement methods
You can measure business performance by comparing production, sales,
revenue, stock price, and customer satisfaction with your goals. You can
measure IT performance by comparing server, application, and network uptime;
service resolution time; budgets; and project completion dates with your
goals. Businesses use all these measures to rate their performance compared
with that of competitors and the expectations of customers, partners, and
shareholders.
In cloud computing, you need to measure the impact of IT performance on the
business that, by definition, now includes the performance of the cloud provider.
Of course, your own internal governance committee needs to answer the
following questions to get started:
✓ How can IT performance measures support the business?
✓ What should management measure and monitor to ensure successful IT
governance?
✓ Can customers get responses to requests in the expected amount
of time?
✓ Is customer transaction data safe from unauthorized access?
✓ Can management get the right information at the right time?
✓ Can IT demonstrate to business management that your organization can
recover from anticipated outages without damaging customer loyalty?
✓ Can your company monitor systems proactively so you can make
repairs before faulty services affect rules and regulations?
✓ Can you justify your IT investments to business management?
Making Governance Work
We believe that effective cloud management is accomplished partly through
people and processes, and partly through technology. It’s really a three-part
solution:
✓ Your organization needs a governance body to deal with cloud issues
(this can be your existing governance board, if you like) and processes
to work with the business around these issues. This board should have
oversight and collaborate with the business (it should include business
members as well) around cloud issues that directly impact your
organization. It can also develop best practices for managing cloud environments.
✓ The cloud needs governance bodies that deal with standardization
of services and other shared infrastructure issues. Your organization
needs some sort of interface to this group. Your level of involvement
depends on your level of involvement in the cloud.
✓ Your organization needs technology that helps you automatically
monitor what happens in the cloud.
Establishing your governance body
You need your own group of people who understand your business to deal
with the business of the cloud. This governance board might consist of
representatives of corporate, departmental, and IT management to help encourage
communication — the kind necessary to link IT management and the business.
This board may also create other groups responsible for different aspects of
governance. For example, it might create a group that needs to understand
cloud standards, or it may leverage an IT security group.
Of course, an important part of this governance structure will be a group of
individuals who actually deal with the cloud providers to negotiate terms and
conditions and to be the point group(s) for managing the cloud provider(s).
This governing body should be ongoing, with authority across the enterprise
and with a mechanism for communicating business objectives and changes
to IT management. Ideally, it will have executive-level endorsement to make
its job easier.
Monitoring and measuring IT service performance
In addition to interacting with your cloud provider(s), you must also monitor
what these cloud providers are doing. Depending on the situation, this may
mean investing in technology that sees into cloud operations.
Many companies use a dashboard, which is an interface that holds the
different services and shows how your performance measures up to your
goals. This dashboard also needs to include information from the cloud. Quite
a few emerging vendors provide tools that enable companies to monitor their
cloud providers.
Monitoring can help answer questions like these:
✓ What are we aiming for?
✓ What are our KPIs?
✓ How are we performing according to our established KPIs?
✓ How does our performance compare with last week’s or last year’s?
✓ Are rules and processes implemented correctly?
✓ Does each service meet technical standards?
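To make the KPI comparison concrete, here is an added example (not from the book) that scores constructed health-probe records for a hypothetical cloud service against hypothetical availability and latency targets, and against the previous period's results; all names, records and target values are assumptions.

```python
"""Score cloud-provider probe records against governance KPIs (added example)."""
import math
from dataclasses import dataclass, field

# Constructed sample data for a hypothetical provider service.
# Each record: (interval, http_status, response_ms); status 503 means the probe failed.
THIS_WEEK = [(0, 200, 120), (1, 200, 140), (2, 503, 0), (3, 200, 160),
             (4, 200, 900), (5, 200, 130), (6, 200, 150), (7, 200, 145)]
LAST_WEEK = [(0, 200, 110), (1, 200, 115), (2, 200, 118), (3, 200, 119),
             (4, 200, 120), (5, 200, 122), (6, 200, 125), (7, 200, 130)]

# Hypothetical KPI targets as they would be recorded in the service catalog.
KPI = {"availability_pct": 99.0, "p95_ms": 500}


@dataclass
class KpiReport:
    availability_pct: float
    p95_ms: float
    drift_pct: float              # availability change versus the previous period
    breaches: list = field(default_factory=list)


def percentile(values, pct):
    """Nearest-rank percentile: smallest value with at least pct% of samples at or below it."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100.0 * len(ordered)))
    return ordered[rank - 1]


def summarize(records):
    """Availability (share of successful probes) and p95 latency of successful probes."""
    ok = [r for r in records if 200 <= r[1] < 400]
    availability = 100.0 * len(ok) / len(records)
    return availability, percentile([r[2] for r in ok], 95)


def evaluate(current, previous, kpi=KPI):
    """Compare this period to the KPI targets and to the previous period."""
    avail, p95 = summarize(current)
    prev_avail, _ = summarize(previous)
    report = KpiReport(avail, p95, avail - prev_avail)
    if avail < kpi["availability_pct"]:
        report.breaches.append(f"availability {avail:.2f}% below target {kpi['availability_pct']}%")
    if p95 > kpi["p95_ms"]:
        report.breaches.append(f"p95 latency {p95:.0f} ms above target {kpi['p95_ms']} ms")
    return report


if __name__ == "__main__":
    print(evaluate(THIS_WEEK, LAST_WEEK))
```

Each breach string is what a governance dashboard would raise as an alert, and the drift figure answers the "compared with last week" question directly.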
Cataloging control and compliance data
Many organizations use a service catalog as a record of IT services. This
should be extended to the cloud. The catalog can include information such as
✓ Whom to contact about a service
✓ Who has authority to change the service
✓ Which critical applications are related to the service
✓ Outages or other incidents related to the service
✓ Information about the relationships among services
✓ Documentation of all agreements between IT and the customer/service user