Thinking Smartly About Cloud Computing
Survey Analysis: Taking a Deliberate Approach in Executing Cloud Use
CSC's Sam Visner sees organizations, in growing numbers, thinking more intelligently about cloud computing, its security and architecture. Yet, he says, they're being very deliberate in their approach in adopting cloud computing.
"While everybody is very interested in the kind of economy the cloud provides, the kind of cost savings the cloud can give us, people are proceeding carefully and incrementally," says Visner, vice president and cyber lead executive at the IT and business solutions provider, analyzing Information Security Media Group's 2012 Cloud Security Survey, which CSC sponsored.
"They're prepared to put some things in the cloud, but they're not prepared to put everything into the cloud, quite yet. For if they are prepared, they're going to be looking for third-party attestation and they're going to move in a very deliberate way."
In the interview, Visner also discusses how organizations can assuage their concerns about protecting data on the cloud. He offers three ways to best address the security concerns of diverse organizations and help them gain the wide variety of benefits cloud computing furnishes:
- Cloud providers must take a rigorous approach to cloud cybersecurity;
- IT professionals in general, and CIOs in particular, need to be informed about the controls necessary to protect their operations and the providers' approach to meeting those controls;
- Organizations need to have in place a long-term strategy that encompasses using the cloud incrementally.
As CSC's lead cyber executive, Visner is responsible for the development of CSC's cyber position, intellectual capital, market development and delivery of cybersecurity services. He served as a member of the Defense Science Board Intelligence Task Force supporting the under secretary of defense for intelligence and is an associate of the National Intelligence Council supporting the director of national intelligence.
Visner previously served as a senior vice president at SAIC and as a consultant to the president's Commission on Intelligence Capabilities of the United States Regarding Weapons of Mass Destruction.
He holds a master's degree in telecommunications from George Washington University and a bachelor's degree in international politics from Georgetown University, where he teaches as an adjunct professor.
INFORMATION SECURITY MEDIA GROUP: First off, what struck you most about the survey's findings?
SAM VISNER: A couple of things about the survey I think are very interesting that struck me. First, it seems to me that the people who responded are thinking very intelligently about cloud, cybersecurity and about the cybersecurity of cloud architectures. They're being very deliberate, and by that I mean if you take a look at the results, the results break down very carefully in terms of what people are prepared to put into the cloud and where people still have some concerns that have to be addressed. There's a very careful and I think increasingly well-informed discussion and that discussion is evidenced in the survey results.
Secondly, it appears that while everybody's very interested in the kind of economies that cloud provides, the kinds of cost savings that cloud can give us, people are proceeding carefully and incrementally. They're prepared to put some things in the cloud, but they're not prepared to put everything in the cloud quite yet, or if they're prepared they're going to be looking for third-party attestation and they're going to move in a very deliberate way.
The third thing that strikes me, however, is that even over a similar survey done about a year and a half or two years ago, some basic concerns persist. What has changed, however, is the extent to which those concerns are being offset by, what I think people believe as, things that can be done to address those concerns such as third-party attestation or an incremental and deliberate approach to implementation. A couple of years ago we didn't see those approaches as much in evidence, and now we really do.
ISMG: As you point out in an article you wrote about the survey, which can be found in the webinar that was based on the survey, nearly one-third of survey respondents indicate their organizations had not employed any cloud architecture whatsoever, despite the powerful lure of cloud's economic model. What do you make of this?
VISNER: I think there are several things. First, the economic model doesn't automatically come into effect. There are models today that don't require a lot of CapEx and I think those who are thinking of cloud have a number of choices. One reason they may not have acquired cloud architecture is that they're still doing a trade as to which of the various architectures make the most sense. But in addition, depending on the kind of security that they believe they require - whether or not they're safeguarding financial services information, credit card information or key intellectual property - they may not yet be prepared to put that kind of information in the cloud.
One of the things that really struck me is that there are specific concerns that attach to very specific kinds of data. For example, 54 percent of respondents said that they were worried about credit card data and 51 percent said that they were very concerned about key intellectual property. If a client's principal need for cloud relates to those areas, they would be perhaps more concerned and less prepared to go forward. On the other hand, for those who are looking at enterprise applications like, for example, e-mail or enterprise database applications where the data's not necessarily more sensitive than it would be in other cases, then we see a higher adoption rate.
Here are the things that we saw. If you take a look, applications hosting, 34 percent said they're ready to go right now. The same thing for e-mail and messaging and data storage - about a third are ready to go right now. Collaboration software - about 25 percent are ready to go right now. All told, therefore, a lot of organizations have a lot of reasons to go. What I think is interesting [is] it's not that roughly a third are reluctant but about two-thirds of the respondents are ready to go right now or in fact have started to, and as I said earlier, are being incremental. They're not doing it all, but they're starting. Even as they start down the path, they're going to hold off on some things until they feel that security architecture and third-party attestation have come up to speed, and they're coming up to speed.
ISMG: According to the survey, protecting data on the cloud remains a primary concern of organizations. Yet as you point out, organizations have a long way to go to allay this concern. How can concerns of data protection be assuaged?
VISNER: A couple of things can be done. First, I think that those who are acquiring cloud ought to be [as] informed as possible. They ought to become smart buyers and that means they need to ask, "What requirements do I have? How sensitive is the information? How valuable is the information? What would happen if I lost it?" They ought to ask, "What's the track record of the cloud provider?" They ought to interview the cloud provider and ask, "What security features have you made evident in the architecture of that particular cloud?" If third-party attestation is a concern, they ought to ask, "Who's doing the third-party attestation," and find out what that attestation looks like. If there are specific standards, for example, in the federal government, FISMA moderate, they ought to ask what FISMA moderate controls have been met by this design. It's detailed work but it's very straightforward, and if they do this work and they are straightforward about it they can allay a number of these concerns.
If on the other hand they're rushing into the acquisition of cloud architecture or cloud services based entirely on the economic model and they haven't been given the opportunity inside of their organization to ask, "What's the value of my information? What information is most at risk? What cloud architecture might I be selecting? Has that cloud architecture met the various design controls of FISMA or some other applicable standard?" then they have reason to be concerned and they shouldn't move. But I think the right questions are now available to them, and I think if they ask those questions they can address some of those concerns.
ISMG: In your article you ask, "How can we best address the security concerns of diverse organizations and help them gain the wide variety of benefits all provided in the cloud?" Then you write, "Here are some things to keep in mind." Let's explore more deeply about each of the three items you point out. First, "Cloud providers must take a rigorous approach to cloud security."
VISNER: I absolutely do believe this. I think that cloud offers a great opportunity to get security right from the get-go. If one is re-engineering an organization and re-engineering an organization's infrastructure around cloud, it's more than cost savings that are important. You can do other things. You may be able to enable better business process services and better collaboration. Cloud might give you an environment for big data that you wouldn't ordinarily have.
There are reasons for adopting cloud that go beyond cost savings. Security might be one of them as well. The assumption that you're better off keeping valuable information on a laptop or keeping valuable information out of the cloud and on a thumb drive doesn't necessarily appear to me to be correct. But if on the other hand you're going to entrust a lot of your key corporate intellectual property and information in the cloud, having good security engineering's important. Ask the tough questions. Was security engineering part of the cloud design? Who did the security engineering? What standard was employed? What are the controls associated with those standards? Show me how you met those standards and you closed on those controls. That's what I mean by being rigorous. Be rigorous in the questions you ask and insist that the cloud architect and cloud provider's equally as rigorous in how they answer those questions.
ISMG: Second, "IT professionals in general and CIOs in particular need to be informed about the controls necessary to protect their operations and the provider's approach to meeting those controls."
VISNER: I think that's particularly important today. Not every security standard is applicable to everything, but I think it's important to realize that there are security standards that may be applicable in ways that are not expected. For example, the fact that some information is public doesn't mean that it doesn't need to be safeguarded. The integrity of public information relating to financial markets or climate data may be public but we still have to be able to trust it. We have to know where it comes from. We have to know that it was generated correctly. We have to know that it hasn't been altered. That's an area in which we ought to know, "Are there security controls necessary to safeguarding even public data?"
If we're going to be operating in the law enforcement space, there are standards associated with law enforcement data. If we're going to be operating in the space where we're dealing with national security information, there are standards related to the Federal Information Security Management Act - FISMA - and we ought to know what the controls are related to that. The financial services industry has very rigorous standards, so if one's thinking of employing cloud, ask, "What are the standards that are appropriate to my industry? Have those standards been kept current? Do I know what they are and has my cloud provider addressed those standards in the design?"
As I said before, this is straightforward and I think the onus is not only on the provider to demonstrate that they've paid attention, but buyers have to be informed buyers. The fact that cloud can be implemented easily doesn't mean that the decision to buy cloud ought to be a simple decision. It ought to be done in a sophisticated way. People ought to be very well-informed consumers.
ISMG: Third, "Organizations need to have in place a long-term strategy that encompasses using the cloud incrementally."
VISNER: I think that's particularly important. Here's the reason why I say that. Cybersecurity issues are going to persist for a while. This is not a problem we're going to solve all at once. The threat landscape changes all the time. New threat actors emerge - different nation states, non-nation-state actors, cyber criminals and hacktivists - all the time. In addition, the threats that they're able to develop and to present change all the time. So we're not going to have a cloud solution that will secure cloud architecture in perpetuity. You need a cloud architecture that can be secured incrementally, that can keep up with changes in the threat landscape, some of which may be difficult to anticipate.
In addition, we may change the requirements for cloud architecture. Today, the cloud architecture that we ask for might do e-mail and collaboration. Tomorrow the cloud architecture might be used to improve a global supply chain or a manufacturing base. Next week that cloud architecture might even be extended into embedded systems, industrial control systems used to control the factory or control industrial processes. It's important to think about a cloud as something that has to evolve, and one question I would ask a cloud provider is, "Do you have a path to build your cloud capabilities and to improve security as new requirements are presented?"
And I ask the cloud to do new things. That means that we have to be able to do this over time. The best way to do it is to have both a strategic road map for the use of information technology, including cloud, as well as what we call an enterprise security road map which is a strategic document that says over time, as new requirements are presented, this is how we address them, and over time as new threats are presented this is how we mitigate them as opposed to trying to do it all at once. And since resources are always going to be limited and requirements will always outstrip resources, trying to anticipate some of the things strategically and lay in resources that can be employed not all at once up front, but over time in a rational and more modest pace, that's what makes sense. That's why we use the term enterprise security road map.
ISMG: Finally, do you have any closing thoughts?
VISNER: Cloud represents a powerful new set of opportunities for information technology, but beyond that I think it represents new and powerful opportunities for business. It does more than make IT cheaper or make IT easier to own. Done right, it can create a better environment for big data. Done right, it can extend IT all the way out to the edge. It can extend IT all the way into mobile devices and it can allow us to do things in information technology in the future that we don't really get to do today. It can allow us to build better online collaboration, better global supply chains. It could even be used for national security operations.
I think the U.S. Defense Advanced Research Projects Agency is exploring how cloud can be used all the way out to embedded military systems. If we can do that, think of what we can do in transportation systems, financial systems, manufacturing systems and the manufacturing of chemicals or research for pharmaceuticals. We can go all the way out to the edge of an enterprise, but if we do so it's going to present some tough security challenges because just as we go all the way out to the enterprise, that makes the information that we're manipulating more valuable because we can use it for a wider range of things.
If that information is more valuable, it's likely to be more targeted. If it's more targeted, it's more at risk. Cloud provides an unprecedented opportunity for information technology to add value, and as it does it provides an unprecedented opportunity for others to try to threaten that value by impairing our cybersecurity, stealing our information and damaging our systems. That's why I think the adoption of cloud and the application of cybersecurity should go hand-in-hand and that the strategic approach should encompass coupling those two things together explicitly right at the beginning and at every step.