How to assess if a cloud application model is right for your organisation?
28 July 2020 | Shivani Jariwala
As I discussed in an earlier blog, Cloud Security Governance Considerations for Organisations, it's critical to understand security governance considerations and recommendations. In today's blog, I'll discuss how you can determine whether a particular cloud model is right for your organisation. One size does not fit all, and in some cases one size doesn't even fit an entire organisation.
To highlight this, a recent Equinox survey conducted in 2019 – 2020 found that nearly half of IT decision-makers around the world are planning to move to a multi-cloud architecture. Many organisations understand that a single public or private cloud will not serve all business needs. Unfortunately, fewer than one in five businesses are currently deploying across multiple clouds.
Forty-nine percent of IT decision-makers surveyed globally see perceived cybersecurity risks around cloud adoption as a considerable threat to their business – in the UAE, this number stands at 58%. The reasons behind these concerns are broad, spanning numerous areas, many of which are major reasons for cloud migrations failing, such as:
In fact, 74% of IT decision-makers surveyed moved an application back from the cloud to their internal on-premises infrastructure due to performance or security issues. This can have a significant impact on the organisation: disruption of critical and essential services, considerable cost variance and project delays, and, most importantly, eroded stakeholder confidence and support.
Before you go ahead with your cloud migration, ensure critical decisions have been reviewed and agreed upon at an organisational level—considerations around cloud strategy, cloud policy, data classification, handling policy and guidelines, and more. The business case must be evaluated and justified for the business, IT, and operations.
First, a security assessment must be conducted throughout each project phase, from initiation, design and implementation, through post-production, support and maintenance. While the approach remains the same, the assessment criteria differ depending on the stage of the project.
Second, the assessment is a shared activity, conducted using the responses received from business leaders, operations, IT and the cloud service provider.
I'll focus this blog on the evaluation at the initiation phase, utilising a phase-wise approach.
The information asset to be processed and stored by the cloud application must be identified and evaluated to determine its classification and criticality. The business process must also be assessed to understand its criticality and availability requirements.
Several aspects need to be considered, such as the following:
This is where the key decision is evaluated: whether a specific business process can be migrated to the cloud, or should be left on and maintained by your internal infrastructure. When a process is migrated, a decision on the level of control must be made, specifying which aspects are to be kept in-house.
The evaluation is based on the responses received for components within the business context, the application layers and the security/privacy context (shown below). The scores are weighted according to the organisational cloud policy, data sovereignty requirements and risk appetite for each component. Results are calculated, and an analytical decision is derived from them.
In this stage, the cloud service provider and the proposed cloud application or model are evaluated against the essential compliance requirements of the organisation. Things like the objective of the assessment, the decision framework and UAE cybersecurity requirements will be analysed. Other aspects that are evaluated, such as architecture, encryption, availability, data sovereignty and data privacy, will vary because they depend on the stage of the project. Several industry standards, such as the CSA Cloud Controls Matrix (CCM), the Consensus Assessments Initiative Questionnaire (CAIQ) and ISO 27017, provide good guidelines for assessing cloud applications and cloud service providers. Responses that are not fully compliant will need to be documented and assessed for risk.
A useful analysis technique in this phase is the development of organisation-specific impact criteria. Impact criteria should, at a minimum, include financial, productivity, business availability, tangible losses, physical security, life, health and safety, non-compliance fines, and legal penalties and reputational loss.
Risk mitigation – reduction, acceptance or transfer – will also depend on the organisational risk tolerance threshold. If a risk is out of tolerance against the impact criteria developed previously, the risk is added to the risk register, and a plan of action for the next step or response can be determined. This step in the risk management process often requires further analysis of the risk factors to establish a practical course of action or a cost justification for a remediation plan.
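The weighted per-component scoring and the tolerance check feeding the risk register, as an added illustration that is not the post's own tool; the 1–5 rating scale, the "worst rating" rule, the component weights and the tolerance value are all assumptions for the example.

```python
# Added example, not from the original post: weighted cloud-suitability scoring
# per assessment component, with out-of-tolerance risks pushed to a risk register.
from dataclasses import dataclass

# Impact criteria named in the post, each rated 1 (negligible) to 5 (severe)
# from stakeholder responses. The 1..5 scale is an assumption.
IMPACT_CRITERIA = ("financial", "productivity", "availability", "tangible_loss",
                   "physical_security", "health_safety", "fines", "legal", "reputation")

@dataclass
class Component:
    name: str        # business context / application layers / security & privacy
    responses: dict  # criterion -> rating 1..5 (an unanswered criterion counts as 1)
    weight: float    # set from cloud policy, data sovereignty rules and risk appetite

def component_risk(c: Component) -> float:
    """Weighted risk of moving this component: weight x worst criterion rating.
    The worst rating is used (assumed design choice) so that a single severe
    health/safety or legal rating cannot be averaged away by low ratings elsewhere."""
    worst = max(c.responses.get(k, 1) for k in IMPACT_CRITERIA)
    return c.weight * worst

def assess(components, tolerance):
    """Apply the risk tolerance threshold per component. Components over tolerance
    go to the risk register for a reduce/accept/transfer decision by the risk owner;
    the returned decision says whether the whole process can move to the cloud."""
    register = [{"component": c.name, "risk": component_risk(c),
                 "treatment": "TBD: reduce / accept / transfer", "owner": "TBD"}
                for c in components if component_risk(c) > tolerance]
    if not register:
        decision = "migrate"
    elif len(register) < len(components):
        decision = "hybrid: keep out-of-tolerance components in-house"
    else:
        decision = "retain on-premises"
    return decision, register

def example():
    # Constructed sample responses for one business process (not survey data).
    comps = [
        Component("business context", {"financial": 3, "productivity": 2}, 1.0),
        Component("application layers", {"availability": 4}, 1.0),
        # Sovereignty-sensitive data: policy raises the weight of this component.
        Component("security/privacy", {"legal": 5, "reputation": 4}, 1.5),
    ]
    return assess(comps, tolerance=6.0)

if __name__ == "__main__":
    print(example())
```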
Upon completion of the above phase, the residual risk must be presented to management, including the risk owners, and a decision made on cloud adoption.
Responsibility for security must be shared throughout the organisation. A critical success factor for the assessment is to ensure that all stakeholders, including business, IT, security and the cloud service provider, take part in the assessment and in acting on the eventual findings and remediations.
Security must also be addressed from the beginning of the project and continue to be evaluated throughout the project, even after its completion. This will ensure the organisation proactively manages its network and cloud environments, rather than putting out fires as they arise after deploying new technologies.