Authors: Dean Fantham, Partner and CTO and Sean Deuby, Senior Architect
February 2, 2017
Choosing a cloud service provider is simple, right? After all, there are only a few major players left in the market, right? Before you make any quick decisions and start making a list as you might for an on-premises solution, it’s worth thinking about how your relationship with a cloud service provider differs from a traditional solution provider. With a traditional on-premises product, your and your staff’s old job was to design, deploy, and then maintain the solution yourself. When you subscribe to a cloud service, the bulk of your work will be in configuration, managing continuous changes, and monitoring the service.
Software products vs. partner services
The fundamental difference between a traditional on-premises software provider and a cloud service provider is hidden right in the names: the former is a software relationship with a product, while the latter is a service relationship with a partner.
In a software relationship, the software vendor provides the software to do with as you see fit. The vendor is important, but it’s the product that counts. You can fully deploy the product or leave it shrink-wrapped in its original boxes (when it came in boxes). You can design the solution architecture yourself or pay experienced consultants to design it for you. You usually have complete control over the environment the product is deployed in because it’s your data center.
In a service relationship, you cede almost all these choices and their commensurate responsibilities to the cloud service provider. As a result, you’re far more dependent upon a cloud service provider than you were on a software vendor (even while the subscription model makes relationships easier to begin and end). Though the product – in this case the service – remains important, the relationship with the cloud service provider is critical.
Why are your relationship with, and trust in, a cloud service provider so important? Unlike buying a software product from a traditional ISV, with a cloud service provider you aren’t merely buying the set of static features and functions they have today. You are selecting a partner on the premise that they will evolve fast enough, with you, to address your future needs. By the time you’re ready to take advantage of a capability, it’s likely that a good cloud service provider already has it. This points out a lesson that many IT executives haven’t learned: the technology is the easy part. The hard parts are the change management, business process, and cultural impacts associated with the new technology.
As a CISO you are no longer deploying products and tools to patch holes or address risk. Rather, you are now managing your risk and security model, mapping this to your service provider’s capabilities backlog and feature rollouts, dealing with change management, and ensuring that your application teams have the correct security and risk solutions integrated into their DevOps (CI/CD) pipelines.
Have a strategy and framework
When looking at cloud service providers it’s important to have both a strategy and a framework that clarifies the details of your strategy. This framework will allow you to map your security requirements and regulations onto a cloud service provider’s controls and configurations, which you can then measure and manage continuously moving forward. It will also point out when you need to look elsewhere to fill capability gaps.
For example, a strategy may be to move your identity management from a collection of disparate, interconnected systems to a few cloud services. But you also need a framework that will show you a complete set of capabilities in this area, such as provisioning, or attestation through access reviews. This framework will point out capabilities that you don’t have and perhaps haven’t thought of, but should be looking at. It will also allow you to assign a priority to each capability, and thus an order in which they can be addressed. Not every IAM capability can or should be top priority.
Different pieces of your cloud solution may require different capabilities. For real-time or inline security controls and operations (such as threat detection and risk-based, adaptive authentication) you need a large-scale provider with large teams and data sets to provide the best results. The best providers now analyze terabytes of data daily, and use multiple machine learning functions to constantly create new, dynamic rules in response to evolving threats. However, out-of-band controls and management processes (such as GRC controls and processes) can be performed by more specialized providers where their features and functions make sense.
Strong identity is more important than ever. Cloud computing has driven a shift from a “networks and servers that have users” computing model to a “users and data that have devices” model. Because network perimeters and servers are now buried in the cloud service, identity processes are now significantly more important to your security posture than they were in your data center. As a result, the cloud service provider’s identity model should be a key consideration.
Don’t forget the unstructured data. Before you can allow your users to begin creating, storing, and sharing documents in the cloud, you must have controls in place to prevent data leakage. And of course, the cloud service provider must have those controls available before you can use them.
Explore using multiple cloud service providers in targeted areas to provide resiliency against failure. If your company can spread risk across multiple cloud service providers – for example hosting Active Directory VMs in several different IaaS providers – you’ll have provided some insulation against “biblical” scale cloud service failures. Components and standardized interfaces (so you can move things around) are important to achieve this.
Choosing a cloud service provider may seem to be a simple process, but you need to examine a vendor’s offering in different ways than you have in the past. Look to see whether their path and yours converge, whether they have a track record and a set of capabilities that your organization can grow into, and whether they offer the identity model and controls that will be a critical part of protecting your assets in the future.