ARN

Roundtable: Security Guide for the Cloud - right here, right now

The cloud 'security strategy' involves adopting security solutions that seamlessly span physical, virtual and private/hybrid/public cloud environments while simplifying operational and management complexities. Roundtable attendees got down to business, discussing the 'practical steps', issues and opportunities involved in securing the cloud environment. Jennifer O'Brien reports.

JO: With IT infrastructures becoming complex and the growing interest in cloud computing, let’s discuss the specific steps involved in moving customers towards the cloud?

ROLF JESTER (RJ): I’d like to start with the big picture because when we say the cloud it means an enormous number of things. We define it as a series of services that includes everything from business process services that are delivered via the cloud: payroll services, advertising (and the vast bulk of the money spent today is on those two functions), as well as application services, platform services, and infrastructure services. We’re either implicitly talking about applications, services delivered via the cloud or about infrastructure services for a lot of this delivered via the cloud.

JO: Is security still the number one challenge or hindrance for customers?

RJ: Yes, if you use it very generically. Mostly what they’re actually worried about is data, data sovereignty. Where is my data physically located and is it in my country, is it in my state, in my city, can I wrap my arms around it? That may be a legal concern, regulatory concern or it may just be purely a visceral, emotional concern.

LOUIS ABDILLA (LA): When you’re talking about state government we’ve talked to some councils recently and whenever the data has to be within Australia it has to be within the state itself, so if you want NSW council you have to have the data stored in New South Wales, so I thought that is quite important.

CAM WAYLAND (CW): We’re working with a couple of hosting (datacentre) companies at the moment who want to channelise their product, create cloud as a SKU or virtual service as a SKU and one of these companies was not doing anything until they built another datacentre in Victoria because they realised their presence of where they are currently located would prevent them from being able to offer a complete solution because of exactly that point. When they have done that then they will look into the rest of their processes to decide that they’re then ready to go to the market with a product.

AHMED LATIF (AL): It’s really interesting how every state is coming up with their own recommendation. The privacy commissioner of Victoria, Helen Versey, came out today and said that they cannot guarantee anything that resides outside of Victoria. That’s really a limited view of the opportunity that cloud gives customers. She has also warned that the cost of improving security, and guaranteeing the security, far outweighs the benefits of the services, so it’s a real interesting time between our industry and people coming out in a government situation and government department.

CW: And it’s often the case that the IT industry is way ahead of the legislative framework – the legislative framework is trying to play catch-up all the time regardless of whether it’s one state just staking their claim or whether it’s a state that doesn’t want to be outdone by another state.

RJ: I’ve become aware that, in fact, legislation and regulation may specify that certain pieces of data have to reside in certain places whether it’s customer data, or maybe employee data, but it’s typically a small subset of all the data that companies keep. And that brings us to a conversation about government structures and, in general, the issues surrounding IT architecture that then flow from that. It may bring us back to a discipline that has sort of fallen into abeyance with many organisations which is information architecture and information management and an understanding of what needs to be protected to what level, what needs to reside in a particular location and what doesn’t. When people begin to look at that more sensibly with less emotion maybe they will realise that the problem is much smaller than they currently think.

JOHN DONOVAN (JD): The actual philosophy hasn’t changed much since the early days of general IT security which is the level of security that we apply to certain assets. It doesn’t have to be 100 per cent for everything to maintain the network. At what point should organisations start considering security as part of their shift from a private datacentre into a virtualised datacentre, or private cloud and then bursting through from a hybrid model into public? It should be at the very beginning. It shouldn’t be seen as something that gets added to the cloud infrastructure or architecture once you’ve actually put that to bed. It forms an indelible part of what should be considered at the point you’re going through the discovery process, answering ‘what assets do I want to virtualise and what servers do I want to virtualise and how do they manage those workloads that go through from a private environment and bursting into a public environment?’ The question is, ‘What is the process people go through?’ It’s the same as their understanding about how they apply security to different assets. It’s understanding what assets they have, what they want to do with them and then what does their cloud look like? It’s not ‘the cloud’, it’s actually ‘their cloud’. More organisations are starting to understand what they have available is an environment, an architectural process that helps them better apply a degree of agility and cost control to how they want to build their own clouds rather than having it dictated to them - and the same applies to security policy controls and infrastructure.

RICHARD METCALFE (RM): Dimension Data’s approach for the last few years has been around governance, risk and compliance and I don’t see that changing with regards to cloud - just like I don’t see it changing in regards to mobility or virtualisation or any other business initiative. Security needs to be built into the fabric of those decisions. The three core elements we work with our customers around are: ‘What are your governance requirements? What governance is mandated by the board, by the business?’ Secondly it is around compliance, so the things that we have to do whether that’s internal or external. The third element, which is the area from a cloud perspective that we need the most rework, is around the risk. We’ve seen some incidents over the last few months and number of years around organisational compromise. As security professionals we haven’t done a great job of taking the jargon out of security and helping elevate the conversation to the board and to the business levels to demystify all of this to help articulate what is the impact, what is the risk to the business as certain incidents occur? Once the risk is understood then the cloud decisions around what are we going to put in the cloud, how can we leverage the cloud with virtualisation becomes a given. Security needs to be enabling that process rather than being the preventative block to it exactly like it is with mobility and all the other business initiatives.

JD: It’s putting the power back in the hands of the customers who are dictating, and not the suppliers saying, ‘This is what we can give you,’ but the customer saying, ‘This is what I want and this is what I want you to build, and if you can’t do it I’ll find someone who can.’ I’m confident we’re able to architect the solutions that the customer is looking for, but they possibly don’t know what to ask for yet.

LIONG ENG (LE): It’s about education. Cloud computing is the new terminology that people are using, but we’ve been providing similar sorts of services for years under a different term. When you go out and talk to a company, big or small, and you’re dealing with them about cloud services and talking about security, a lot of them don’t understand what’s involved. We have to assure them that when you put up cloud services within your organisation you educate them on dealing with the secure access by people through the web to the server. The traditional method of doing security (applying to the physical server) is long gone. The key here is to put education to these people and make them aware of the new way of dealing with security. We should be all talking about compliance. With regards to cloud services educate customers how you’re going to apply those services in a constant manner and in a user-friendly and performance manner that you can manage it well. I think Trend, in my opinion, has got the solution there.

DAVID HIGGINS (DH): It’s an education process mainly because the world has changed with virtualisation - how we used to do it, legacy security, doesn’t cut it anymore. That’s not something you can bolt on. We need to be talking to the person who owns that infrastructure whether it’s moving to virtualisation, whether it’s moving into the cloud - somebody other than the security manager owns it and has the KPIs around that. What we need to do is talk to those people and educate them that security has changed. The way you used to do it is not going to cut it anymore. There are other ways to do it and I think there is still an education process because security gets bolted on later, and once you move your data interstate, offshore or wherever your old ways of doing it just won’t work anymore.

JD: What is the level of capability within the partner community to be able to help end users understand the solutions?

MICHAEL COSTIGAN (MC): One of the things that we do as a solutions distributor globally and now we’re bringing this to Australia is education. We educate the partners at different junctions with our suppliers not only around the technology, but how do you position those with the end users, with the end user’s customers, and certain segments of the market? Right now we’re seeing growing demand in the SMB market. We have two practices. One called Virtual Path, which was launched with VMware that is all around virtualisation. Another practice called Secure Path which we do with Trend Micro in the US around securing those environments, but it’s all about educating the partners, enabling our valuable business partners on how they can go and do that with less investment for these guys. That’s the real challenge we see right now.

LE: There is another education process that needs to be done for the end user. The end user has heard a lot about cloud computing. They also know that it is unavoidable. One day they have to actually go and do it, but the key here is that the understanding on security (and looking at the content that can be located overseas) is tripping them up. More important is, how are you going to secure your environment to deliver that service to the end user? If they understand that from the partner’s point of view it’s a lot easier for us to go in and sell that solution to them.

CW: At an enterprise level I think that’s absolutely the case. There are great opportunities in what I call the greater SMB. The greater SMB up to the mid-market and the customers don’t understand security practices, what good security is in the non-virtualised world let alone when you’re actually going and adding a virtualised world on top of that in terms of the next level of complexity. The industry hasn’t yet got it right in terms of the customer understanding what they have to do, how they need to do it and demystifying security to the point where these are things that you absolutely need to do and these are the things that are nice to have, and depending upon your business these are the things that you potentially should be thinking about regardless of whether it’s physical or then virtual. As you go to the cloud that’s where people start to get more and more scared off because they don’t understand what the cloud is about, let alone the security aspects of that.

JD: Who are their trusted advisors? Who do they go to and say, ‘I trust you to help me understand this better, not necessarily to architect the solution, but someone I trust?’

CW: That’s where I draw the difference between the greater SMB market and the enterprise. In enterprise, they’ve got their internal resources that can do the research, roll it out and can use their muscle to work with and partner with the vendors, the distributors and to create the solution. But as you’re a smaller organisation you don’t have that same degree of resources, knowledge internally and you have to rely on your partner. You hope that the partner you’ve chosen has the depth to have a security practice, to have a virtualisation practice and chosen the right vendors to be able to work with who can bring it all together.

MC: A lot of our partners who operate in what we call the SMB market space, they’re coming to us and they’re asking, ‘What is the cloud all about?’ They read all the hype, heard all the hype. Practically, what solutions can they go out to customers with? The feedback they’re getting from customers is, ‘We don’t want to have four or five servers in the background, we don’t want to have three or four IT people running this stuff, we want to have some applications that work, we don’t care what they are, how they work, as long as they come into work in the morning, and they’ve got accounting, billing, as long as it all works for me.’ They come and ask, ‘Can you provide that right now’, so our role as a distributor is to be a link with the suppliers and grab those best of breed solutions from the suppliers, VMware, Trend Micro, other key suppliers, and bundle those up and aggregate those services to the partners, so they can offer that solution to their customers. That’s the role that we see us as a distributor playing.

CW: How many of your partners have the ability to be able to do that today?

MC: We have great partners like Klikon Solutions and Corporate Express who have all the skills. So we have the larger partners who are very skilled technically and from the sales point, right down to our smaller partners, who look to us to provide that service for them.

DAVID ABOUHAIDAR (DA): So is itX/Avnet building the cloud to sell, to provide a service for the end users and have your resellers resell that bit?

MC: Our vision for the cloud is to build or aggregate that service so we give that to you. So then you build it for the end user customer yourself and you can pick and choose key solutions from the vendors that complement that offering.

DA: Who runs the service, the management of that whole structure?

MC: That will reside with you, the business partner. You guys will go and deliver that, but then we aggregate from the suppliers.

RJ: So you might actually link up multiples of your partners - one being an infrastructure service provider, one being someone with a solution that they take to the end customer. Is that how you envisage it?

MC: What we envisage here is much like an app store down the track. So the partner can come in, click and ‘I need this, I need this and I need that’.

LA: In addition to the reseller aspect, I’m also thinking like an end user. I’ve been hit by the cloud given the recent security breach with Sony PlayStation. I’ve never ever had any of my information compromised in my life, but it has been now, with my credit card and my address. The details of two million people in Australia have been leaked. It has happened because it was a cloud service. I think it should be a hybrid solution. I think important information such as customer information and financial information should be stored locally on a network, not up in the cloud. I believe the cloud is a pot of gold if you can’t break into it. If you think people can’t break into a cloud that’s not true because in a lot of ways it will happen, maybe by human error. It could be from patching a server. It could be from the wrong policy, but whatever it is, it will be from human error and that cloud will be vulnerable. So the way we like to represent to our customers is telling them, ‘Put information in the cloud that you think isn’t so sensitive to your network or to your company and the rest is probably a good idea to keep it in your own network for now.’

RM: Breaches will always occur to one degree or another. As an organisation you need to take appropriate steps to reduce the frequency and the impact of those breaches. Most breaches are caused through not being configured correctly —they typically have the right security control in place, it’s just not configured correctly or there has been a human error or a patching error. The same security principles apply regardless of where the information is actually stored. Once organisations get their head around that and once we’ve helped them come to terms with what those considerations are and focus on the risk element, it is actually the same discussion. It may involve new additions of engaging the legal team to understand what the penalties are that can apply if your cloud provider is breached and what recourse you have as an organisation.

MATTHEW SAINSBURY (MS): Do resellers need to have their own legal team to be able to advise around the legalities as we move towards the cloud?

RM: Never say never, especially with cloud virtualisation. One of the key points is there isn’t an agreed framework for cloud security. There are upwards of 20 different variations on security models for the cloud, but there isn’t a de facto cloud security standard like there is for the payment card industry. Whilst there isn’t that de facto standard there is always going to be a huge amount of grey area. As a partner, our role is to help customers perform those risk assessments on said cloud providers so the business can then make the right decision. You’re not going to mitigate every element of risk. You could never do that with any organisation regardless of what they are or what they’re trying to achieve, but our role should be around the ability to demonstrate strengths, weaknesses, pros, cons of various cloud providers’ security infrastructure. Security threats emerge and evolve continually. What is a cloud provider’s commitment to continually evolve and review their current security infrastructure and their processes and policies? Without that formal agreed framework it’s commensurate with the level of maturity that cloud provision is sitting at at the moment.

JD: How significantly different is that from the historical policy based security approach? This involves: What do my endpoints look like? What do my servers look like? What does my datacentre look like? Then you need an agreed policy in place for all of that and response times within an organisation. All you’re really doing is saying, ‘Okay I need to apply that outside of the organisation to a third party now because the way that we look at securing the infrastructure and securing the workloads - whether they’re virtual workloads or physical workloads in physical datacentres - the technology is there to do that.’ That is there. Trend and VMware have got a great relationship and are co-developing products and policy and compliance systems to handle workloads whether they’re in physical datacentres, private clouds, public clouds and beyond. It is not so different from how you would manage your general security portfolio anyway. For example, I want to do this therefore this is the policy level that I need to apply.

RM: The security principles remain the same, but there is a huge difference. There is often a significant difference between a security policy and security reality within organisations. It’s that risk assessment of once you understand the governance, risk and compliance obligations, how do you actually assess as an organisation or as a cloud provider what is the delta between your ideal state and where you are today? It’s that risk management piece to bring those two bars together, which is absolutely key. It’s absolutely right whether you talk about a customer’s own network or whether you’re talking about a cloud provider. With a cloud provider you don’t own that infrastructure, so how do you go about investigating it?

JD: How different is that to the proposition a while ago, which was basically security is not a core competency of most organisations, therefore outsource it to organisations that do have it through a security operations centre? From that perspective you are outsourcing the responsibility for building, managing, monitoring and reporting on your IT security infrastructure to an external organisation.

RJ: You can’t outsource the responsibility.

JD: When you’re outsourcing security management you’re outsourcing the responsibility to an external organisation.

RJ: But you’re still responsible. As the director of the business your head is still on the block. You may outsource it, but you still own the thing at the end of the day and what I’m really concerned about is while corporations (enterprise) do a halfway decent job of sorting all that out I’m very concerned that the information isn’t filtering down to SMBs. Are the SMBs getting what you’re saying? Do the partners that they deal with have the capabilities, sufficient critical mass of security expertise to apply? That’s my real concern.

DH: SMBs are the very people who will probably have the most to gain out of it because most of the small business guys I talk to say, ‘If I could just get rid of my IT and let somebody else do it, and the benefits the cloud gives them,’ but the security piece is still there.

CW: If it’s the reseller’s responsibility to educate the customer that means that you’ve got a higher cost of acquisition potentially for a cloud-based customer than a traditional, ‘Here is the physical infrastructure and go and do that.’

DA: Unless you want to go with a pure resell model, so you want to go with an HP or an IBM or with somebody that has got their own cloud that you can just tap into and resell their kit, but to me you’re not a cloud provider. You’re a cloud reseller.

LA: But there are big risks if you’re a provider.

DA: If we didn’t have a dedicated security division we wouldn’t even think about entering into the cloud.

RJ: So that raises the question of reselling the clouds. There are plenty of providers now out there with a channel model willing to sign you guys up as resellers. What do you think about that?

DA: It’s much less risk. The reward obviously is not as great. The ownership is on the provider as opposed to the reseller, so it all depends how you want to drive your business. If you’re just a pure procurement reseller who has got an opportunity to resell somebody’s cloud, I think it’s a fantastic option.

RJ: But if you’ve got a good relationship with the customer and you can keep that despite reselling somebody else’s service, you might think about it.

DA: It’s still annuity revenue to a certain degree. It’s not annuity revenue that you own. It’s not going to put that extra value onto your business.

LE: And also as a partner you lose that little bit of extra control because you’re basically now putting your business, channel your business to a hosted services provider that perhaps you don’t have a good relationship with.

JO: In helping organisations secure the fort, what are the steps involved in providing a secure infrastructure?

DH: The first thing we need to do is go and talk to the person who actually owns the infrastructure, whether it’s a datacentre, whether it’s private or whether it’s public. Whoever owns that project is the person we need to be talking to and we need to educate them on security because at the moment they’re looking for KPIs – the number of guests per host or whatever the delivery term is. But we need to educate them on the security side of it. Understand the security person and the infrastructure person aren’t necessarily going to agree. I don’t think going to the cloud in terms of security is more complex. It’s just different.