Key considerations for building a Trusted Cloud Framework


In a recent survey by Gartner the top barriers to businesses adopting Cloud centred on trust. This should hardly be surprising. The perception that Cloud is inherently insecure still colours the perspective of many business decision makers. This holds them back from embracing Cloud because of their (quite understandable) concerns about the security of information and systems once they are taken outside the enterprise. In fact, I firmly believe that Cloud can actually be more secure than it's given credit for if the right governance, controls, policies and infrastructure are correctly in place.


As is often the case, the issue is not so much with the technology itself but rather the persistence of serious questions and concerns about how the business ultimately uses cloud, as well as the people and processes that are built around it. Therefore, having the right governance in place is essential. As part of that endeavour, you must ensure that the appropriate checks and balances are soundly in place from an architectural and administrative perspective. No system is secure if it doesn't address such fundamental governance aspects as monitoring and reporting, enforcing policies, procedures and controls, and establishing roles and responsibilities for who is using the environment.


While governance is vitally important, a robust approach towards trust in the cloud should also consider business requirements for compliance, risk management, availability, integrity, confidentiality and privacy. Establishing such a trust framework may sound like a mammoth project, but such a methodology assures the organization's leaders that business requirements for trust can be consistently met, whether provided by the enterprise's own private cloud, or by service providers offering public cloud services to the business.


The irony over concerns around cloud security is that these days, businesses already have very little control over what their employees access and where and how. Gone are the days when the physical walls of a business held the same fortification and protection as the virtual ones. Tablets, smart phones and laptops mean that most employees are already freely accessing applications like email and CRM remotely and they have been for quite some time.


The crux of the problem with the term 'Cloud' is that it creates a sense of something fluffy, hard to navigate and difficult to control. In actuality, today's Cloud environments are anything but that. From a security perspective, private Clouds are often more secure than the current on-premise infrastructure because security can be built into the virtual environment from the ground up - starting from scratch. This means not having to bolt extra bits onto an already complicated structure. Therefore cloud can be easier to manage, much more scalable and more flexible.


You may recall the discussion in my last blog about mapping application workloads to the optimal cloud model based on economics, trust and functionality requirements. For a trusted computing environment, whether cloud-based or not, there are six sets of requirements you need to satisfy: compliance, governance, risk management, availability, integrity, and confidentiality/privacy.


For many organizations, trust requirements will vary by application, and by the sensitivity of the information handled by those applications. For example, e-mail and collaboration applications typically contain less sensitive information than applications containing customer information or company financial data, and thus should be treated differently. The nearby chart illustrates how trust criteria can vary by application.


[Chart: Workload Trust Requirements]


The key point to remember in all of this is that security is no longer about building barriers and erecting walls - it is about ensuring employees are empowered to work wherever and whenever they desire - in a secure manner. Being able to safely grant flexibility and agility to a workforce is in essence a prime way to also protect the business. This is as much about education as it is about bolstering security systems. You need to make sure employees understand the risks they face and know what the acceptable boundaries are. The very same principles apply to the Cloud when it comes to data protection. It's basically about weighing up risks and, dependent upon close evaluation, deciding which ones are worth taking and which aren't, given the potential impact that failure would have on the business.