The Clear Path to Cloud Security, Compliance, and Cost Control
8/12/2019 The Clear Path to Cloud Security, Compliance, and Cost Control
1/4
The Clear Path to Cloud Security, Compliance, and Cost Control
WHITEPAPER | VMWARE CLOUD CREDITS PROGRAM
With the help of the right tools and technologies, any business can address the risk
and budgeting complexity often associated with cloud computing.
Businesses are unquestionably excited about cloud
computing, but according to Ryan Hefele, they're
also more than a little concerned about security.
Hefele is a cloud security specialist at Mountain State
Networking Communications Inc., an IT integrator
based in Englewood, Colo. Companies love the
cloud's efficiency and flexibility, he says, but worry
about confidential information falling into the wrong
hands. "That's their biggest fear," Hefele states. "You
don't hear about an outage at a company on the
evening news, but you hear about security breaches."
Hefele's customers aren't the only ones with such
anxieties. Some 66 percent of IT decision makers
cite security concerns as a barrier to implementing a
cloud computing strategy, and 56 percent say they
won't fully embrace the cloud until they're more
confident in cloud service providers' ability to meet their
compliance requirements, according to a 2013 IDG
Enterprise cloud computing research study.
Sadly, those concerns are far from misplaced. For all
its game-changing power, cloud computing exposes
businesses to substantial security and compliance
concerns. Yet experts say any company can
capitalize on the cloud safely and cost-effectively if
it employs the right techniques, tools, and technologies.
Significant Risks
Well-managed cloud environments are as secure,
if not more so, than their on-premises equivalents.
Yet the cloud's potential dangers are legion just
the same. The Cloud Security Alliance, a Seattle,
Wash.-based not-for-profit, has assembled the most
serious potential risks into a list it calls the "notorious
nine." Some, like data breaches and malicious insider
attacks, are familiar perils that the cloud can make
even riskier, because cloud solutions are often hosted
off-site and managed by third parties. "You're losing
some of the security control that we've kind of gotten
used to having," notes Dave Shackleford, a Cloud
Security Alliance contributor who is also principal
consultant at Voodoo Security LLC, of Roswell, Ga.
Other members of the notorious nine are exclusive
to the cloud. For example, few of the application
programming interfaces that cloud vendors provide
to help customers manage and integrate online
resources have been carefully checked for security
flaws. "People are taking advantage of those APIs,
but nobody's really evaluating them from a software
perspective," Shackleford says. Also, most public
clouds are multitenant solutions in which many
companies share the same underlying resources.
Vulnerabilities introduced by any one of those firms
can potentially compromise the entire infrastructure.
Cloud computing can pose significant regulatory
compliance risks as well. For starters, some cloud
vendors can't provide all of the auditing and reporting
data that regulated businesses are often legally
required to collect. Furthermore, while anyone can
say their offerings meet a given law's standards,
some cloud providers offer so little visibility into their
infrastructure that verifying such assertions can be
difficult. This is the cloud's biggest compliance-related
headache, says Allen Shortnacy, alliances
partner architect for business development at cloud
and virtualization leader VMware Inc., of Palo Alto,
Calif. "How do you monitor a cloud operator's stack
closely enough to track everything they did and
confirm that you've met all of your legal
requirements?"
The cloud can also complicate IT budgeting. At
many companies, multiple business units are buying
services from multiple vendors, making it hard to
assemble a complete picture of cloud spending
patterns. Additionally, cloud vendors typically bill
in monthly, usage-based installments instead of
collecting big up-front payments. That helps companies
simplify cash flow management and reduce
capital expenditures, but also puts IT departments
with unused funds in an uncomfortable spot as the
fiscal year draws to a close. "You've got money that
you're authorized to spend, but can't use because
you can't pay your vendors in advance," Shortnacy
observes. Most IT leaders end up losing that money,
not only now but in future budgets as well.
So-called rogue cloud deployments, in which
business groups purchase cloud services without IT
involvement, neatly encapsulate many of the cloud's
security, compliance, and budgeting challenges.
According to Sam Cattle, security practice lead for
Southborough, Mass.-based consulting firm GlassHouse
Technologies Inc., most companies today
have rogue clouds, whether their IT leaders know
it or not. "It's massively common," he says. It's also
massively dangerous, because technicians can't
protect cloud-based data that they don't know about,
or include it in compliance processes. And since
business units often pay for rogue clouds with credit
cards, spending reports end up reflecting only part
of a company's total cloud outlays. "All of the internal
mechanisms for tracking what's going on with the
budget are sidestepped," Cattle states.
How VMware Can Help
For all its efficiency and power, cloud
computing also raises a host of complex security,
compliance, and budgeting challenges.
VMware has the software and partnerships to
make tackling those challenges easier.
VMware's vCloud Suite infrastructure solution is
the cornerstone of the company's cloud security
and compliance offerings. The industry's
only integrated end-to-end cloud platform,
vCloud Suite includes a rich set of sophisticated
firewall and gateway security services. It
also equips companies to divide a single cloud
environment into mixed modes of trust that
flexibly apply security policies in different ways
to different user populations and data types.
On the compliance side, vCloud Suite comes
with powerful data scanning functionality that
automatically identifies regulatory violations,
as well as robust management and reporting
capabilities that give IT managers the operational
visibility they need to verify that they're
meeting legal obligations.
Add in advanced functionality for provisioning,
networking, disaster recovery, and more, and
the result is a package that's hard to match.
"VMware has the most complete set of tools, the
most integrated set of tools, and basically the
best set of tools for cloud delivery," says Ryan
Hefele, of VMware Premier Solution Provider
Mountain State Networking Communications Inc.
Partners are another big part of how VMware
keeps companies secure and compliant. By
choosing VMware vCloud Powered Services
and VMware vCloud Datacenter Services
from partners in the VMware Service Provider
Program, vCloud Suite users can ensure that
their external cloud resources are every bit as
safe and legal as their internal ones. "You've
got a common architecture and a common set
of controls on both sides of the firewall, which
means everything works consistently regardless
of whose data center it's in," says Allen
Shortnacy, alliances partner architect for business
development at VMware.
That's just one example of how VMware positions
its customers for success in the cloud. "Sure,
cloud computing adds new complexities to
security, compliance, and budgeting," Shortnacy
says. "With the help of VMware and its partners,
however, you can conquer all of them."
State-of-the-Art Solutions
Mitigating the cloud's security, compliance, and
budgeting risks begins with what Shackleford calls
a hugely boring but all-important topic: policy.
Companies must draft clear rules about who can set
up new cloud-based solutions, how those systems
are paid for, and what can or can't be stored in them.
Then they must disseminate those rules broadly,
with vocal support from senior leaders, and enforce
them vigorously.
Yet policy alone is just a start. Businesses must also
use state-of-the-art cloud platform technologies, and
ensure that their vendors do as well. Key features to
look for in such systems are comprehensive security
protections for hosts, networks, virtual machines,
applications, and data, as well as consistent application
of those safeguards across public and private
clouds. Visibility into virtual workloads, thorough
auditing capabilities, and robust reporting and
management tools are all musts too, as is functionality
for embedding authentication, access control,
privacy, and confidentiality policies within virtual
machines. "That way your security and compliance
policies follow your VMs as they move across the
cloud and the data center," Shortnacy says.
Partnering with qualified cloud vendors is every bit
as important as using sophisticated cloud software,
so savvy companies maintain a list of preapproved
service providers and ban employees from working
with anyone else. According to Chris Richter, building
such a list properly means asking lots and lots of
questions. "We always tell customers to dig deeper
and really get underneath the hood," observes
Richter, who is vice president of managed security
products and services at Savvis, a managed hosting
and co-location provider headquartered in Town &
Country, Mo.
At a minimum, he continues, ask to see an architectural
diagram showing how the provider locks down
its environment. Study the provider's security policies
carefully as well, and compare them to your own. "If
there's a disconnect, the cloud provider should be
willing to recommend a way to address that gap,"
Richter notes. The provider should also be willing and
equipped to deliver detailed reporting information to
compliance auditors, he adds.
The Consensus Assessments Initiative Questionnaire,
available free on the Cloud Security Alliance website,
outlines the essential topics businesses should
cover when evaluating cloud service providers.
Shackleford, for his part, advises businesses to pay
particular attention to whether a potential vendor has
industry-standard security accreditations, such as the
ISO 27001 and Service Organization Control (SOC) 2
certifications, and to confirm the vendor has experience
in your industry and knowledge of its regulatory
requirements. "If you have to meet compliance
standards like PCI or HIPAA, then [your vendors] have
to meet those standards internally," Shackleford says.
Don't forget to inspect a cloud provider's service-level
agreement (SLA) thoroughly either, adds Noah
Weisberger, director of professional services at Coalfire
Systems Inc., an IT governance, risk, and compliance
adviser with headquarters in Louisville, Colo.
"There should absolutely be contractual language in
there that they acknowledge their obligation to meet
all of your security and compliance requirements," he
says.
Charge It to My Account: the VMware Cloud Credits Purchasing Program
To make consuming public cloud services
from VMware partners easier, VMware
offers the VMware Cloud Credits Purchasing
Program. The program enables technology
managers to buy credits through their favorite
VMware Solution Provider and then allocate
them to the company's various business and
IT units through the My VMware management
portal. Then, via that same intuitive interface,
users can redeem their credits with approved
VMware vCloud Service Providers on a self-serve
basis.
"From a security standpoint, you're limiting
people to approved VMware partners without
decreasing their business agility," Shortnacy
says. "You can also restrict specific business
units with compliance responsibilities
to providers with relevant expertise and
capabilities."
The VMware Cloud Credits Purchasing
Program enhances your budgeting flexibility
too. "You can protect your IT funding by
buying now and redeeming later," Shortnacy
explains. And by centralizing all of your cloud-related
transactions in one place, you can
also monitor and control cloud spending with
greater precision.
The end results are a simpler, faster cloud
procurement process, more accurate
budgeting, and significantly improved security,
a combination anyone concerned about
cloud security, compliance, and funding
issues can appreciate.
Centralized Payments
Of course, none of those actions is likely to do you
much good if employees continue setting up rogue
clouds. To rein in that problem, start by establishing
a dialogue with your non-IT counterparts. Users
often don't realize that IT can provide exactly what
they would otherwise buy on their own, only far more
securely.
Users are more likely to choose IT-endorsed cloud
services if identifying and paying for them is simple,
so creating a portal that provides direct access to
cloud-related funds as well as self-serve tools for
spending that money with preapproved vendors is
an important best practice. VMware's Cloud Credits
Purchasing Program, for instance, utilizes the My
VMware portal to let IT managers allocate cloud
funds and business managers spend them quickly
and easily. The result is that business decision
makers get the agility they crave while helping IT
better protect the business. "It just makes the whole
procurement and budgeting process easier," Richter
observes.
It also lowers administrative overhead by reducing the
cloud sprawl that results when multiple business
groups procure services independently, and allows
greater control over budgeting by centralizing all of
your cloud payments in one place.
Just one more reason, if any were needed, to make
mastering cloud security, compliance, and budgeting
a top priority. "These are somewhat scary problems,
but you can solve all of them," Shortnacy says.
"There's no reason to let your fears about the cloud
keep you from realizing its benefits."
For more information please visit
http://vcloudproviders.vmware.com/