KuppingerCole Analysts' View on Cloud Risk & Security



CSP vs. tenant - Understanding shared responsibilities

Matthias Reinwarth

Running an application or a service implies covering a large set of diverse responsibilities. Many requirements have to be fulfilled: the actual infrastructure has to be provided, which means that bare metal (computers, network and storage devices) has to be installed and made available as the foundation layer. On the next logical level, operating systems have to be installed and appropriately maintained, including patches and updates. Appropriate mechanisms for virtualization have to be implemented.

Every layer of the provided infrastructure has to be implemented in an adequately scalable, stable, available and accessible way, at an at least sufficient level of performance. Service level agreements have to be defined and met, which again involves responsibilities for availability, accessibility and scalability. This also requires the allocation of appropriate administrative or user services, e.g. implementing help desks and/or a self-service infrastructure.

Security is of utmost importance for every application, service or infrastructure. This includes, for example, platform security, the reliable and robust management of users and privileged accounts and their individual roles, fine-grained access control, and network security including intrusion detection. In a shared, virtualized environment this also imposes strong requirements for the separation of individual platforms operated in parallel and for the isolation of software, processes and data across the network, storage and computing environments. The provisioning of appropriate management interfaces, the implementation of change processes and the maintenance of stable, reliable and auditable systems operation procedures are key responsibilities within an application system or infrastructure environment.

The aspect of overall application security defines another set of responsibilities, which focuses on logical and functional aspects and on the business processes implemented. Ensuring all required aspects of the IT security of an application or infrastructure system, including the confidentiality, integrity and availability of the computer system, together with a proper implementation of the underlying business processes, are important challenges, no matter which deployment scenario is chosen.

Whenever an application or a service is running on premises, determining who is responsible for which aspects of the infrastructure is typically a straightforward task. All vital building blocks, ranging from the infrastructure to the operating system and from the application modules to the stored data and the underlying business processes, are the responsibility of the organization itself, i.e. the internal customer. Many organizations assign individual responsibilities and tasks along the lines of the ITIL service management processes, with typical roles like the "application owner" or the "system owner" reflecting different functional aspects and responsibilities within the organization.

Moving services into the cloud or creating new services within the cloud changes the picture substantially and introduces the Cloud Service Provider (CSP) as a new stakeholder in the network of functional roles already established. Cloud services are characterized by the level of service provided. Individual services in the cloud are organized as layers building upon each other. Although the terms are not used consistently across different CSPs, cloud service offerings are often characterized as e.g. "Infrastructure as a Service" (IaaS) or "Platform as a Service" (PaaS). Depending on which parts of the services are provided by the CSP on behalf of the customer and which parts are implemented by the tenant on top of the provided service layers, the responsibilities are assigned to either the Cloud Service Provider (CSP) or the tenant.

The following image gives a rough overview of which responsibilities are assigned to which partner within a cloud service provisioning contract in each cloud service model. While an "Infrastructure as a Service" (IaaS) scenario puts the responsibility for only the infrastructure on the Cloud Service Provider (CSP), the only responsibility left to the tenant in a "Software as a Service" (SaaS) scenario is the responsibility for the actual business data. This is obvious, as data ownership within an organisation is an inalienable responsibility and thus cannot be delegated to anybody outside the actual organisation.

Shared responsibilities between the Cloud Service Provider (CSP) and the tenant are a key characteristic of every deployment scenario of cloud services. The above image gives a first idea of this new type of shared responsibility between service providers and their customers. For every real-life cloud service model scenario, all responsibilities identified have to be clearly and individually assigned to the adequate stakeholder. This might be drastically different in scenarios where only infrastructure is provided, for example the provisioning of plain storage or computing services, compared to scenarios where complete "Software as a Service" (SaaS, e.g. Office 365) or even "Business process as a Service" (BaaS) is provided in the cloud, for example an instance of SalesForce CRM. A robust and complete identification of which responsibilities are assigned to which contract partner within a cloud service scenario is the prerequisite for an appropriate service contract between the Cloud Service Provider (CSP) and the tenant.



Getting the Cloud under Control

Mike Small

Many organizations are concerned about the use of cloud services; the challenge is to securely enable the use of these services without negating the benefits that they bring. To meet this challenge it is essential to move from IT Management to IT Governance.

Cloud services are outside the direct control of the customer’s organization, and their use places control of the service and infrastructure in the hands of the Cloud Service Provider (CSP). The service and the security it provides cannot be ensured by the customer – the customer can only assure the service through a governance process. A governance-based approach allows trust in the CSP to be assured through a combination of internal processes, standards and independent assessments.

Governance is distinct from management in that management plans, builds, runs and monitors the IT service in alignment with the direction set by the governance body to achieve the objectives. This distinction is clearly defined in COBIT 5. Governance ensures that business needs are clearly defined and agreed and that they are satisfied in an appropriate way. Governance sets priorities and the way in which decisions are made; it monitors performance and compliance against the agreed objectives.

The starting point for a governance-based approach is to define the organizational objectives for using cloud services; everything else follows from these. Then set the constraints on the use of cloud services in line with the organization’s objectives and risk appetite. There are risks involved with all IT service delivery models; assessing these risks in a common way is fundamental to understanding the additional risk (if any) involved in the use of a cloud service. Finally, there are many concrete steps that an organization can take to manage the risks associated with its use of cloud services. These include:

  • Common governance approach – the cloud is only one way in which IT services are delivered in most organizations. Adopt a common approach to governance and risk management that covers all forms of IT service delivery.
  • Discover cloud use – find out what cloud services are actually being used by the organization. There is now a growing market in tools to help with this. Assess the services that you have discovered are being used against the organization’s objectives and risk appetite.
  • Govern cloud access – govern access to cloud services with the same rigour as if they were on premise. There should be no need for you to use a separate IAM system for this – identity federation standards like SAML 2.0 are well defined and the service should support these. The service should also support the authentication methods, provide the granular access controls and monitor individuals’ use of the services that your organization requires.
  • Identify who is responsible for each risk relating to the cloud service – the CSP or your organization. Make sure that you take care of your responsibilities and assure that the CSP meets its obligations.
  • Require independent certification – an important way to assure that a cloud service provides what it claims is through independent certification. Demand that the CSP provides independent certification and attestations for the aspects of the service that matter to your organization.
  • Use standards – standards provide the best way of avoiding technical lock-in to a proprietary service. Understand what standards are relevant and require the service to support these standards.
  • Encrypt your data – there are many ways in which data can be leaked or lost from a cloud service. The safest way to protect your data against this risk is to encrypt it. Make sure that you retain control over the encryption keys.
  • Read the contract – make sure you read and understand the contract. Most cloud service contracts are offered by the CSP on a take-it-or-leave-it basis. Make sure that what is offered is acceptable to your organization.

KuppingerCole has extensive experience of guiding organizations through their adoption of cloud services, as well as many published research notes. Remember that the cloud is only one way of obtaining an IT service – have a common governance process for all of them. If a cloud service meets your organization’s need, then the simple motto is “trust your Cloud Provider but verify everything they claim”.



Reading Might Help: What You Should Consider before Closing a Cloud Computing Contract

Martin Kuppinger

As with most other contracts, be it about a large purchase or an insurance policy, you should read (standard) contracts with your cloud provider very carefully. Chances are good that you will detect some points that border on insolence. There are certainly good reasons for using the cloud in businesses of any size, among them cost reductions and the ability to concentrate on the core business. By enabling rapid adoption of new services, the cloud also enables quick innovation. But since your whole business will be influenced by the services delivered, they might sooner or later become disruptive to your daily workflow if not properly implemented.

"Uneven" relationship

Clearly, the relationship between cloud service provider (CSP) and tenant is "uneven" from the beginning. The latter first of all has to pay for all extras, frequently called Managed Services - even for those that should naturally be included in any cloud contract. This way the customer has to pay more for letting the provider take over more of its normal responsibility. Delivering those kinds of "value-added services" only for much more money can't be the unique selling point. I wonder what the provider's legal department says to those offers. The providers should be liable for breakdowns in service and for data breach or loss. Most if not all deny that responsibility.

Reading the contract carefully can help you avoid the most obvious pitfalls. Make it a game: find the aspects that could become a challenge for your daily business. There are some, trust me. Begin with the parts of the contract dealing with end of service, changes or availability. Don't be surprised if there is a clause that gives your CSP the freedom to end its business with you at any time. The CSP can also change services flexibly - mind you, flexibility should be on your side in the cloud, not on the provider's - without having to announce it long in advance. Some CSPs think they don't need to announce it at all, even if the change means that an important application won't run any longer.

Feature changes can pose problems

Feature changes can evolve into a massive problem when employees can't find some data again or see a completely altered user interface. This will lead to an increase in costs for help desk calls. Or imagine your customers relied on a certain feature that suddenly doesn't exist anymore. Just because the CSP thinks it is useless doesn't mean that you do so too.

Another issue concerns availability: surely it is not always the CSP's fault if a service is not accessible. But where it is, availability guarantees amount to nothing if they are not connected to penalties. CSPs regularly exclude liability in their contracts for damages on the tenant's side as a consequence of a longer outage - which is understandable. However, without penalties such guarantees are relatively worthless. It should be added in this context that if you really need high availability, you'll probably get it a lot cheaper in the cloud than with your internal IT. The cloud idea is not bad in itself.

Customization and the Cloud

API (Application Programming Interface) changes might affect the integration between different cloud services or between a cloud service and on-premise applications. They might as well affect customized solutions. Customized solutions? Is cloud computing not all about standards? Aren't the greatest benefits to be found in areas where customization won't mean a competitive advantage? Yes, maybe. But most business solutions - CRM, ERP, HR etc. - don't exist in isolation from other applications. They need to be integrated to work optimally. Last but not least, APIs have to be upwards compatible. If they change or features are discontinued, the CSP's client has to be informed long in advance to be able to prepare for it and to tell its own customers in time.

How to find a good CSP

So, how do you recognize a good CSP for your business? First of all, the provider should see the cloud benefits from your perspective, not only from its own. For this it has to understand your main issues and challenges. Customers, on the other side, should always be prepared that things might not run as they expected. Therefore, an exit strategy should always be fixed in the contract. This also helps to avoid the problem of vendor lock-in, which is often the result of long-term initial contracts. If a contract ends, the user should get all of his data back immediately, without any further costs.

Naturally, not everybody running a business understands the concept of the cloud and how it works. It suffices to know how to find a good CSP and what elements a contract should contain in order to be beneficial to the customer.
