By Peter HJ van Eijk, Head Coach and Cloud Architect, ClubCloudComputing.com
How can the financial industry innovate faster? Why do non-technical people need to have a basic understanding of cloud technology?
Imagine this scenario. Davinci is a company providing a SaaS solution to banks to process loans and mortgage applications. Davinci runs its own software on an AWS platform, and a significant number of large mortgage providers depend on the service. As you can imagine, the loan approval process involves a lot of personal and financial data, which naturally presents a tremendous privacy risk. This raises the question of who is going to take care of these and other risks.
Cloud security: Who does what?
Cloud distributes responsibility for IT services across an IT supply chain. This supply chain is composed of independent providers, which implies that companies have technical boundaries that are matched by organizational and contractual boundaries. The concept of having technical boundaries is new—this issue didn’t exist before the digital revolution.
In our example, there is both an organizational and a technical boundary between the mortgage providers and the SaaS provider. So the question is, what happens on either side?
Amazon Web Services calls this the shared responsibility model for cloud security. I would simplify that as: What do I do, and what do you do? For example, who is responsible for patching the operating system in an IaaS service model? Who is responsible for protecting customer data in a SaaS model? The answer will vary from company to company, technology to technology, and even from threat to threat.
Allocation of shared responsibility
Legal contracts must address the allocation of responsibilities; otherwise they are not enforceable. But who is going to check those contracts? Who needs to make sure the contracts actually specify those tasks, lay out who is responsible for doing them, and state how to monitor and enforce them? Typically, this is a job for procurement and legal.
Because of this, people (in this case: procurement and legal) need to have a solid understanding not only of the given service, but also of which (technical) tasks are not part of that service.
A baseline understanding of cloud responsibilities is critical. Insufficient understanding delays the entire assessment process and reduces its quality. As one of my legal course students once said:
“When I go into a conversation with a cloud provider I have time for, let’s say, 10 questions. If all these questions go to understanding basic cloud terminology and technology, I have missed the opportunity to talk about the real risk and opportunity for our company.”
My takeaway from this is the following: Educate your lawyers, procurement and so on. Help them understand the cloud well enough to ask educated questions. Help them know where technical boundaries need to be translated into legal controls. Help them understand the technical and organizational shared responsibility model.
When adopting cloud (and thereby sharing responsibility with providers) make sure that everyone involved in the decision-making, implementation and enforcement has a basic understanding of:
- cloud services and service models;
- how these services map to technical infrastructure and software; and
- how each of these can be located in different places and be under the control of different organizations.
Better understanding of the shared responsibility model leads to faster cloud adoption because it reduces fruitless back and forth on ‘who does what.’
There are several ways to better understand the shared responsibility model. But in my opinion, the best way to gain deeper understanding, speed up dialogue, and accelerate profitable and secure cloud adoption is to study a vendor-neutral body of knowledge such as that demonstrated by CSA’s Certificate of Cloud Security Knowledge (CCSK). The CCSK tests for a broad foundation of knowledge about cloud security, with topics that include architecture, governance, compliance, operations, encryption, virtualization and much more. It elaborates on understanding cloud models, risks and appropriate controls, as well as the Cloud Controls Matrix, which is a very effective tool in cloud provider evaluation.
Interested in learning more about drivers and barriers to cloud adoption in the financial industry? Here are a few posts and articles to get you started.
Peter van Eijk is one of the world’s most experienced cloud trainers. He has worked for 30+ years in research, with IT service providers and in IT consulting (University of Twente, AT&T Bell Labs, EDS, EUNet, Deloitte). In more than 100 training sessions, he has helped organizations align on security and speed up their cloud adoption. He is an authorized CSA CCSK and (ISC)2 CCSP trainer, and has written or contributed to several cloud training courses.