Building Effective Frameworks to Safeguard Public Sector Cloud Environments
Resiliency, Agility and Responsiveness: Exploring the Benefits of Cloud Security
Fred Thiele
Chief Information Security Officer
Transport NSW
Using and understanding the cloud
Government agencies tend to produce a lot of data and use a lot of applications. The cloud is a way of storing all that information in one place, and making it available to all who need it wherever they are without clogging up data centres or engaging complicated infrastructure. However, the cloud is also complicated, both in terms of how it operates and in terms of how it should be set up in the first place. Fred Thiele, the Chief Information Security Officer at Transport NSW, says that the cloud is often confronting for people initially, but there are “a few key pointers that will hopefully help us all on our cloud journey.”
Across NSW Government there is a cloud strategy which “states that we must use public cloud first, as the default. We should only use the traditional data centres if it makes sense for our businesses or if we have no other alternative.” However, there are numerous ways to interpret this and there are a number of public cloud platforms. Before delving further, it is therefore important to understand these, and one way to do so is to think of them as “a cloud pizza model.” This was the model that “helped us to overcome and understand it at Transport NSW.” Essentially there are four types of services, each corresponding to a different type of pizza-making analogy:
- Made at home / Traditional on-prem – “This is where everything is managed in-house. In terms of pizza making, it’s a DIY model where you buy the ingredients, make the pizza, put it in the oven and serve it at home. In an IT set up, you manage everything, and it’s about legacy data centres.”
- Take and bake / Infrastructure-as-a-Service (IaaS) – “This is when you buy a frozen, pre-made pizza, but you still have to go and cook it when you get home. You’ve got all the infrastructure, but you still have to manage it.”
- Pizza delivery / Platform-as-a-Service (PaaS) – “This takes the previous model to another level. This is when a delivery courier service delivers you a freshly made pizza to your door. You don’t really have to do anything other than put it on the kitchen table and clean up after yourself.”
- Dining out / Software-as-a-Service (SaaS) – “This is the full service model where everything is outsourced, except the eating. It’s an end-to-end service where you don’t even have to clean up, but you do have to make the booking. From a cloud perspective, everything is managed by the vendor, but you still have to configure it properly and make sure it’s configured with your company’s policies. You still have to be somewhat involved. It’s not an entirely full service.”
Although SaaS is the pinnacle, few companies or agencies are in that space. Most are somewhere between IaaS and PaaS. These two work best if there are CIOs who know what they are doing and can leverage the cloud to “deliver value to the customer.” For this to work, it is really important to “understand the business and the solution.” In other words, with so many options, the right one for each business should be sought.
Debunking some cloud myths
There are a number of “out-of-the-box cloud solutions,” but it is never simply a matter of uploading applications to the cloud and forgetting about them. Without preparation, customisation and maintenance, the cloud is likely to be “more difficult, more expensive and less secure.” Care should therefore be taken, and then these challenges and myths can be overcome.
Cloud is more difficult – In many ways it is true that cloud is a difficult transition process because “it is a major paradigm shift. Everything changes. The language, the architecture and people have to change the way they work. So there’s a lot of change that needs to happen and it does take time. But when you get it right, it’s beautiful.” Usually the biggest success factor is in the planning. It is possible to simply take everything and move it to the cloud with little forethought, but sometimes that will cause more problems than it solves, so planning is necessary. As part of the planning, some questions need to be answered, like “does it make sense to completely transition all the services and applications to the cloud, or is it best to keep some of them on-prem?” Answering these and other similar questions will make the whole process much less difficult.
Concluding point – “Cloud is difficult initially, but it does get easier with time. Build in time into your strategy to make sure you get the efficiencies that you need.”
Cloud is more expensive – Like any new product or service, there is an initial outlay which is quite expensive. Plus, at the outset there will be “a period of time where you are double running: paying for both the traditional data centre and the cloud platform.” In most cases it takes quite some time to transition everything. When everything is fully transitioned, then it will be clear how much data is in the cloud and “what size cloud servers are required, from the very small to the extra-large, all with different configurations in terms of memory settings, CPU, utilisation and storage.”
For instance, some servers might be turned off at night, whilst others will be configured to turn on during peak usage times. All of this, once it is set up, will save money. At the same time, “when you first move to cloud, you’ll be inexperienced if this is your first cloud,” so there will be further expenses, but with experience, there are savings to be made. In most cases, “it is a two to three year learning curve to gain efficiencies, so make sure you build that into your business case so you’re not showing value too early.”
Concluding point – “Cloud is expensive at first but it is absolutely cheaper in the long run.”
Cloud is less secure – If a business transitions to cloud without preparation or planning, then it is likely that the cloud will be “less secure in certain things.” This is expected because it won’t have been customised or configured to the needs of the business. Therefore “you might have to do control a bit differently.” For instance, it is likely that even an experienced CIO who hasn’t worked with cloud may not know how to set it up. “So they may need to upskill or go to a third party. Either way, the CIO will probably be taking on a lot more accountability and responsibility,” and the business needs to be prepared for that. Moreover, the whole business will “require a massive amount of governance change.” Rather than security being controlled centrally, “with decentralisation, security needs to have really strong touch points and really strong enforcement points to make sure that a consistent set of security controls is deployed.” This means having rules and good relationships.
Concluding point – “There’s also a lot of physical security that you no longer have to worry about in the cloud so overall, security is better. But don’t forget the governance, which is not built in by default.”