Managing cloud services risk throughout a supplier lifecycle relationship.
Security experts Mark Becker, senior security consultant and Bryan Fite, security portfolio manager at BT discuss their thoughts on the importance of managing cloud services risk throughout a supplier lifecycle relationship.
Published by: BT Let's Talk on Sep 06, 2013
Copyright:Attribution Non-commercial
 
Managing cloud services risk throughout a supplier lifecycle relationship
By Mark Becker, Senior security consultant, BT and Bryan Fite, Security portfolio manager, BT
 
Introduction
Cloud services have proliferated. New, virtual services and repositioned hosted services deliver the agility and pay-for-use objectives cloud proponents expect. Project teams and organizational units have found the cloud to be a highly responsive option to immediate needs.

While the cloud as a service delivery model has made substantive advances in the past two years, companion risk and governance models have not matured at a similar rate. Risk Management and Information Security teams should be concerned. Who has the responsibility to provide a sustainable management and governance infrastructure that minimizes business risk? Who will assure that compliance, privacy and long-term service continuity controls are adequate? Who will guarantee that the level of trust extended to a service provider is warranted?

In an ideal world, the tactics used to engage a Cloud Services Provider (CSP) would be commensurate with the level of risk to which the enterprise is exposed. The tactics to establish whether the CSP is worthy of trust, the scope of technical control to mitigate threats, and the quality management governance model would be dictated by a simple-to-use and easily understood risk management framework.
 
Today, the focus is on the service outcome
BT provides network consulting services for which the cloud is often a delivery option. We have noticed that many cloud programs are directed at a specific problem that can be solved by a widget or service provided by a CSP. The good news is that if the widget fits, the result is generally of high quality. The bad news is, far too often there is very little:

1) Oversight of the CSP relationship,
2) Data protection,
3) Operational and business continuity assurance, and / or
4) Integrated change management.

While not as egregious as buying a “Rolex” watch from a New York street vendor, there are similarities: the watch does tell the time, for a while anyway; the credentials of the supplier are assumed adequate; and the purchase comes with no warranty. Urgency, responsiveness and the short-term nature of the vendor relationship are the justification for risk management shortcuts.
Reality check – CSP selection is risky business
The more sensitive the data and / or the more critical the process, the more important supplier selection tactics and trust management become to the success of the relationship and the value it provides. A successful relationship will be grounded in a shared understanding of accountabilities and expectations. The choice will not be solely whether someone else can provide a service within desired cost and time parameters. Rather, the choice will confirm that they will do it with the same care you would provide when doing it yourself. As the relationship develops from prospect to partner, risk mitigation must change from assessment to in-life control. The focal point must change from ‘me’ to ‘we’.

Figure 1 looks at the various stages of a provider relationship lifecycle. At each point, a share of the activity should include risk management activities.
Deneusecase
must declare the relative riskassociated with data sensitivity and processcriticality - the service is to support.
QualifyCSP
must build trust based on a verication
that the service provider provides adequate security
controls for the use case, the business benets, and
the cost of entry.
Deneservice
should summarize the human andsecurity controls aligned with use case risk,document the technical and process integrationwith the CSP, and provide the quality controlframework to manage the in-life operation.
•Contractforservice
must include the termsunder which the use case and service aremanaged to contain risk including SLAs,roles/responsibilities, and terms that could beinvoked upon service failure such as informationdisclosure and service interruption.
•Managein-lifeservice
includes the required levelof joint management and control.
•Terminateservice
is the unavoidable but mutuallyagreed end of the relationship.
Figure 1: Cloud Services Relationship Lifecycle

[Figure 1 diagram: CSP Relationship Lifecycle, with the stages Define use case, Qualify CSP, Define service, Contract for service, Manage in-life service and Terminate service.]