Transcript of a BriefingsDirect podcast on the role of security in moving to the cloud and how sound security practices can make adoption easier.

1. Expert Chat with HP on How Understanding Security Makes it
an Enabler, Rather than an Inhibitor, of Cloud Adoption
Transcript of a BriefingsDirect podcast on the role of security in moving to the cloud and how
sound security practices can make adoption easier.
Listen to the podcast. Find it on iTunes/iPod. Sponsor: HP
View the full Expert Chat presentation on cloud adoption best practices.
Dana Gardner: Welcome to a special BriefingsDirect presentation, a sponsored podcast created
from a recent HP Expert Chat discussion on best practices for protecting
cloud-computing implementations and their use.
Business leaders clearly want to exploit the cloud values that earn them
results fast, but they also fear the risks perceived in moving to cloud models
rashly. It now falls to CIOs to not only rapidly adapt to cloud, but find the
ways to protect their employees and customers – even as security threats
grow.
This is a serious but not insurmountable challenge.
This is Dana Gardner, Principal Analyst at Interarbor Solutions. To help find out how to best
implement protected cloud models, I recently moderated an HP Expert Chat session with Tari
Schreider, HP Chief Architect of HP Technology Consulting and IT Assurance Practice. Tari is a
Distinguished Technologist with 30 years of IT and cyber security experience, and he has
designed, built, and managed some of the world’s largest information protection programs.
In our discussion, you’ll hear the latest recommendations for how to enable and protect the many
cloud models being considered by companies the world over. [Disclosure: HP is a sponsor of
BriefingsDirect podcasts.]
As part of our chat, we're also joined by three other HP experts, Lois Boliek, World Wide
Manager in the HP IT Assurance Program; Jan De Clercq, World Wide IT Solution Architect in
the HP IT Assurance Program; and Luis Buezo, HP IT Assurance Program Lead for EMEA.
Our discussion begins with a brief overview from me of the cloud market and current adoption
risks. We'll begin by looking at why cloud and hybrid computing are of such great interest to
businesses and why security concerns may be unnecessarily holding them back.

2. If you understand the security risk, gain a detailed understanding of your own infrastructure, and
follow proven reference architectures and methods, security can move from an inhibitor of cloud
adoption to an enabler.
Cloud has sparked the imagination of business leaders clearly, and many see it now as essential.
Part of that is because the speed of business execution, especially the need for creating
innovations that span corporate boundaries and extend across business ecosystems, has made this
a top priority for corporations.
Every survey that I've seen and every panelist that I've talked to is saying that the cloud is
elevating in terms of priority, and a lot of it has to do with the agility benefits. There's is a rush to
be innovative and to be a first mover. That also puts a lot of pressure on the business people
inside these companies, and they have been intrigued by cloud computing as a mean of getting
them where they need to go fast.
This now means that the center of gravity for IT services is shifting towards the enterprise’s
boundaries, moving increasingly outside of their firewalls, and therefore beyond the traditional
control of IT.
Protection risks
Business leaders want to exploit the cloud values that bring them productivity results fast, but
IT leaders think that the protection risk perceived in moving to cloud models could
come back to bite them. They need to be aware and maybe even put the brakes on
in order to do this correctly.
So it now falls on CIOs and other leaders in IT not only to rapidly adopt cloud
models, but to quickly find the means to make cloud use protected for
operations, data, processes, intellectual property, their employees, and their
customers, even as security and cyber threats ramp up.
We'll now hear from HP experts from your region about meeting these challenges and obtaining
the business payoffs by making the transition to cloud enablement securely. Now is the time for
making preparation for successful cloud use.
We're going to be hearing specifically about how HP suggests that you best understand the
transition to cloud-protected enablement. Please join me now in welcoming our main speaker,
Tari Schreider. Tari, please tell us more about how we can get into the cloud and do it with low
risk.
Tari Schreider: It's always a pleasure to be able to sit with you and chat about some of the
technology issues of the day, and certainly cloud computing protection is the topic that’s top of
mind for many of our customers.

3. I want to begin talking about the four immutable laws of cloud security. For those of you who
have been involved in information security over time, you understand that there
is a certain level of immutability that is incumbent within security. These are
things that will always be, things that will never change, and it is a state of
being.
When we started working on building clouds at HP a few years ago, we were
also required to apply data protection and security controls around those
platforms we built. We understood that the same immutable laws that apply to
security, business continuity, and disaster recovery extended into the cloud
world.
First is an understanding that if your data is hosted in the cloud, you no longer directly control its
privacy and protection. You're going to have to give up a bit of control, in order to achieve the
agility, performance, and cost savings that a cloud ecosystem provides you.
The next immutable law is that when your data is burst into the cloud, you no longer directly
control where the data resides or is processed.
One of the benefits of cloud-based computing is that you don’t have to have all of the resources
at any one particular time. In order to control your costs, you want to have an infrastructure that
supports you for daily business operations, but there are ebbs and flows to that. This is the whole
purpose of cloud bursting. For those of you who are familiar with grid-based computing, the
models are principally the same.
Different locations
Rather than your data being in one or maybe a secondary location, it could actually be in 5, 10,
or maybe 30 different locations, because of bursting, and also be under the jurisdiction of many
different rules and regulations, something that we're going to talk about in just a little bit.
The next immutable law is that if your security controls are not contractually committed to, then
you may not have any legal standing in terms of the control over your data or your assets. You
may feel that you have the most comprehensive security policy that is rigorously reviewed by
your legal department, but if that is not ensconced in the terminology of the agreement with a
service provider, then you don’t have the standing that you may have thought you had.
The last immutable law is that if you don’t extend your current security policies and controls in
the cloud computing platform, you're more than likely going to be compromised.
You want to resist trying to create two entirely separate, disparate security programs and policy
manuals. Cloud-based computing is an attribute on the Internet. Your data and your assets are the
same. It’s where they reside and how they're being accessed where there is a big change. We
strongly recommend that you build that into your existing information security program.

4. Gardner: Tari, these are clearly some significant building blocks in moving towards cloud
activities, but as we think about that, what are the top security threats from your perspective?
What should we be most concerned about?
Schreider: Dana, we have the opportunity to work with many of our customers who, from time
to time, experience breaches of security. As you might imagine, HP, a very large organization,
has literally hundreds of thousands of customers around the world. This provides us with a
unique vantage point to be able to study the morphology of cloud computing platform, security,
outages, and security events.
One of the things that we also do is take the pulse of our customer base. We want to know what’s
keeping them up at night. What are the things that they're most concerned with? Generally, we
find that there is a gap between what actually happens and what people believe could happen.
I want to share with you something that we feel is particularly poignant, because it is a direct
interlock between what we're seeing actually happening in the industry and also what keeps our
clients up late at night.
First and foremost, there's the ensured continuity of the cloud-computing platform. The reason to
move to cloud is for making data and assets available anywhere, anytime, and also being able to
have people from around the world accept that data and be able to solve business needs.
If the cloud computing platform is not continuously available, then the business justification as to
why you went there in the first place is significantly mooted.
Loss of GRC control
Next is the loss of span of governance, risk management, and compliance (GRC) control. In
today’s environment, we can build an imperfect program and we can have a GRC management
program with dominion over our assets and our information within our own environment.
Unfortunately, when we start extending this out into a cloud ecosystem, whether private, public,
or hybrid, we don’t necessarily have the same span of control that we have had before. This
requires some delicate orchestration between multiple parties to ensure that you have the right
governance controls in place.
The next is data privacy. Much has been written on data privacy and protection across the cloud
ecosystem. Today, you may have a data privacy program that’s designed to address the security
and privacy laws of your specific country or your particular state that you might reside in.
However, when you're moving into a cloud environment, that data can now be moved or burst
anywhere in the world, which means that you could be violating data-privacy laws in another
country unwittingly. This is something that clients want to make sure that they address, so it does
not come back in terms of fines or regulatory penalties.

5. Mobility access is the key to the enablement of the power of the cloud. It could be a bring-your-
own-device (BYOD) scenario, or it could be devices that are corporately managed. Basically you
want to provide the data and put it in the hands of the people.
Whether they're out on an oil platform and they need access to data, or whether it’s the sales
force that need access to Salesforce.com data on BlackBerrys, the fact remains that the data in
the cloud has to land on those mobile devices, and security is an integral part.
You may be the owner of the data, but there are many custodians of the data in a cloud
ecosystem. You have to make sure that you have an incident-response plan that recognizes the
roles and responsibilities between owner and custodian.
Gardner: Tari, the notion of getting control over your cloud activities is important, but a lot of
people get caught up in the devil in the details. We know that cloud regulations and laws change
from region to region, country to country, and in many cases, even within companies themselves.
What is your advice, when we start to look at these detailed issues and all of the variables in the
cloud?
Schreider: Dana, that is a central preoccupation of law firms, courts, and regulatory bodies
today. What tenets of law apply to data that resides in the cloud? I want to talk about a couple of
areas that we think are the most crucial, when putting together a program to secure data from a
privacy perspective.
Just as you have to have order in the courts, you have to have order in the clouds. First and
foremost, and I alluded to this earlier, is that the terms and conditions of the cloud computing
services are really what adjudicates the rights, roles, and responsibilities between a data owner
and a data custodian.
Choice of law
However, within that is the concept of choice of law. This means that, wherever the breach of
security occurs, the courts can actually go to the choice of the law, which means whatever is the
law of the land where the data resides, in order to determine who is at fault and at breach of
security.
This is also true for data privacy. If your data resides in your home location, is that the choice of
law by which you follow the data privacy standards? Or if your data is burst, how long does this
have to be in that other jurisdiction before it is covered by that choice of law? In either case, it is
a particularly tricky situation to ensure that you understand what rules and regulations apply to
you.
The next one is transporter data flow triggers. This is an interesting concept, because when your
data moves, if you do a data-flow analysis for a cloud ecosystem, you'll find that the data can
actually go across various borders, going from jurisdiction to jurisdiction.

6. The data may be created in one jurisdiction. It may be sent to another jurisdiction for processing
and analysis, and then may be sent to another location for storage, for intermediate use, and yet a
fourth location for backup, and then possibly a fifth location for a recovery site.
This is not an atypical example. You could have five triggering events across five different
borders. So you have to understand the legal obligations in multiple jurisdictions.
The next one is reasonable security, which is, under the law, what would a prudent person do?
What is reasonable under the choice of law for that particular country? When you're putting
together your own private cloud, in which you may have a federated client base, this ostensibly
makes you a cloud service provider (CSP).
Or, in an environment where you are using several CSPs, what are the data integrity disclaimers?
The onus is predominantly placed on the owner of the data for the integrity of the data, and after
careful crafting of terms and conditions, the CSP basically wants no direct responsibility for
maintaining the integrity of that data.
When we talk about who owns the data, there is an interesting concept, and there are a few test
cases that are coursing their way through various courts. It’s called the Berne Convention.
In the late 1990s, there were a number of countries that got together and said, "Information is
flowing all over the place. We understand copyright protection for works of art and for songs and
those types of things, but let’s take it a step further."
In the context of a cloud, could not the employees of an organization be considered authors, and
could not the data they produce be considered work? Therefore wouldn’t it be covered by the
Berne Convention, and therefore be covered under standard international copyright laws. This is
also something that’s interesting.
Modify policies
The reason that I bring this to your attention is that it is this kind of analysis that you should do
with your own legal counsel to make sure that you understand the full scope of what’s required
and modify your existing security policies.
The last point is around electronic evidence and eDiscovery. This is interesting. In some cases it
can be a dual-edged sword. If I have custody of the data, then it is open under the rules of
discovery. They can actually request that I produce that information.
However, if I don’t directly have control of that data, then I don’t have the right, or I don’t have
the obligation, to turn it over under eDiscovery. So you have to understand what rules and
regulations apply where the data is, and that, in some cases, it could actually work to your
advantage.

7. Gardner: So we've identified some major building blocks for safe and proper cloud, we have
identified the concerns that people should have as they go into this. We understand there is lot of
detail involved. What are the risks in terms of what we should prioritize? How should we create
a triage effect, if you will, in identifying what’s most important from that risk perspective?
Schreider: There are certainly unique risks that are extant to a cloud computing environment.
However, one has to understand where that demarcation point is between a current risk register,
or threat inventory, for assets that have already been classified and those that are unique to a
cloud-computing environment.
Much has been said about uniqueness, but at the end of the day, there are only a handful of truly
unique threats. In many cases, they've been reconstituted from what is classically known as the
top 20 types of threats and vulnerabilities to affect an organization.
If you have an asset, an application, and data, they're vulnerable. It is the manner or the vector by
which they become vulnerable and can be compromised that come from some idiosyncrasies in a
cloud-computing environment.
One of the things that we like to do at HP for our own cloud environment, as well as for our
customers, is to avail ourselves of the body of work that has been done through European
Network and Information Security Agency (ENISA), the US National Institute of Standards and
Technology (NIST), and the Cloud Security Alliance (CSA) in understanding the types of threats
that have been vetted internationally and are recognized as the threats that are most likely to
occur within our environment.
We're strong believers of qualitative risk assessments and using a Facilitated Risk Assessment
Process (FRAP), where we simply want to understand the big picture. NIST has published a
great model, a nine-box chart, where you can determine where the risk is to your cloud
computing environment. You can use it from an impact from a high to low, to the likelihood from
high to low as well.
So in a very graphical form, we can present to executives of an organization where we feel we
have the greatest threats and. You'd have to have several overlays and templates for this, because
you're going to have multiple constituencies in an ecosystem for a cloud. So you're going to have
different views of this.
Different risk profiles
Your risk profile may be different, if you are the custodian, versus the risk profile if you're the
owner of the data. This is something that you can very easily put together and present to your
executives. It allows you to model the safeguards and controls to protect the cloud ecosystem.
Gardner: We certainly know that there is a great deal of opportunity for cloud models, but
unfortunately, there is also significant down side, when things don’t go well. You're exposed.

8. You're branded in front of people. Social media allows people to share issues when they arise.
What can we learn from the unfortunate public issues that have cropped up in the past few years
that allows us to take steps to prevent that from happening to us?
Schreider: These are all public events. We've all read about these events over the last 16-18
months, and some of them have occurred within just the last 30 days or so. This is not to
admonish anybody, but basically to applaud these companies that have come forward in the
interest of security. They've shared their postmortem of what worked and what didn’t work.
What goes up can certainly come down. Regardless of the amount of investment that one can put
into protecting their cloud computing environment, nobody is immune, whether it’s a significant
and pervasive hacking attempt against an organization, where sensitive data is exfiltrated, or
whether it is a service-oriented cloud platform that has an outage that prevents people from being
able to board a plane.
View the full Expert Chat presentation on cloud adoption best practices.
When an outage happens in your cloud computing environment, it definitely has a reverberation
effect. It’s almost a digital quake, because it can affect people from around the world.
One of the things that I mentioned before is that we're very fortunate that we have that
opportunity to look at disaster events and breaches of security and study what worked and what
didn’t.
I've put together a little model that would reanalyze the storm damage. if you look at the types of
major events that have occurred. I've looked at the control construct that would exist, or should
exist, in a private cloud and the control construct that should exist in a public cloud, and of
course in a hybrid cloud. It's the convergence of the two, and we would be able to mix and match
those.
If you have a situation where you have an external threat that infiltrates an application, hacks into
it, compromises an application, in a private cloud environment, you want to make sure that you
have a secure system development lifecycle methodology to ensure that the application is secure
and has been tested for all conventional threats and vulnerabilities.
In a public cloud environment, you normally don’t have that same avenue available to you. So
you want to make sure that you either have presented to you, or on behalf of the service provider,
have a web-application security review, external threat and vulnerability test.
In a cloud environment, where you are dealing in the situation of grouping many different
customers and users together, you have to have a basis to be able to segregate data and operation,
so that one of that doesn’t affect everybody.

9. Multi-tenancy strategies
In a private cloud environment, you would set up your security zone and segmentation, but in
the public cloud environment, you would have your multi-tenancy strategies in place and you
would make sure that you work with that service provider to ensure that they had the right layers
of security to protect you in a multi-tenant environment.
Data encryption is critical. One of the things you're going to find is that the difference between a
private cloud is that it's your responsibility to provide the data encryption.
Most public cloud providers don’t provide data encryption. If they do, then it's on a service. You
end up in a dedicated model as opposed to a shared model, and it's more expensive. But the
protection of that data from the encryption perspective is generally going to lie with the owner.
The difference with disaster recovery is that physical assets need to be recovered from a DR
perspective versus business continuity to make sure that you can cover your business by the CSP.
As you can see, the list goes on. There's a definite correlation with some slight nuances between
cloud computing incidents that affect a private cloud versus a public cloud.
Gardner: Tari, we've talked about the ills. We've talked about cloud protection. What about the
remediation and the prescription? How can we get on top of this?
Schreider: As we get towards the end and open it up for questions for our experts to answer
specific questions for those who have attended, I'll share with you what we do at HP, because we
do believe in eating our own dog food.
First and foremost, we understand that the cloud computing environment can be a bit chaotic. It
can be very gelatinous. You never really know where your perimeter is. Your perimeter is defined
by the mobility devices, and you have many different moving parts.
We're a great believer that you need a structure to bring order to that chaos. So we're very
fortunate to have one of the authors of HP’s Cloud Protection Reference Architecture, Jan De
Clercq, on with us today. I encourage people to please take advantage of that and ask any
architecture questions of him.
But as you can see here, we cleanly defined the types of security that should exist within the
access device zone, the types of security that are going to be unique to the model for software as
a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS), how that
interacts with a virtualized environment. Having access to this information is very crucial.

10. Unique perspective
The other thing we also understand is that we have to bring in service providers who have a
unique perspective on security. One of those partners that we've chosen to help build our cloud
reference architecture with is Symantec.
The next thing that I want to share with you is that it's also an immutable law that the level of
investment that you make in protecting your cloud environment should be commensurate with
the value of the assets that are being burst or hosted in that cloud environment.
At HP, we work with HP Labs and our Information Technology Assurance practice. We've put
together what is now a patent-pending model on how to analyze the security controls, their level
of maturity, in contrast to the threat posture of an organization, to be able to arrive at the right
layer of investment to protect your environment.
We can look at the value of the assets. We can take a look at your budget. We can also do a what-
if analysis. If you're going to have a 10 percent cut in your budget, which security controls can
you most likely cut that will have the least amount of impact on your threat posture?
The last point that I want to talk about, before we open it up to the experts, is that we talked a
little bit about the architecture, but I really wanted to emphasize the framework. HP is a founding
member in ITIL, principal provider of ITSM type services. We are on CSA standards bodies.
We've written a number of chapters. We believe that you needs to have a very cohesive
protection framework for your cloud computing environment.
We're a big believer in, whether it's cloud or just in security, having an information technology
architecture that's defined by layers. What is the business rationale for the cloud and what are we
trying to protect? How should it work together functionally? Technically, what types of products
and services will we use, and then how will it all be implemented?
We also have a suite of products that we can bring to our cloud computing environment to ensure
that we're securing and providing governance, securing applications, and then also trying to
detect breaches of security. I've talked about our reference architecture.
Something that's also unique is our P5 Model, where basically we look at the cloud computing
controls and we have an abstraction of five characteristics that should be true to ensure that they
are deployed correctly.
As I mentioned before, we're either a principal member, contributing member, or founding
member of virtually every cloud security standards organization that's out there. Once again, we
can't do it by ourselves, and that's why we have strategic partners with VMwares and the
Symantecs of the world.
Gardner: Okay. Now, we're going to head over to our experts who are going to take questions.

11. I'd like to direct the first one to Luis Buezo joining us from Spain. There's a question here about
key challenges regarding data lifecycle specifically. How do you view that? What are some of the
issues about secure data, even across the data lifecycle?
Key challenges
Luis Buezo: Based on CSA recommendations, we're not only talking about data security related
to confidentiality, integrity, and availability, but there are other key challenges in
the cloud like location of the data to guarantee that the geographical locations are
permitted by regulations.
There's data permanence, in order to guarantee that data is effectively removed,
for example, when moving from one CSP to a new one, or data backup and
recovery schemes. Don't assume that cloud-based data is backed up by default.
There are also data discovery capabilities to ensure that all data requested by
authorities can be retrieved.
Another example is data aggregation on inference issues. This will be implemented to prevent
revealing protected information. So there are many issues with having data lifecycle
management.
Gardner: Our next question should go to Jan. The inquiries about being cloud ready for dealing
with confidential company data, how do you come down on that?
Jan De Clercq: HP's vision on that is that we think that many cloud service today are not always
ready for letting organizations store their confidential or important data. That's
why we recommend to organizations, before they consider moving data into the
cloud, to always do a very good risk assessment.
They should make sure that they clearly understand the value of their data, but
also understand the risks that can occur to that data in the cloud provider’s
environment. Then, based on those three things, they can determine whether
they should move their data into the cloud.
We also recommend that consumers get clear insights from the CSP on exactly where their
organization's data is stored and processed, and where travels inside the network environment of
the job provider.
As a consumer you need to get a complete view on what's done with your data and how the CSP
is protecting them.
Gardner: Okay. Jan, here is another one I'd like to direct to you. What are essential data
protection security controls that they should look for from their provider?

12. Clercq: It’s important that you have security controls in place that protect the entire data
lifecycle. By data lifecycle we mean from the moment that the data is created to the moment that
the data is destroyed.
Data creation
When data is created it’s important that you have a data classification solution in place and that
you apply proper access controls to the data. When the data is stored, you need confidentiality,
integrity, and availability protection mechanisms in place. Then, you need to look at things like
encryption tools, and information rights management tools.
When the data is in use, it’s important that you have proper access control in place,so that you
can make sure that only authorized people can access the data. When the data is shared, or when
it’s sent to another environment, it’s important that you have things like information rights
management or data loss prevention solutions in place.
When the data is archived, it’s important that it is archived in a secured way, meaning that you
have proper confidentiality, integrity, and availability protection.
When the data is destroyed, it’s important, as a consumer, that you make sure that the data is
really destroyed on the storage systems of your CSP. That’s why you need to look at things like
crypto-shredding and other data destruction tools.
Gardner: Tari, a question for you. How does cloud computing change my risk profile? It's a
general subject, but do you really reduce or lose risk control when you start doing cloud?
Schreider: An interesting question to be sure, because in some cases, your risk profile could be
vastly improved. In other cases, it could be significantly diminished. If you find yourself no
longer in a position to be able to invest in a hardened data center, it may be more prudent for you
to move your data to a CSP that is already classified as a data-carrier grade, Tier 1 infrastructure,
where they have the ability to invest the tens of millions of dollars for a hardened facility that
you wouldn’t normally be able to invest yourself.
On the other hand, you may have a scenario where you're using smaller CSPs that don’t
necessarily have that same level of rigor. We always recommend, from a strategic perspective
when you are looking at application deployment, you consider its risk profile and where best to
place that application and how it affects your overall threat posture.
Gardner: Lois, the next question is for you. How can HP help clients get started, as they
determine how and when to implement cloud?
Lois Boliek: We offer a full lifecycle of cloud-related services and we can help clients get started
on their transition to the cloud, no matter where they are in that process.

13. We have the Cloud Discovery Workshop. That’s where we can help customers in a very
interactive work session on all aspects of considerations of the cloud, and it
will result in a high-level strategy and a roadmap for helping to move
forward.
We also offer the Hybrid Delivery Strategy Services. That’s where we drill
down into all the necessary components that you need to gain business and
IT alignment, and it also results in a well-defined cloud service delivery
model.
We also have some fast-start services. One of those is the CloudStart service,
where we come in with a pre-integrated architecture to help speed up the deployment of the
production-ready private cloud, and we can do that in less than 30 days.
We also offer a Cloud System Enablement service, and in this we can help fast track setting up
the initial cloud service catalog development, metering, and reporting.
Gardner: Lois, I have another question here on products or the security issues. Does HP have
the services to implement security in the cloud?
Boliek: Absolutely. We believe in building security into the cloud environment from the
beginning through our architectures and our services. We offer something called HP Cloud
Protection Program, and what we have done is extended the cloud service offerings that I've just
mentioned by addressing the cloud security threats and vulnerabilities.
We've also integrated a defense in depth approach to cloud infrastructure. We address the people,
process, policies, products improved, and the P5 Model that Tari covered, and this is just to help
to address confidently and securely build out the hybrid cloud environment.
We have service modules that are available, such as the Cloud Protection Workshop. This is for
deep-dive discussions on all the security aspects of cloud, and it results in a high-level cloud
security strategy and next steps.
We offer the Cloud Protection Roadmap Service, where we can define the specific control
recommendations, also based on our P5 Model, and a roadmap that is very customized and
specific to our clients’ risk and compliance requirements.
We have a Foundation Service that is also like a fast start, specific to implementing the pre-
integrated, hardened cloud infrastructure, and we mitigate the most common cloud security
threats and vulnerabilities.
Then, for customers who require very specific custom security, we can do custom design and
implementation. All these services are based on the Cloud Reference Architecture that Jan and
Tari mentioned earlier, as well as extensive research that we do ahead of time, before coming out
with customers with our Cloud Protection Research & Development Center.

14. Gardner: Luis Buezo, a fairly large question, sort of a top-down one I guess. Not all levels of
security would be appropriate for all applications or all data in all instances. So what are the
security levels in the cloud that we should be aware of that we might be able to then align with
the proper requirements for a specific activity?
Open question
Buezo: This is a very open question. Understanding the security level as the real capability to
manage different threats or compliance needs, cloud computing has different possible service
models, like IaaS, PaaS, or SaaS, or different deployment models -- public, private, community,
or hybrid.
Regarding service models, the consumer has more potential risk and less control and flexibility
in SaaS models, compared to PaaS and IaaS. But when you go to a PaaS or IaaS, the consumer is
responsible for implementing more security controls to achieve the security level that he
requires.
Regarding deployment models, when you go to a public cloud, the consumer will be able to
contract the security level already furnished by the provider. If consumer needs more capability
to define specific security levels, he will need to go to community, private, or hybrid models.
My recommendation is that if you're looking to move to the cloud, the approach should be first to
define assets for the cloud deployment and then evaluate it to know how sensitive this asset is.
After this exercise, you'll be able to match the asset to potential cloud deployment models,
understanding the implication of each one. At this stage, you should have an idea of the security
level required to transition to the cloud.
Gardner: Jan De Clercq, our solution architect, next question should go to you, and it’s about
CSPs. How can we as an organization and enterprise that consumes cloud services be sure that
the CSP’s infrastructure remains secure?
Clercq: It’s very important that, as a consumer during the contact negotiation phase with the
CSP, you get complete insight into how the CSP secures its cloud infrastructure, how it protects
your data, and how it shields the environments of different customers or tenants inside this cloud.
It’s also important that, as a cloud consumer, you establish a very clear service level agreements
with your cloud provider, to agree on who does exactly what it comes down to security. This
basically boils down to make sure that you know who takes care of things like infrastructure
security controls and data protection controls.
This is not only about making sure that these controls are in place, but it’s also about making
sure that they are maintained and that they are maintained using proper security management and
operation process.

15. A third thing is that you also may want to consider monitoring tools that can cover the CSP
infrastructure for checking things like availability of the service and for things like integrated
security information and event management.
To check the quality of the CSP security controls, a good resource to get you started here is the
questionnaire that’s provided by the CSA. You can download it from their website. It is titled the
"Consensus Assessments Initiative Questionnaire."
Gardner: Tari, it's such a huge question about how to rate your CSP, and unfortunately, we don’t
seem to have a rating agency or an insurance handicapper now to rate these on a scale of 1-5
stars. But I still want to get your input on what should I do to determine how good my service
provider is when it comes to these security issues?
Incumbent on us
Schreider: I wish we did have a rating system, but unfortunately, it's still incumbent upon us to
determine the veracity of the claims of security and continuity of the CSPs.
However, there are actually a number of accepted methods to gauge whether one's CSP is secure.
Many organizations have had what's referred to as an attestation. Formally, most people are
familiar with SAS 70, which is now SSAE 16, or you can have an ISO 27000.
Basically, you have an independent attestation body, typically an auditing firm, that will come in
and test the operational efficiency and design of your security program to ensure that whatever
you have declared as your control schema, maybe ISO, NIST, CSA, is properly deployed.
However, there is a fairly significant caveat here. These attestations can also be very narrowly
scoped, and many of the CSPs will only attach it to a very narrow portion of their infrastructure,
maybe not their entire facility, and maybe not even the application that you're a customer of.
Also, we found that CSPs many application-as-service providers don’t even own their own data
centers. They're actually provided elsewhere, and there also may be some support mechanisms in
place. In some cases, you may have to evaluate three attestations just to have a sense of security
that you have the right controls in place, or the CSP does.
Gardner: And I suppose in our marketplace, there's also an element of self-regulation, because
when things don’t go well, most people become aware of it and they will tend to share that
information with the ecosystem that they are in.
Schreider: Absolutely.
Gardner: There's another question I'd like to direct to you, Tari. This is at an operational process
level, and they are asking about their security policy manual. If they start to do more cloud
activities -- private, public, or hybrid -- should they update or change their security policy
manual and a little bit about how?

16. Schreider: Definitely. As I had mentioned before, one of the things you want to do is make your
security policy manual extensible. Just like a cloud is elastic, you want to make sure that your
policy manual is elastic as well.
Typically one of the missing things that you'll find in a conventional security policy manual is
location of the data. What you'll find is that it covers data classification, the types of assets, and
maybe some standards, but it really doesn’t cover the triggering, the transborder triggering
aspects.
We strongly encourage organizations to add that nuance to make their policy manuals elastic, and
resist creating all new security policies that people have to learn, so you end up with two
disparate programs to try to maintain.
Gardner: Well, we'll have to leave it there. I really want to thank our audience for joining us. I
hope you found it as insightful and valuable as I did.
And I also thank our main expert guest, Tari Schreider, Chief Architect of HP Technology
Consulting and IT Assurance Practice.
I'd furthermore like to thank our three other HP experts, Lois Boliek, World Wide Manager in the
HP IT Assurance Program; Jan De Clercq, World Wide IT Solution Architect in the HP IT
Assurance Program, and Luis Buezo, HP IT Assurance Program Lead for EMEA.
This is Dana Gardner, Principal Analyst at Interarbor Solutions. You've been listening to a special
BriefingsDirect presentation, a sponsored podcast created from a recent HP Expert Chat
discussion on best practices for protecting cloud computing implementations and their use.
Thanks again for listening, and come back next time.
View the full Expert Chat presentation on cloud adoption best practices.
Listen to the podcast. Find it on iTunes/iPod. Sponsor: HP
Transcript of a BriefingsDirect podcast on the role of security in moving to the cloud and how
sound security practices can make adoption easier. Copyright Interarbor Solutions, LLC,
2005-2012. All rights reserved.
You may also be interested in:
• Expert Chat with HP on How IT Can Enable Cloud While Maintaining Control and
Governance

17. • Expert Chat on How HP Ecosystem Provides Holistic Support for VMware Virtualized
IT Environments
• Continuous Improvement and Flexibility Are Keys to Successful Data Center
Transformation, Say HP Experts
• HP's Liz Roche on Why Enterprise Technology Strategy Must Move Beyond the
'Professional' and 'Consumer' Split
• Well-Planned Data Center Transformation Effort Delivers IT Efficiency Paybacks, Green
IT Boost for Valero Energy
• Hastening Trends Around Cloud, Mobile Push Application Transformation as Priority,
Says Research