#CiscoChampion Radio is a podcast series by Cisco Champions as technologists. Today we’re talking with Cisco Compliance and Data Privacy Leader Evelyn De Souza, about Cloud Security. Brian Remmel (@bremmel) moderates and Andres Sarmiento and Denise Fishburne are this week’s Cisco Champion guest hosts.
That is the approximate number of cloud services that Ken Hankoff, Manager of Cisco IT Risk Management’s Cloud and Application Service Provider Remediation (CASPR) Program believes Cisco’s 70,000 employees use. For the last 14 years, this program has assessed and remediated risks associated with using a cloud-hosted service.
An assessment process for new cloud services is a vital step toward reducing the risk of using externally hosted services. Many customers I speak with struggle to rapidly assess cloud services and integrate them into their IT organization. As part of my blog series on governing cloud service adoption, I asked Ken to share some of his ‘lessons learned’ in assessing the risks of cloud services and bringing them into Cisco IT’s fold.
How do you ensure that teams wanting to use new cloud services work with your team?
Our team is not in the business of sourcing cloud vendors. That responsibility lies with the individual business units and their architecture teams who are seeking to use the service, often in partnership with IT. Once a vendor is selected, there are two primary ways in which my team gets engaged. First, through the Global Contracts team as they have made Cloud Service Provider assessment a part of the contracting process, and second when a new service is being integrated within IT.
How do you evaluate whether a new cloud service is risky to the business?
We look at seven risk factors to create a formula for risk—business criticality, financial viability, security, resiliency, architectural alignment, regulatory compliance, and assessment status.
We establish the business criticality of the service to determine how Cisco would be impacted or disrupted in the event the capability provided by the vendor would go away, and whether we could react or compensate.
We then look at the financial viability of the vendor to give us comfort that they will remain in business. To evaluate vendors we leverage Dun & Bradstreet’s Predictive Scores & Ratings. We rely heavily on Cisco’s Information Security (InfoSec) organization to provide us with a Security Composite Risk score. Depending on the parameters of the cloud provider engagement, InfoSec will look at the vendor’s application development process, infrastructure, data handling security, system-to-system interoperability, and other areas. For resiliency we focus on how they meet our standards around business continuity and disaster recovery to ensure that our business data will be there when needed, regardless of what happens.
We also need to ensure that we stay compliant with regulations. A vendor that has to comply with HIPAA, SOX, or other regulatory/privacy requirements poses a higher risk than one that doesn’t. For this reason, we look into whether regulatory compliance is a factor, and if so, that it is addressed appropriately.
Finally, we also assess if the vendor aligns to the broader architecture that Cisco IT is investing in to support the business. Vendors are deemed higher investment risk if they do not align to the business and operational roadmap that Cisco is pursuing.
We reassess vendors on a periodic basis according to their overall risk score. If a service is overdue for a reassessment, that in itself increases the risk of doing business with the provider, so we factor it in.
In your opinion, what are the three most important things to manage the business risks of cloud services?
First, I would suggest establishing ownership and governance of cloud services via a centralized PMO at enterprise level, not just within IT. This ownership needs to go beyond just assessing vendors for security risk, and focus on establishing company-wide policies for overseeing cloud services at the enterprise level.
Second, provide visibility into existing services and how they are being used. This helps enable a catalog of assessed and approved vendors for people to access. If you can have fewer vendors being used, you can reduce your risk.
Third, continually monitor services across the board to know what risks we might be facing, and ensure that the service providers are meeting their SLAs. Additionally, this helps to ensure that investments aren’t being wasted. There is a natural CSP application lifecycle – selection, implementation, adoption, and eventually that service usage might decline and you may end up supporting something that has very few users if you don’t have a lifecycle approach to phasing out services.
What is your biggest lesson learned in assessing new cloud services?
I wish the program had collected more metrics earlier. What we are finding is that there are a significant number of services being contracted all over the company. By collecting really good metrics we might have been more effective in showing executives what services are being used, who is using them, and how. We are making good progress on this now, but I wish we started earlier.
How are you monitoring cloud services and gathering this intelligence?
Our professional service team has helped us a great deal. With the Cisco Cloud Consumption Services, we have begun to capture an enterprise view of what cloud services are being used, by whom and have a great dashboard of metrics we can now use to inform Cisco executives. I never imagined before we were using the software that we had nearly 2,000 cloud services in use, but with Cisco Cloud Consumption we now know and can monitor activity.
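The visibility Ken describes (a catalog of assessed vendors, reassessments that fall overdue and so raise a vendor's risk, and metrics on who is using which service) can be approximated from ordinary web-proxy logs. The following Python is an added example written for this page, not Cisco IT's CASPR tooling or the Cisco Cloud Consumption product; the proxy log format, the catalog fields, the risk tiers and the reassessment intervals are all assumptions chosen for the illustration, and the log lines and catalog entries are constructed sample data.

```python
"""Shadow-IT triage: match proxy-log hosts against an approved cloud-service
catalog, list unapproved services and their users, and flag vendors whose
periodic reassessment is overdue.

Added illustration; not Cisco IT's own tooling. Log format, catalog fields,
risk tiers and reassessment cadence are assumptions for this example.
"""
import re
from collections import defaultdict
from datetime import date, timedelta

# Reassessment cadence by risk tier (assumption: the interview only says
# vendors are reassessed "on a periodic basis according to their overall
# risk score").
REASSESS_DAYS = {"high": 180, "medium": 365, "low": 730}

# Approved-vendor catalog (constructed sample). Keys are DNS suffixes that
# the vendor's service is reached through.
CATALOG = {
    "crm.example-saas.com":   {"service": "ExampleCRM", "tier": "high",   "assessed": date(2014, 1, 10)},
    "files.cloudbox.example": {"service": "CloudBox",   "tier": "medium", "assessed": date(2014, 9, 1)},
    "wiki.teamdocs.example":  {"service": "TeamDocs",   "tier": "low",    "assessed": date(2012, 3, 5)},
}

# Constructed proxy log, one request per line: "<date> <user> <host> <bytes>".
# The last line is deliberately malformed to show that bad lines are skipped.
SAMPLE_LOG = """\
2015-03-02 alice crm.example-saas.com 48213
2015-03-02 bob api.crm.example-saas.com 1200
2015-03-02 carol files.cloudbox.example 9900
2015-03-03 dave notes.unknown-app.example 3021
2015-03-03 alice notes.unknown-app.example 5113
2015-03-03 erin wiki.teamdocs.example 700
malformed line here
"""

# Reference date for the overdue calculation (assumption for the sample run).
TODAY = date(2015, 3, 10)

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\S+) (\S+) (\d+)$")


def lookup(host):
    """Return the catalog entry whose DNS suffix matches host, else None."""
    for suffix, entry in CATALOG.items():
        if host == suffix or host.endswith("." + suffix):
            return entry
    return None


def parse_log(text):
    """Yield (day, user, host) for well-formed lines; silently skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def triage(log_text, today):
    """Group observed users by approved service, collect unapproved hosts with
    their users, and compute how many days each catalog vendor is overdue."""
    users = defaultdict(set)
    unknown = defaultdict(set)
    for _, user, host in parse_log(log_text):
        entry = lookup(host)
        if entry is None:
            unknown[host].add(user)          # shadow IT candidate
        else:
            users[entry["service"]].add(user)
    overdue = {}
    for entry in CATALOG.values():
        due = entry["assessed"] + timedelta(days=REASSESS_DAYS[entry["tier"]])
        if today > due:
            overdue[entry["service"]] = (today - due).days
    return {
        "users_by_service": {s: sorted(u) for s, u in users.items()},
        "unapproved": {h: sorted(u) for h, u in unknown.items()},
        "overdue_days": overdue,
    }


def run_sample():
    """Run the triage over the constructed log as of TODAY."""
    return triage(SAMPLE_LOG, TODAY)


if __name__ == "__main__":
    for section, value in run_sample().items():
        print(section, value)
```

On the sample data the report shows ExampleCRM and TeamDocs past their reassessment date, CloudBox current, and one host (notes.unknown-app.example) in use by two people with no catalog entry at all, which is exactly the kind of service the contracting and integration hooks described above would never have seen.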
As organizations seek ways to maintain real-time connections with their workforce and customers in an increasingly digital and mobile-centered world, the growth of mobile cloud will be a major force in shaping the business landscape and future tech decisions. The first blog post in this series, by Padmasree Warrior, explores how the convergence of mobility and cloud will deliver unprecedented transformation for all organizations. The second blog post in this series, by Sujai Hajela, answers the question of what mobile cloud really is and how it continues to provide new business opportunities. In the third post, Joe Cozzolino looks at what mobile cloud means for service providers and enterprises. And finally, this post will discuss the need for end-to-end security in a mobile cloud environment.
Mobile cloud services are growing exponentially in both number and scope. According to a report from Smith’s Point Analytics released late last year, mobile cloud services platforms are projected to grow over the next four years from US$579 million to a staggering US$4.4 billion in 2017.
As a Cloud Architect, I’ve had the privilege to work with CTOs and CIOs across the globe to uncover the key factors driving Business Continuity and Workload Mobility across their cloud infrastructures. We’ve worked with enterprises, large and small, and service providers to answer their top five concerns in our new Business Continuity and Workload Mobility solution for the Private Cloud.
1) Can you provide business continuity, workload mobility, and disaster recovery for my unique mix of applications, with lower infrastructure costs and less complexity for my operations teams? Yes.
2) Can you provide a multi-site design that reduces business outages and costly downtime, allowing my critical applications to be more secure and available? Yes.
3) Can my operations teams perform live migrations of applications across sites while maintaining user connections, security, and stateful services? Yes.
4) Does your multi-site solution allow me to utilize idle standby capacity during “normal” operations, and reclaim that capacity as needed during an outage event? Yes.
5) Can your Cisco Validated Design greatly reduce my deployment risks and simplify my design process, saving my business significant time, money, and resources? Yes.
A Proven Multi-site Design, Built on the Most Widely Deployed Cloud Infrastructure
We addressed each of these pain points as we designed, built, and validated our new multi-site business continuity and workload mobility solution. Our multi-site solution is built upon Cisco’s cloud foundation, the Virtual Multi-service Data Center (VMDC) that’s been deployed at hundreds of the world’s top enterprises and service providers. In our latest VMDC release, we’ve extended our cloud design to support multi-site topologies and critical use cases for private cloud customers. This validated design simply connects regional and long-distance data centers within your private cloud to address some critical IT functions, including:
application business continuity across data center sites;
stateful workload mobility across data center sites, while maintaining user connections and security;
application disaster recovery and avoidance across data center sites; and
application geo-clustering and load balancing across data center sites.
Choose the Cloud Infrastructure that Fits Your Unique Business Needs
The VMDC Business Continuity and Workload Mobility solution (CVD Design Guide) is grounded in the reality of today’s cloud environment, providing different design choices that match your applications’ needs. We realize there is no “one size fits all” cloud design; that is why we support both physical and virtual resources, multiple hypervisors and storage choices, and security-compliant designs with industry certifications like FISMA, PCI, and HIPAA.
Key Factors Driving Business Continuity and Workload Mobility in the Private Cloud
Organizations are rapidly moving critical data into the cloud, yet they still have serious concerns about security and other business risks. Read Bob Dimicco’s blog to learn several important steps companies can take to mitigate the risks of cloud services, such as uncovering shadow IT, assessing data security, and instituting cloud-specific employee policies.