White paper. Secure Cloud Services: An Integrated Approach

Transcription

1 White paper Secure Cloud Services: An Integrated Approach Edition October 2013

2 Whitepaper Information Management Secure Cloud Services: An Integrated Approach Edition October 2013 Copyright 2013 EXIN All rights reserved. No part of this publication may be published, reproduced, copied or stored in a data processing system or circulated in any form by print, photo print, microfilm or any other means without written permission by EXIN. ITIL is a Registered Trade Mark of AXELOS Limited. 2

3 Introduction Cloud Computing is changing the way IT services are developed, procured and delivered. Amidst all the hype about Cloud, this much is as clear as a bell. Many IT roles will change radically, or even may be eliminated completely, but new opportunities will also arise for professionals with business expertise, a broad understanding of IT developments and the skills necessary to integrate specializations and bring specialists together. For professionals willing to seize these opportunities, there are many courses and certifications available to provide them with knowledge in one of the relevant fields or prepare them for a specific role in the development and delivery of Secure Cloud Services. What has been missing is training and a certification based on the integration of the main subjects related to selecting and delivering Secure Cloud Services, a program based on the most important principles that is focused on their interconnection. In this White Paper, EXIN presents such a program: the EXIN Certified Integrator in Secure Cloud Services. 3

4 The EXIN Certified Integrator in Secure Cloud Services Cloud Computing is an example of a clear trend where organizations are regaining control over their information management, supported (and no longer being led) by IT. This is creating a new wave of professionalism, as was elucidated in the EXIN White Paper on Information Management, Building great organizations through Information Management: The People Factor. The future lies in developing individuals and providing them with the skills and the essential mindset for building great organizations. The next generation of professionals in Information Management, including those defining their roles as IT experts, will need a non-it-centric approach and a capacity to exploit the opportunities offered by IT. They will need the right knowledge, skills and attitude to ensure a more efficient and effective performance by their organization, to explore possibilities of new ways of conducting business, and to establish new businesses. Looking at the skillset of this EXIN Certified Integrator in Secure Cloud Services, there is a quite generic starting point: knowledge and understanding of how IT can support and transform the business. It is important that such knowledge and understanding is not confined to a specific job role or framework, but shared amongst a large group of professionals, on the business side, in the IT department and in IT service provider organizations. This requires a common understanding of the most essential principles, practices and techniques, the basis for professional cooperation and communication. There is a need for an integrated approach, starting at a foundational level, where business challenges, IT practices and new technological developments are brought together. The EXIN Certified Integrator in Secure Cloud Services meets exactly this need, combining business concerns (Information Security), with new technological developments (Cloud) and best practices (Service Management). As Prakash MS, Vice-president of HP s IT Infrastructure Services stated in a recent interview: Cloud, Information Management and Security will have a big role to play in the next 5 to 7 years, and the binding factor for all of this will continue to be Service Management. 4

5 Secure Cloud Service Cloud Computing, providing IT related services through the Internet, allows flexible IT solutions to support the business, based on clear service arrangements. Technically speaking, Cloud Computing is more an evolution than a revolution. It is a combination of technical developments that has led to a new way of dealing with data, applications and services that is making fundamental changes to the relationship between IT and business. Such changes tend to generate hype, blurring the difference between promises and reality. But companies no longer need to own their hardware and software. People have access to their workplace or personal documents, music and photos wherever they are: this is the reality of today. Cloud Computing is the state-of-the-art way to provide and use IT services. Cloud-based services involve a lot more than just contracting the use of an application hosted in a datacenter connected to the web. As with all other services, they need management, monitoring and support. Most of all, they need clear arrangements between customers and suppliers. When considering Cloud Services, two major issues stand out: information security and service quality. Security and reliability have been identified as the main reason organizations are reluctant to turn to Cloud-based IT services. To address these issues, a wealth of best practices and standards can be mobilized, but application of these practices and standards requires an understanding of both their essentials and the principles of Cloud Computing. 5

6 Service Management Whereas understanding Cloud Computing is based on the knowledge of how IT services are built and delivered, knowledge of Service Management is necessary for understanding the processes required to manage availability, security and continuity of these services. In dealing with Cloud Services provided by third parties, Service Level Agreements play a major role, especially in ensuring that changes, incidents and problems are dealt with appropriately. Without going into too much technical detail, the international standard for IT Service Management, ISO/IEC 20000, is an excellent starting point for getting a grip on these often-complex issues. IT Service Providers can also leverage their certification against this standard to reassure their customers that they are in control of their Service Management and that their Service Management System is being independently audited on a regular basis. The ISO standard for IT Service Management can be used to identify the core of good Service Management, without diluting principles to textbook recipes. For Cloud Services in particular, it is important to remember that services are based on agreements with customers and hence on alignment of service provision with business needs. To deliver such services, other agreements with suppliers have to be in place in order to underpin the service levels agreed with the customer. Deployment of the service should be controlled, e.g., using the change management process, and services must be supported as well. The ISO/IEC guidance for IT Service Management focuses on the support and control of all these necessary steps in the design and delivery of services by the management system. This quality approach enables organizations to learn from their experience, adjust and improve in ever changing circumstances. This approach changes Service Management into a journey toward success as opposed to becoming the next failing project. One thing is for sure, in implementing Cloud Services as well: there will be mistakes and failures, so you need to be prepared to learn from them. 6

7 Information Security Management A recurring nightmare for many CIOs is sensitive data and software being stolen or corrupted by hackers. Introducing Cloud Computing does not seem to automatically ensure that they can sleep. Securing Cloud Services requires a combination of understanding Cloud Computing and the principles of Information Security Management. Such principles can be found in the international standard for Information Security Management, ISO/IEC Certification of the service provider against ISO/IEC should be a major consideration in the selection of a Cloud Service supplier. Information Security and Service Management are tightly interlinked and Cloud Computing makes a seamless integration even more urgent. The approach of the ISO standards for Information Security Management and Service Management, both based on the continual improvement cycle of Plan, Do, Check and Act, greatly facilitate such an integration. Migrating services into the Cloud and thus outside the company s security perimeter, raises many new security and privacy issues. Extensions of the ISO/IEC series to address Cloud security and privacy are in preparation, showing how to best apply the principles of the ISO/IEC standard to the latest technology for service provision. One lesson learned from Cloud Service deployment in recent years is that information security professionals need to be involved. In one study on the security of server virtualization, Gartner found that in 60% of the cases, the virtualized servers were less secure than the original ones; 40% of the organizations had not bothered to involve security specialists in their projects. Not that Cloud Computing is inherently insecure but, as Neil MacDonald, Gartner fellow and vice president, put it: "Most virtualized workloads are being deployed insecurely. The latter is a result of the immaturity of tools and processes and the limited training of staff, resellers and consultants." 7

8 The People Factor Bringing Cloud Computing, Information Security and Service Management together in processes and tools is one thing, but it is people that make it all happen. At every conference on Service Management, Information Security or Cloud Computing, practitioners presenting their experience warn the audience that getting people on board was the most important and most difficult aspect of their initiative. Getting people on board, getting the organization to benefit from their experience, professionalism and creativity is often defined as communication. But communication without a shared understanding and common language is bound to fail. The EXIN Certified Integrator in secure Cloud Services is designed to overcome the barriers of misunderstanding between professionals, especially where new technologies or process innovations need to be implemented. It provides a foundation of common knowledge and mutual understanding of vocabulary. Each of the EXIN Foundation programs has been developed and kept up to date in cooperation with international experts in their specific field. The Foundation programs cover the essential principles and basic concepts, while paying extra attention to the relationship with peripheral subjects. Foundation training accredited by EXIN is interactive, contains practical examples, and pays attention to the issues brought up by the attendees. The EXIN Certificates ensure that the intended learning outcomes have been thoroughly tested and achieved. If you want to have your organization certified, you definitively want to have your staff certified. 8

9 The EXIN Certified Integrator in Secure Cloud Services For the EXIN Certified Integrator in Secure Cloud Services, EXIN has developed a program around the foundations of Cloud Computing, Information Security and Service Management which covers the building, management and securing of modern IT services. Combining these three foundation modules offers a range of advantages: Combined training offers an opportunity to bring together representatives from all three disciplines Cloud Computing is a rich source of excellent state-of-the-art examples of Information Security and Service Management issues In-depth review of the interconnection between the three subjects The combination of certificates for each of the three subjects adds value to each individual subject. The target audience for the EXIN Certified Integrator in Secure Cloud Services includes business and IT managers, project/program managers, service designers, IT architects and/or planners, IT consultants, IT auditors and IT security staff. 9

10 The EXIN Cloud Computing Foundation The syllabus of EXIN s Cloud Computing Foundation covers: The Concept of Cloud Computing Including the technical evolution toward Cloud Computing, the main delivery and service models and architectures and the drivers and limitations of Cloud Computing Implementing and Managing Cloud Computing Including the main components of Cloud Services, their relationships and the Service Management principles that apply for Cloud Computing Using the Cloud Including the different ways users access the Cloud, how Cloud Services can be used by the business and how service providers can use the Cloud Information Security and Compliance Including risk management and managing identity and privacy in the Cloud Evaluation of Cloud Computing Including the business case for Cloud Computing and evaluating Cloud Computing implementations The subjects of Implementing and Managing Cloud Computing and Information Security and Compliance have a clear link to the other two modules in the EXIN Certified Integrator in Secure Cloud Services: Information Security and Service Management. In combination with the EXIN Cloud Computing Foundation, these modules help to provide a deeper understanding of the Service Management and Information Security issues in delivering Cloud Services. 10

11 The EXIN It Service Management Foundation The IT Service Management Foundation syllabus describes the key information and concepts for IT Service Management based on ISO/IEC as well as its relationships with other areas of information management. This course builds the fundamental skills and knowledge enabling one to participate in organizational teams working within Service Management. Emphasis is on the Service Management System (SMS) and Service Management processes, specifically the core concepts and basic terminology of IT Service Management based on ISO/IEC 20000:2011. The syllabus of the IT Service Management Foundation module includes: Core concepts of Service Management and quality frameworks Including the principles of process-based Service Management and the role of quality frameworks The Service Management System (SMS) and the value and application of the PDCA cycle Including the objectives, roles and governance principles associated with the management system and the application of continual improvement principles to Service Management High-level concepts around service design and transition Including the planning, design and transition of new or changed services Including the objectives, quality requirements, activities and practical application of the main IT Service Management processes The focus on the quality approach and the Service Management System provides a natural link to Information Security based on ISO/IEC Both modules can be used in combination to increase quality awareness, provide a better understanding of the quality approach and emphasize the commonalities in managing services and Information Security. The subject of the Service Management processes is ideal for using real world practical examples illustrating how quality requirements and activities of the Service Management processes will be affected by implementing Cloud Computing and Information Security measures. The EXIN IT Service Management Foundation is also part of the EXIN IT Service Management certification program based on ISO/IEC The EXIN IT Service Management Foundation certificate provides the basic knowledge required in the rest of the program (e.g., the Auditor, Manager and Executive Consultant certificates). For more details please refer to our website 11

12 The EXIN Information Security Foundation One of the objectives of the EXIN Information Security Foundation is to raise the awareness that information is valuable and vulnerable, and to learn which measures are necessary to protect information. This module provides the basic concepts and principles of Information Security and the organizational arrangements (the management system) that should be in place to secure the confidentiality, integrity and availability of an organization s information. The syllabus of the EXIN Information Security Management Foundation includes: Information and security Including basic concepts of information and its value Threats and risks Including the relationship between threats, risks and the reliability of information Security policy and the set-up of Information Security Including the components of security policy, security organization and the management of (security) incidents Security measures Including physical, technical and organizational measures Legislation and regulations Including examples of legislation, regulations and possible security measures Several subjects in this syllabus offer opportunities to discuss Cloud Computing-related issues and point out the relationship with IT Service Management processes. The EXIN Information Security Foundation is also part of the EXIN Information Security certification program based on ISO/IEC The EXIN Information Security Foundation certificate provides the basic knowledge required in the rest of the program (e.g., the Advanced and Expert certificates). For more details please refer to our website 12

13 An Integrated Approach Each of the three EXIN Foundation modules will contribute to the better understanding of how to provide Secure Cloud Services, however an integrated approach will also exploit the full potential of the EXIN Certified Integrator in Secure Cloud Services. In studying Cloud Computing, Service Management and Information Security in their shared context, students get a better understanding of their relationships. Using the links and suggestions described in this White Paper, students and trainers will be able to provide examples and real world case studies to illustrate how the emerging technologies in Cloud Computing can be utilized to achieve secure and reliable service to the benefit of their organization. Acknowledgements EXIN would like to thank its customers, partners and champions for their input, which has helped form EXIN s overall vision on the EXIN Certified Integrator in Secure Cloud Services. In particular EXIN would like to thank the following people for their contribution to this White Paper: Lynda Cooper, Director, Service Ltd. Pierre Bernard, CTDP, ITIL Expert 13

14 Contact EXIN Website: 14