Should I Build or Should I Buy Now?

Cloud computing is here to stay. Like it or not. But how does a cloud computing user know if the system is safe to store and process vital business and personal data? How do cloud service providers build the necessary trust, manage risk, and protect vital data in cloud systems?

You need the flexibility, scalability, and potential cost savings that cloud services deliver. But should you build your own, or buy your services? The answer is heavily dependent on your organization’s capabilities, resources, and capital and/or operational budgets. Both approaches require a comprehensive risk assessment and a business resumption plan. However, what happens in between is very different.

Building a private cloud

If you are going to build a private cloud, you first need to know your capabilities and risk tolerance. This is a detailed assessment that covers the people, processes, and technology that comprise the cloud service, and potential consequences or risks should certain security controls fail or something else goes wrong.

A risk assessment does not comprise statements like “the risk is medium.” What are decision makers to do with such a vague statement? It is essential to measure and quantify risks. If you cannot express the loss expectancy and the probability of that loss, you do not fully understand the risk. It is not easy, and it requires experienced personnel that can clearly and concisely articulate the risks to the appropriate decision makers.

To properly manage risk, a risk management framework is needed and it must be continually monitored and assessed for inertia, institutional bias, incorrect or outdated assumptions, etc.¹ There are well-established security and risk management frameworks to choose from, such as ISO 27001 or SOC.

These are less prescriptive than some sector-specific frameworks like FedRAMP, which is geared specifically for U.S. government customers. However, FedRAMP has its merits too in the private sector as it is based on several NIST standards like NIST SP 800-53. These frameworks tend to apply to specific markets and operating models, but there is little reason not to go with at least one of these for your risk management activities. They provide reasonable baseline requirements for security controls of a cloud service and operation.

The next steps are implementation and operation. Once you have identified the appropriate security controls, you need to implement them across the service organization. This requires investing in people with the necessary skills and expertise, which may be the biggest challenge. Some countries, regions, and industries are experiencing acute shortages of skilled security personnel.

If you have overcome this issue, then the team needs to review and redesign business processes to ensure that the security controls are implemented correctly and routinely maintained. Simply applying new security controls to existing processes can result in large inefficiencies, gaps in coverage that can eventually lead to service outages, or worse, a breach.

Finally, once your private cloud is operating, you need to continuously monitor and test the systems and controls against a changing set of regulations, standards, technology, applications, threat landscape, and vulnerabilities. Not doing this on a continual basis leaves the organization vulnerable to advanced emerging threats, leaks from new data or applications, or other unanticipated changes to the environment.

Buying public cloud services

If you are going to buy public cloud services, the first step is to understand the service and service provider. You need to ask and verify that the service provider has adequate security and privacy controls and has implemented some sort of formal risk management framework that is in your best interest. What frameworks have they implemented? Do they have any third-party certifications? Do they continually monitor and test their security controls? How do they resolve security issues and in what timeframe?  Essentially, you are looking for formal attestation or third-party verification of their security controls and that they are doing the right things.

The next step is to look at the contract terms and conditions. Service-level agreements (SLAs) are important contract clauses that warrant special attention. It is important to choose or negotiate the minimum level that meets your needs, so that you are not paying for service levels beyond your requirements. You also need to verify that you are receiving the necessary service level, and be clear on the penalties and remedies available should the service provider not meet its obligations.

Once you have chosen your provider, you need to audit routinely. Situations change, regulations change, and certifications expire. If you are not auditing routinely to verify that the provider’s operations are still delivering the required and stated security controls that meet your risk tolerance, then you are doing yourself a disservice.

Business resumption

Finally, things can and do go wrong. Regardless of whether you build or buy, you need business resumption plans that cover a wide range of scenarios. Whether it is catastrophic failure of a data center, bankruptcy of a cloud provider, merger or acquisition, or a data breach, you need to be prepared so that you can respond immediately and appropriately, and keep your business operating. Business resumption plans also need to be routinely tested and adapted to evolve with your business.

¹Steve Grobman and Allison Cerra, The Second Economy: The Race for Trust, Treasure and Time in the Cybersecurity War (New York: Apress Media, 2016).