Cloud technology has gained wide acceptance across multiple industries and is often touted as the future way of doing business. The company in consideration here- Better Payments Incorporated is a multinational payments organization that provides electronic payment cards to its customers. The company’s CIO has been entrusted with the immediate goals of reducing cost, increasing security and driving a technology enabled geographical expansion. This case study analysis paper will look into the ways and means for the company to achieve its goals through the adoption of cloud technology. The roadmap for the CIO to help the company achieve its goals is presented as the response to the questions asked.
Cloud Deployment Model:
Selecting the right cloud deployment model is highly critical for BPI to achieve its goals and thereby stay competitive. By moving to cloud technology, BPI aims to achieve a controlled technology landscape that is scalable, available, cost effective and secure. The deployment model should be able to balance these parameters in favor of BPI. In addition to this, the size of the organization, current financial scenario and the present infrastructure background also comes into play while deciding upon the most suitable cloud deployment model.
Based on the assessment by considering these factors, it is recommended that BPI adopt a two stage cloud deployment strategy. For the short to medium term, it is advised to adopt the hybrid cloud deployment model that will help to address the concerns and pave the way for future expansion. Once the goals are achieved, BPI can eventually move into the private cloud model, which will enable the company to have a complete hold of matters. For the purpose of this assessment, the hybrid model is considered. The major advantage of hybrid model is that in incorporates the positives of both the public and private cloud models. It offers the best of both worlds where the company can classify its data and applications depending on the confidentiality and availability in either a public or in-house cloud. Ideally, for a company operating in the financial sector, it is best advised to go after the private cloud, but that requires significant investments both in owning and maintaining. A private cloud also requires highly qualified technicians to maintain it, which all add to the operational costs. Hybrid cloud also helps to overcome the security issues associated with the public cloud, while making use of its benefits such as scalability, availability and cost effectiveness. In this case, it is recommended to house the company’s web servers in the public cloud that will ensure scalability and availability and store the sensitive data in the company’s own private cloud. By doing so, the company can limit the infrastructure set up expenses and can even re-use the available hardware. A direct mapping of the hybrid model’s uniqueness vis-à-vis the business objectives of BPI is provided below-
Quadruple the transaction volume- One of the major benefits of the hybrid model is its scalability. The transaction applications used by the company’s customers can be hosted in the public cloud, where the scalability is virtually limitless. This helps BPI in seamless enhancement of its transaction volumes without making any significant hardware investments.
Decrease Capital Expenditure- Yet another major benefit of the hybrid model is the reduced capital expenditure as a large number of applications are stored and run by utilizing the public cloud. This reduces the investment, which otherwise would have required on servers, computers, personnel and the related infrastructure.
Reduce disk storage- Hybrid model enables minimal disk storage as a good amount of data will be hosted on the public cloud and the company will be saved from the chores of maintaining the data in their own servers.
Online sales lead and tracking application- The online sales lead and tracking application can be hosted on the public cloud whereas the data generated can be stored in the private cloud.
Disaster recovery capability- Access to both the private and public clouds ensures a foolproof disaster recovery capability. BPI possesses the capability to move data between the clouds and in the event of a disaster, the company can migrate the data to the public cloud, albeit temporarily.
It should also be noted that the hybrid model comes with its own set of risks as well. One of the major challenges of hybrid model is its complexity of management . Seamless movement of data and other applications poses its own set of challenges and requires expert supervision. Other typical challenges include interface incompatibility, network connectivity and availability .
Cloud Service Delivery Model
Considering the technology and business landscape that BPI is operating in along with their future goals and in conjunction with the hybrid cloud set up recommended above, it is advised that BPI should go after the Software as a Service (SaaS) delivery model. In SaaS model, the entire application can be accessed by the customers of BPI by using a web interface connected by internet . SaaS will help the customers of BPI in accessing the electronic payment processing platform. Effectively, the service delivery, i.e. creation of electronic payment instruments by BPI’s customers will be catered through by deploying the SaaS model. The customers of BPI will be able to access the platform and make transactions by accessing it through the web. Depending on the criticality, the applications can be hosted on either the public cloud or the private cloud. Let us now look into how the SaaS model uniquely addresses the four business objectives of BPI.
Increasing the transaction volume- BPI has a fluctuating transaction volume that peaks during the months of November, December and January. They need to scale back after this to more appropriate levels. In this scenario, the SaaS delivery model comes in as handy as it accommodates periodical expansion and contraction of end users. The application that is hosted on the public cloud can be scaled up or down quickly with the public cloud. As the critical applications are not opened for the customers, they can be hosted on the private cloud; hence the matter of scalability does not arise. The concern of security is addressed as the data generated will be stored in the private cloud.
Cost effectiveness- Most of the SaaS delivery models are priced on a ‘pay-per-use’ mode. It offers the scope of limitless expansion as the corresponding server space can be purchased from the service provider. Hence there is no requirement of spending on any infrastructure cost here.
Quicker data sharing- As the applications are hosted in the hybrid cloud and delivered in a SaaS model, the data can be shared across locations very quickly. It also helps the company to ramp up their resources quickly.
Online sales application- The online sales application hosted on the public cloud can be delivered through the SaaS delivery model, which will help BPI to better coordinate their business development activities.
Some of the drawbacks of SaaS include absence of foolproof security of customer information as the public clouds are generally vulnerable to external threats compared to the public clouds. As scalability and availability are critical here, the application can be hosted on the public cloud only. However, as the data captured are stored in the private cloud storage mechanism, which is highly secure, the threat can be negated to some extent. Still the data entry made through the publically hosted application requires constant monitoring from the service provider.
SaaS Delivery Model and Security
Security activities have to be initiated from both BPI as well as the cloud service provider in order to ensure business continuity and avoid losses arising out of any blackouts. SaaS delivery models are particularly vulnerable as they are mostly adopted for those applications that are hosted in a public cloud. This section will first look into the activities that are the responsibilities of BPI followed by those that are the responsibilities of the cloud service provider based on the CSA guide.
The following are the major responsibilities that should be addressed by BPI -
Assess the Risks- Identifying and measuring the risks involved is a critical activity that has to be initiated by BPI. Creation of checklists and quantifying the risks associated with the SaaS application should be the pre-requisites to adopt the new technology. Various operational dependencies, costs, time involved and evaluating the vendor credentials are of utmost importance in ensuring the success of the cloud.
Contingency Planning- The contingency plans should be devised with the target of achieving zero disruption to the business under any circumstances. Creation of software escrow, option of keeping an alternate SaaS vendor, scheduled automation scripts for data archival, moving to the private cloud etc. are some of the plans that BPI should consider.
Effective Execution- Proper documentation of the contingency plans, identifying the team, performing audits and conducting mock drills are the ways to ensure effective execution of the plan. BPI should be able to recover, restore and resume operations in minimum turnaround time and without causing any loss to the business.
The following are the major responsibilities that should be addressed by the service provider -
U.S. Federal and State Laws- Several federal and State laws and associated regulations mandate the cloud service provider to adopt security and privacy measures while dealing with the client’s data.
Contractual Obligations- Cloud service providers are bound by contractual obligations made with their clients who are related to security of the data handled. It is the responsibility of the cloud service provider to adhere to these obligations regarding handling and usage of the data.
Document Availability- The cloud service provider should ensure the availability of the documents like its employee background check reports, NDAs, user access administration documents, access control related documents, roles and responsibilities matrix etc.
Security infrastructure- The service provider should ensure that its premises are secure and must include intrusion prevention systems, anti-virus, firewall, network intrusion prevention system, log monitoring, file monitoring, web application protection, etc. .
Security Guard- Round the clock availability of security staff that includes guards, supervisors and officers at the service provider’s facility. CCTV monitoring and patrolling the premises are also mandatory.
Environmental security- The service provider is also responsible in ensuring equipment and location protection, maintenance and proper disposal
Testing and Audit- Regular maintenance checks, testing of the infrastructure and periodical audits are the other mandatory requirements that the cloud service provider should adhere to.
Approaching the CSA domains
CSA has consolidated the cloud computing security into 13 domains which serves to provide targeted and insightful recommendations . This section will provide recommendations on how BPI should approach each of these 13 domains for cloud based services it decides to implement.
Domain 1: Cloud computing architectural framework- As the first step, BPI should put the framework in place by choosing hybrid deployment model, SaaS service models and establish the cloud security reference model.
Domain 2: Governance and enterprise risk management- It is of utmost importance for BPI to establish a well-developed security governance process which has the capacity to scale up or down depending on the business and operations. The security governance and enterprise risk management process should be repeatable, sustainable, measurable, continually improving and cost effective .
Domain 3: Legal and electronic discovery- The functional, jurisdictional and contractual dimensions should be examined thoroughly prior to engaging any cloud service provider. The roles and responsibilities should be clearly defined, data security should be ensured and pre-contract due diligence should be performed. BPI should have clarity on the hosting location of the service provider and should be prepared to face any eventuality like contract termination.
Domain 4: Compliance and audit- It should be ensured that the contract with the service provider should adhere to all compliance clauses. Frequent audit should be performed to ensure continued adherence.
Domain 5: Information lifecycle management- Proper measures should be taken to manage the information generated. Clarity on information access, use and destruction should be ensured.
Domain 6: Portability and interoperability- BPI should ensure the portability and interoperability of the data and other information. This is to ensure business continuity in case of any future eventuality like contract closure, vendor shifting etc.
Domain 7: Traditional security, DR & BCP- Data security should be given utmost importance and a disaster recovery and business continuity plan should be in place to make sure that the business is not disrupted as a result of any catastrophic event.
Domain 8: Data center operations- BPI should be convinced about the service provider’s capabilities to balance between cost effectiveness, availability, scalability and security. Pre-contract audits should be conducted and a year-on-year roadmap should be put in place to ensure transparency.
Domain 9: Incident response, Notification and Remediation- Clear demarcation of roles and responsibilities and an efficient governance structure is mandatory to ensure proper reporting of any incidences or eventualities. This will also help to ensure timely attention and remediation.
Domain 10: Application security: This is a key component as BPI will be hosting their application in the public cloud. BPI should ensure that all the mandatory security apparatus is in place with the service provider. An effective back up strategy should be put in place which can be triggered if in case any security breach is reported.
Domain 11: Encryption and key management: Total encryption of the data transferred is recommended as it will help to ensure the security of the data.
Domain 12: Identity and access management: Identity provisioning, authentication, authorization and user management are some of the best practices to be put in place to ensure security of the application and data hosted on the cloud.
Domain 13: Virtualization: BPI should identify the virtualization types provided by the cloud service provider, ensure availability of third party security apparatus, understand the security controls already in place and should validate the integrity of any VM template from the service provider.
References
Bruno, F. (2016). Contingency Planning for SaaS. Retrieved from Iron Mountain: http://www.ironmountain.com/Knowledge-Center/Reference-Library/View-by-Document-Type/Data-Sheets-Brochures/Brochures/ITAK-V8.aspx
Cloud Security Alliance. (2009, December). Security Guidance for Critical Areas in Focus in Cloud Computing v2.1. Retrieved from cloudsecurityalliance.org: https://cloudsecurityalliance.org/csaguide.pdf
Cloud Security Alliance. (2011, November 14). Security Guidance for Critical Areas of Focus in Cloud Computing v3.0. Retrieved from cloudsecurityalliance.org: https://cloudsecurityalliance.org/group/security-guidance/
Dé, siré, & Athow. (2014, January 14). SaaS, PaaS and IaaS: which cloud service model is for you? Retrieved from techradar.india: http://www.in.techradar.com/news/internet/cloud-services/SaaS-PaaS-and-IaaS-which-cloud-service-model-is-for-you/articleshow/38633676.cms
Victories, V. (2015, August 19). 4 Types of Cloud Computing Deployment Model You Need to Know. Retrieved from IBM Developer Works: https://www.ibm.com/developerworks/community/blogs/722f6200-f4ca-4eb3-9d64-8d2b58b2d4e8/entry/4_Types_of_Cloud_Computing_Deployment_Model_You_Need_to_Know1?lang=en
Y, L. (2016). Going Public: Pros and Cons of 3 Major Cloud Deployment Systems. Retrieved from Scripted: https://scripted.com/cpt_experts/going-public-thedos-donts-public-cloud-deployment/
