Cloud Computing & Hosted PBX News – Dallas, TX

Shared Services: A Perfect Storm of Opportunity

CSC, the American technology firm, announced the results of a study that reveals a willingness within the government and IT community to be flexible around security governance in order to benefit from cloud computing and shared services. Results show that users are open to sharing sensitive activities in the cloud, as long as the parties involved share similar characteristics and have the same cultural approach to security.

The report, titled ‘Shared Services: A perfect storm of opportunity,’ was developed by CSC with support from UK government body CESG (Communications-Electronics Security Group), the information assurance arm of GCHQ (Government Communications Headquarters). Respondents included 200 senior security and IT experts working across central and local government and their associated suppliers, who attended the Government’s Information Assurance flagship event, IA10 in September this year.

With security of utmost concern to UK government departments, the survey asked what inhibits the achievement of full cost savings and efficiencies from cloud computing. The research revealed that the main barrier to the adoption of cloud services is the different approaches to information security across potential users, and that confusion still exists about the cloud.

Enthusiasm to find the middle ground on governance was demonstrated by the majority of respondents (65 percent) being willing to share Security Operations Centre (SOC) services, as an interim measure to build trust between users. People also declared that a reduction in the number of audit events to be monitored – along with a revision to internal governance, risk and compliance policies and processes – were the two most important compromises when migrating to cloud services.

“Reaping the cost benefit of shared services is of paramount importance to local and central government but security policies and compliance regulation have made this a real challenge,” said Ron Knode, CSC’s director for Global Security Solutions. “The most startling discovery in the survey is that the public sector is more flexible and willing to look at alternative approaches to certain aspects of security, and develop stepping stones towards using shared services. Previously, nobody was willing to do this – departments had their rules and that was that. Now suddenly, people are indicating that ‘if you’re a lot like me,’ maybe they can come together with an altered set of governance processes and decision-making criteria to gain the benefits of the cloud.”

When asked what the most important aspects are when establishing shared services, the “cultural approach to Information Assurance (IA) and Information Risk Management” was respondents’ top answer. Desktop applications were the first choice for respondents when questioned about which service functions they were most comfortable sharing. In addition, while the vast majority strongly agreed that the use of a public cloud would substantially increase risk to confidentiality, a majority also agreed that a shared private cloud (or community cloud) among users with similar security cultures would likely be an acceptable risk.

Confusion around what contributes to the development of cloud services was also evident among respondents. When asked which technologies and approaches used to develop cloud services were the most mature, respondents gave conflicting opinions with no clear outcome.

Survey presents three key recommendations:

“For progress to be made in cloud computing, departments need to focus on the paths of least resistance, such as creating a like-minded community sharing lower-risk services. By establishing a governance test-bed, users can examine and validate potential areas of flexibility of governance. Transparency also has to be included in every proposed cloud standard and advocates should resist the urge to develop too many clouds but rather explore progressive or layered clouds, which accommodate different user standards,” Knode added.

To help increase confidence in shared services and build momentum in cloud adoption within government, CESG and CSC have made three key recommendations following the survey:

Recommendations summary:

1. Common bond payoffs: The willingness to be flexible in governance presents an opportunity that should not be missed. Concentrate on affinity: If you can find a team outside your immediate organization whose security culture, maturity and general obligation to security governance is close to your own, then hunt for shared functions, business processes or applications. If they emerge, then that’s a great way of kicking-off a shared service model and capturing the shared service payoffs. Why not use a community cloud to share similar-risk services?

But don’t just set out to prove the technology; instead, establish a focused, cloud-based risk-governance test-bed (not just a general cloud pilot) and use it to test scenarios that examine and validate potential areas of flexibility in governance.

Finally, there’s evidence that industry may be prepared to go as far as the sharing of security officer services. Include this in the trial and – if it’s successful – momentum for more shared services will surely follow. You’ll need a champion, of course – someone to lead the sharing initiative. The right IT partner will be able to help.

2. Cloud usage barriers: New cloud standards are inevitable, whether developed by central government or by the industry itself. Either way, transparency must be a fundamental characteristic in any and every agreed standard.

For most public services, data anchoring in some form or another will be hugely important, so government departments need to be sure to include a mandate for geographic, platform and process anchoring of data and transactions. Transparency and accountability in the cloud are key, so get them specified in the standards where possible.

3. Compliance adjustment: The danger with ensuring every cloud-based process or service complies with a specific standard is that you end up with multiple clouds. It is far better to exploit the willingness to be flexible with governance in establishing, measuring and confirming compliance. Explore progressive (layered) cloud solutions that enable people to add their own degrees of compliance and certification when they need to. Fix the methodology, not the cloud.


Brian