White Paper Profiting From the Cloud: CSP Trust & Efficiency Are Key Prepared by Caroline Chappell Senior Analyst, Heavy Reading www.heavyreading.com on behalf of www.symantec.com February 2012

GDS International - Next - Generation - Telecommunications - Summit - Africa - 2



HEAVY READING | FEBRUARY 2012 | WHITE PAPER | PROFITING FROM THE CLOUD: CSP TRUST & EFFICIENCY ARE KEY 2

Introduction

Cloud computing represents a significant market opportunity for communications service providers (CSPs). CSPs are in an excellent position to add cloud services to existing enterprise connectivity and hosting portfolios, and many have advanced plans for doing so. To succeed in the cloud market, CSPs need to provide superior cloud services that are more trusted than those offered by the current generation of Web-based cloud providers. Cloud security and efficiency present large challenges, and enterprises fear the loss of intellectual property and/or customer data, reputational risk, malicious activity and outages in the cloud. CSPs that can provide cloud services with the highest levels of trust and availability at the lowest cost will profit most from the cloud. Such CSPs will persuade a critical mass of enterprises to migrate to the cloud and benefit from the increased revenues this will bring. The five characteristics of cloud computing, as defined by the National Institute of Standards and Technology (NIST), bring new vulnerabilities and threats. To create a trusted cloud, CSPs need to address these additional cloud security requirements, providing consistent, ubiquitous, customer policy-driven and service-appropriate security across multiple cloud deployment models and services, while guaranteeing the highest performance at the lowest cost. The guidance provided by the Cloud Security Alliance (CSA) provides a useful starting point as CSPs embark on defining the secure "silver lining" to their cloud. CSPs can differentiate themselves by designing into their cloud architectures a more comprehensive and complete set of CSA controls (policies, procedures and processes for 14 CSA-defined security domains) than enterprises – or third-party cloud service providers that the CSP is aggregating on behalf of an enterprise – can implement for themselves.

These controls need to be implemented as a global security management layer that is populated with strong countermeasures, provides organization-wide visibility of all aspects of security and compliance, and has a high level of security process automation to maximize the effectiveness of countermeasures and minimize operational costs. This white paper discusses the opportunity and requirements for building a trusted and efficient cloud, including best-practice security design principles and a blueprint for an efficient global security management layer. Section II expands on the role security plays in creating trusted cloud services and deployment models, explains CSP advantages in leveraging existing security capabilities and discusses how effective security can differentiate CSPs in an increasingly crowded cloud market. Section III looks at the four design principles that CSPs need to build into a trusted and efficient cloud, and how these principles and CSA guidance come together in a global security management architecture that supports effective governance of the trusted cloud. Section IV illustrates the application of the global security management architecture and its underlying security design principles in the context of mobile health (mHealth).


The Cloud: CSP Opportunities & Challenges

Expanding Into the Cloud

Cloud computing represents the most significant market opportunity for communications service providers (CSPs) since the arrival of the Internet. Like the early days of the Internet, cloud computing also presents considerable challenges for providers in the areas of security and efficiency. Cloud computing, according to the NIST definition, is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services). Enterprises benefit from the agility, scalability, flexibility and lower costs conferred by the cloud model. Such are the perceived advantages of the cloud that the Open Data Center Alliance's 300 enterprise members, representing some $100 billion worth of IT procurement power, plan to triple cloud deployment in the next two years – an adoption rate five times faster than had previously been expected. CSPs already have established businesses delivering network resources to enterprise customers; the cloud is a natural evolution of this business. It gives CSPs the opportunity to aggregate all types of information communications technology (ICT) resources and deliver them in an on-demand, low-cost model that will displace enterprise-owned ICT infrastructure over time. CSPs gain incremental revenue from providing cloud-based computing, storage, applications and services in addition to connectivity (network) solutions. No wonder Heavy Reading research shows that an overwhelming majority of CSPs across the world plan to offer cloud services within the next three years, with many intending to roll out all three cloud service models identified by NIST: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS).

SaaS is a catch-all for any type of application/service delivered from the cloud, from communications services such as voice, videoconferencing and IP PBX to more general applications such as collaboration, business services and security.

Security Creates a Trusted Silver Lining to the Cloud

The riches of the cloud market will not rain down on CSPs unless they can provide a cloud environment that is superior to those available from the first generation of Web-based cloud providers. While utilization of Web-based cloud services is growing, the main consumers today are IT-based, highly tech-savvy companies and/or enterprises with non-critical computing requirements, such as test and development. Most enterprises do not trust over-the-top providers of cloud services, citing security and performance as the top reasons for not using Web-based clouds for their computing requirements. They fear the loss of intellectual property and/or customer data, which would damage their business and lay them open to reputational risk. They also feel threatened by the fact that malicious activity or outages in the cloud could affect critical services on which their business depends. To persuade a critical mass of enterprises to migrate to the cloud and to profit from the revenue opportunities this will bring, CSPs need to offer secure cloud services over which their enterprise customers have as much, if not more, visibility and control as they do over their in-house, physical ICT infrastructures. CSPs need


to demonstrate that their clouds have a silver lining – security – as the foundation for building trust in the cloud. CSPs already control the cost of secure connectivity to the cloud in a way that over-the-top cloud providers cannot. Their ability to combine a secure network with server and other resources makes the economics of cloud even more compelling for customers. CSPs can also leverage trusted relationships with enterprises, based on years of delivering secure network and physical hosted services, which typically require an understanding of governance, risk management and compliance (GRC), including compliant and certified operational processes and infrastructure. While CSPs may have a head start over Web-based cloud providers in their understanding of trust and security issues such as GRC, identity management and information protection and management, the cloud introduces new challenges in all these areas. Figure 1 explains the vulnerabilities and threats associated with the five NIST-defined characteristics that turn hosted/managed computing into cloud.

CSPs need to provide countermeasures for all these threats in order to create a trusted cloud environment that meets the security and high-availability requirements of the majority of enterprise customers.

Figure 1: Cloud Characteristics Introduce New Vulnerabilities & Threats

NIST cloud characteristic: On-Demand Self-Service
Vulnerabilities: Customers take charge of configuring/managing "their" part of a cloud service. They thus need access inside the traditional perimeter firewall and to be granted administrative access rights.
Threats: Identity theft, unauthorized access, data leakage, spam data, malicious code, targeted attacks, phishing attacks.

NIST cloud characteristic: Broad Network Access
Vulnerabilities: Any device can potentially connect to the cloud and instigate processes within, or downloading of data from, a cloud service. Devices may have varying levels of security depending on the enterprise's or cloud service provider's level of control over them. Devices may be infected with malware.
Threats: Data loss, compromise of data integrity and confidentiality, unauthorized access, malicious code, reputational risk.

NIST cloud characteristic: Resource Pooling
Vulnerabilities: Multiple tenants can coexist within the same resource pool(s) on virtualized infrastructure. Cloud is based on (virtualized) software, which is typically unanchored to specific, secure physical hardware and which naturally has vulnerabilities that can be exploited.
Threats: Risk activity, malicious code, data leakage, data loss, loss of service (e.g., if an adjacent tenant has infrastructure frozen for legal reasons), unauthorized access, reputational risk.

NIST cloud characteristic: Rapid Elasticity
Vulnerabilities: In order to scale up and down rapidly and balance utilization across the cloud infrastructure – a key cost advantage of cloud – workloads can be moved, dynamically, anywhere in the cloud.
Threats: Lack of compliance if data is moved/processed in a non-compliant geography, compromise of data integrity and confidentiality if data is moved in the clear, data loss, reputational risk, loss of availability if elasticity fails.

NIST cloud characteristic: Measured Service
Vulnerabilities: Cloud services are metered in order to charge on a usage basis.
Threats: Fraud activity, revenue leakage.


No Single Cloud

The challenge of providing security in the cloud is compounded by the fact that there is no single type of "cloud." Instead, there are multiple permutations of cloud service models (IaaS, PaaS and SaaS) and cloud deployment models. NIST defines four deployment models: private, public, hybrid and community. An enterprise is likely to want to use many combinations of these deployment models, for example running a private cloud in its own or a third-party data center, but able to reach out to a public or community cloud at times of peak workloads and/or for specific (PaaS/SaaS) services and applications. Enterprises are therefore likely to use CSPs as part of a hybrid cloud deployment strategy, where a CSP may run:

· A "hosted" private cloud on its own infrastructure on behalf of an enterprise customer

· A public cloud and/or an aggregation of public clouds, e.g., SaaS clouds that enterprise customers can tap into on an as-needed basis

· A community cloud on behalf of multiple enterprises

In all three, enterprises will expect to be able to apply their security policies and performance SLAs to the cloud deployment, with no degradation of policy/SLAs because they have moved processing and data outside their organizations. The higher up the stack of cloud services they choose to engage with a CSP, the more reliant they will be on the CSP's security policies and performance guarantees. Figure 2 illustrates the security responsibilities of enterprise customers and CSPs for each service type in the cloud stack.

Figure 2: Security Responsibility Across Three Cloud Service Models

Source: Symantec


A CSP must therefore make its policies and guarantees at each level of the cloud services stack transparent to enterprise customers and as aligned as possible with enterprise customer policies around GRC, identity management and information protection and management. For example, if a CSP wants to provide SaaS in a public/hybrid/community cloud model to enterprises in the financial services industry, the CSP will be responsible for implementing and managing a higher level of PCI compliance than if it provides IaaS. The challenge for CSPs, as they step up to seize the cloud opportunity, is to provide consistent, ubiquitous, customer policy-driven and service-appropriate security across multiple cloud deployment models and services, all while guaranteeing the highest performance at the lowest cost.


Designing a Trusted & Efficient CSP Cloud

Such challenges dictate four key design principles for a trusted cloud:

· Security by design

· Security through integration

· Security through visibility

· Security through automation.

These principles help CSPs to build a cloud fabric in which security is the silver lining, persistently protecting enterprise customers in whatever cloud services they choose to consume, in whichever deployment model. They enable CSPs to offer security cost-effectively and in a way that allows them to best manage their and their customers' risk.

Security by Design

Security needs to be designed into the cloud architecture from the beginning. The four pillars of security needed to address vulnerabilities and threats in the cloud are no different from those required for any ICT service: identity protection, data protection, information management and GRC auditing. But these functions need to be designed into the cloud architecture from the beginning, not added as an afterthought. When countermeasures are inserted into an infrastructure not originally architected for them, there is a higher risk of hidden vulnerabilities and more difficulty in gaining visibility into different types of threat and/or non-compliance with security policies. These challenges are compounded in a cloud environment, where a CSP will be providing different permutations of cloud service and deployment models to individual customers. Adding security measures after the fact, rather than designing them in as an integral part of the cloud architecture, adds integration and testing cost and the potential cost of failure. The Cloud Security Alliance (CSA) is rapidly becoming the most respected source of cloud security guidance and standards globally. Its best practices suggest that cloud providers align their architectures with the CSA's emerging security requirements and controls (policies, procedures and processes) for the 14 security domains identified as involved in governing or operating cloud services (see Figure 3). The CSA's controls draw on and rationalize multiple, disparate government and other industry-accepted security policies such as HITRUST CSF, ISO 27001/27002, ISACA COBIT, PCI, HIPAA and NIST. The controls adjust such policies for the cloud and populate each domain with a set of best practices for cloud providers and consumers to follow.

CSPs can differentiate themselves by designing into their cloud architectures a more comprehensive and complete set of controls than many enterprises, or third-party cloud service providers that the CSP is aggregating on behalf of an enterprise, can implement for themselves. The CSA's controls augment a CSP's existing security control environment by specifically addressing security vulnerabilities in the cloud. For example, auditability is built into each CSA control, automatically making the level of the CSP's compliance to that control transparent to a cloud


consumer. This will be an important reassurance factor for enterprise consumers of cloud services, enabling them to understand the level of protection for their information and thus the level of risk to which they are exposing themselves. A CSP that designs its cloud architecture from the ground up to comply with CSA controls gains a powerful competitive advantage in the current market. Once accounted for in the design of the cloud architecture, security can be more successfully implemented using tools and systems that provide identity management, data protection, information management and GRC audit functions, with lower cost and risk.

Figure 3: Cloud Security Alliance Domains

Governance Domains

Domain: Governance & Enterprise Risk Management
Guidance: Recommendations and requirements for organizations concerned with governing and measuring enterprise risk introduced by cloud computing.
Required countermeasures/capabilities: Plan for policy automation with regulatory and technical content automatically mapped to policies and updated as regulations change. Assess the ability to automatically import data from third parties for even greater visibility into risk posture. Report from a centralized database which pulls together controls data from multiple sources and maps it back to policies. Remediate and fix with built-in risk scoring and integration with ticketing systems.

Domain: Legal Contracts & Electronic Discovery
Guidance: Potential legal issues when using cloud computing, including protection requirements for information and computer systems, regulatory and legal requirements.
Required countermeasures/capabilities: Search with e-discovery; provide role-based access for legal and/or IT users to search, preserve, review and export electronically stored information efficiently. Global de-duplication of archived content across email, files, SharePoint documents, IM. Create Data Classification Services (DCS) based on context and relevance.

Domain: Compliance & Audit
Guidance: Maintaining and proving compliance when using cloud computing, including evaluating how cloud affects compliance with internal and external security/regulatory policies.
Required countermeasures/capabilities: Create host-based detection and prevention to shield cloud-based virtual machine infrastructures and services against inappropriate behaviors and activities that lead to data compromise. Design procedural controls to govern appropriate behavior.

Domain: Information Management & Data Security
Guidance: Managing data placed in the cloud, identifying and controlling data in the cloud and moving to the cloud. Addressing data confidentiality, integrity and availability in the cloud.
Required countermeasures/capabilities: Detect and protect the organization's intellectual property in the cloud or wherever it is stored. Help customer cloud teams identify at-risk workloads to drive risk management on placement of workloads in public vs. private clouds. Provide insight to help control and define the scope of audit for cloud-based assets.

Domain: Portability & Interoperability
Guidance: Moving data and services between cloud providers or between a cloud provider and enterprise customers.
Required countermeasures/capabilities: Deliver functionality and interactivity between applications and the OS. Provide for portability of applications, data and content with a portable software format. Simplify the virtualization process with application packages that run in the native operating environment for which they were designed.


Figure 3: Cloud Security Alliance Domains (Continued)

Operational Domains

Domain: Traditional Security, Business Continuity & Disaster Recovery
Guidance: Adapting and applying operational processes and procedures relating to the implementation of security, business continuity and disaster recovery to the cloud.
Required countermeasures/capabilities: Provide effective protection with unique platform-independent logical policy groupings (physical/virtual). Reduce security workloads across both virtual and physical deployments in private, public and hybrid environments. Identify, monitor and manage rogue, vulnerable or non-compliant systems.

Domain: Data Center Operations
Guidance: Evaluating data center architecture and operations and their risk profile for cloud-based services.
Required countermeasures/capabilities: Require an assessment that allows organizations to gain visibility into resources across multiple data centers and customizable geographical, physical and organizational boundaries. Address capacity planning to prevent service outage by identifying misaligned storage and applications. Promote responsible usage by making customers accountable with chargeback reports.

Domain: Incident Response, Notification & Remediation
Guidance: Ensuring proper and adequate incident detection, response, notification and remediation are in place for the cloud.
Required countermeasures/capabilities: Deliver ITIL and best-practice processes for incident, problem and change management. Provide highly configurable help desk software that adapts processes to organizational needs. Include self-service capabilities to speed service and drive down costs.

Domain: Application Security
Guidance: Securing application software that is being run in, or developed for, the cloud.
Required countermeasures/capabilities: Integrate security at the software design and development phases. Implement application vulnerability management, penetration testing and code analysis.

Domain: Encryption & Key Management
Guidance: Understanding the requirements for proper encryption usage and scalable key management in the cloud.
Required countermeasures/capabilities: Provide the ability to create keys and certificates for use with different applications. Ensure provisioning works with policy and automation to automatically deliver keys and certificates to applications. Store keys within a protected, fault-tolerant, high-availability database. Control the administrative processes and key attributes through policy.

Domain: Identity & Access Management
Guidance: Managing cloud-based identities, entitlements and access rights.
Required countermeasures/capabilities: Provide solutions that allow companies and consumers to engage in communications and commerce online. Provide services that include SSL certificates, code signing certificates and user authentication.

Domain: Virtualization
Guidance: Scoping the risks associated with virtualization, including multi-tenancy, VM isolation, VM co-residence, hypervisor vulnerabilities, etc.
Required countermeasures/capabilities: Coordinate recovery and management of applications in VMware vSphere, LDOM, LPAR and KVM virtual environments. Require compatibility with key virtualization features, including integration with the Application Awareness API, high availability, site recovery, fault tolerance and key virtualization features such as Live Migration and Warm Migration on Unix platforms. Provide integration with backup software, which provides virtual machine image restoration as a possible remediation mechanism in virtual environments. Feature centralized application health monitoring and management.


Security Through Integration

Security must be integrated across operational domains. Within a service provider organization, the responsibility for security is typically fragmented across different business units and IT groups. The cloud embraces different ICT components – such as network, servers, storage, databases and applications – and makes them available in a more holistic way than conventional ICT. The level of virtualization in the cloud, and its multi-tenant nature within a service provider organization, introduces more scope for components to affect each other in unpredictable ways, resulting in new vulnerabilities. Security that is implemented by separate organizational functions with point tools and idiosyncratic processes is not effective for a cloud environment. CSPs will find it difficult to comprehensively monitor and manage security states in the cloud or provide robust identity management in a consistent way, supported by single sign-on (SSO), across the cloud. Such a situation introduces vulnerabilities in the gaps where the security functions provided by individual groups with different point tools fail to dovetail. CSPs will therefore find it necessary to manage security in a more global way than they have in the past, joining up the disparate organizations responsible for different aspects of security and ensuring a common view of security and consistent processes, practices and tools.

Security Through Visibility

Security depends on complete visibility of security policies and countermeasures. Enterprise customers are used to feeling that they are in control of their ICT environments. This sense of control is founded on their visibility of employee actions and endpoint/infrastructure behavior, which they gain from management data visualized in reports and dashboards. Enterprises use such visualized intelligence to modify and create policies that change actions and behavior for different purposes – for example to increase efficiency, reduce cost and improve security. Enterprises moving critical applications and data to a CSP's cloud environment will want equivalent, if not greater, control over "their" portion of the cloud. If they are to trust the cloud, they especially need visibility of the security policies and countermeasures in place, visible evidence of the effectiveness of both and the

Figure 3: Cloud Security Alliance Domains (Continued)

Domain: Security as a Service
Guidance: Delegating detection, remediation and governance of security infrastructure to a trusted third party with specialist cloud security expertise and tools.
Required countermeasures/capabilities: Protect from Web-borne threats and enable the control, monitoring and enforcement of Web acceptable-use policies with minimal latency. Automatically update anti-malware layers and block threats away from the network. Reduce Web misuse and help protect bandwidth through URL filtering policies and Web traffic quota limits.


ability to change/customize policies directly themselves, so they have the highest visibility that action has been taken. The CSP cloud needs to design in mechanisms that give enterprise customers comprehensive visibility of their environment and the security policies and countermeasures at work to protect it. Conformance with CSA controls can help here, through their provision of an audit capability.

Security Through Automation

Security management in the cloud must be automated for high efficiency and low cost. The cloud is a highly dynamic environment with many moving parts. It is also a high-scale environment, especially when implemented by a CSP to support multiple large enterprise customers. The scale and dynamic nature of the cloud means that it can only be managed and controlled cost-effectively through ultra-high levels of automation. Security processes and procedures certainly need to be automated. Manual processes of threat discovery and response are too slow and costly in a cloud environment. Automation is key to the CSP's ability to:

· Detect and respond to threats in real time.

· Monitor CSA controls, send alerts to the right organizational function when non-compliance is detected and remediate (e.g., reconfigure infrastructure) without manual intervention.

· Manage secure, cloud-based processes that involve high volumes. Examples include: issuing and examining employee credentials in the cloud (both the CSP's own employee credentials and those of its enterprise customers); and de-duplication and encryption of large amounts of data travelling between an enterprise and the CSP's cloud for backup and disaster recovery purposes.

· Create a detailed audit trail to meet GRC requirements at low cost.

Automation ensures that security processes and procedures are applied consistently, reliably and at a manageable cost. Automation is therefore core to the trust an enterprise has in a cloud provider and to the profitability and sustainability of a CSP's cloud services.
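The detect, alert, remediate and audit steps listed above can be exercised on the two "Rapid Elasticity" threats from Figure 1 (a workload moved to a non-compliant geography, or moved in the clear). The following is an added illustration written for this page, not code from Heavy Reading or Symantec; the tenant policies, workload events and the routing of CSA domains to CSP teams are all constructed assumptions.

```python
"""Automated monitoring of per-tenant placement controls in a CSP cloud.

Detect a policy violation on each workload migration event, alert the
organizational function that owns the relevant CSA domain, apply a
remediation, and record everything in an audit trail for GRC purposes.
All tenants, policies, events and routing entries are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class TenantPolicy:
    """Customer policy the CSP enforces on the tenant's 'own' slice of the cloud."""
    tenant: str
    allowed_regions: Set[str]          # geographies where this tenant's data may live
    require_encrypted_transit: bool    # data must not move in the clear


@dataclass(frozen=True)
class WorkloadMove:
    """A placement/migration event emitted by the cloud fabric (constructed)."""
    tenant: str
    workload: str
    target_region: str
    transit_encrypted: bool


@dataclass(frozen=True)
class Finding:
    tenant: str
    workload: str
    control: str        # CSA domain whose control was violated
    detail: str
    route_to: str       # organizational function that receives the alert
    remediation: str    # automated action applied without manual intervention


# Assumed routing table: which CSP function is alerted for each CSA domain.
ROUTING: Dict[str, str] = {
    "Compliance & Audit": "grc-team",
    "Encryption & Key Management": "security-operations",
}


def evaluate(move: WorkloadMove, policy: TenantPolicy) -> List[Finding]:
    """Detect: compare one migration event against the tenant's policy."""
    findings: List[Finding] = []
    if move.target_region not in policy.allowed_regions:
        findings.append(Finding(
            move.tenant, move.workload, "Compliance & Audit",
            f"target region {move.target_region!r} is outside "
            f"{sorted(policy.allowed_regions)}",
            ROUTING["Compliance & Audit"],
            "block migration; pin workload to an allowed region",
        ))
    if policy.require_encrypted_transit and not move.transit_encrypted:
        findings.append(Finding(
            move.tenant, move.workload, "Encryption & Key Management",
            "workload data would move in the clear",
            ROUTING["Encryption & Key Management"],
            "hold migration until an encrypted channel is provisioned",
        ))
    return findings


def process(moves: List[WorkloadMove],
            policies: Dict[str, TenantPolicy]) -> List[dict]:
    """Run detect -> alert -> remediate for every event; return the audit trail.

    Compliant events are recorded too, so the trail is complete for auditors.
    """
    trail: List[dict] = []
    for seq, move in enumerate(moves, start=1):
        findings = evaluate(move, policies[move.tenant])
        if not findings:
            trail.append({"seq": seq, "tenant": move.tenant,
                          "workload": move.workload, "result": "compliant"})
            continue
        for f in findings:
            trail.append({"seq": seq, "tenant": f.tenant, "workload": f.workload,
                          "result": "violation", "control": f.control,
                          "alerted": f.route_to, "remediation": f.remediation,
                          "detail": f.detail})
    return trail


# Constructed sample tenants and events.
POLICIES: Dict[str, TenantPolicy] = {
    "acme-bank": TenantPolicy("acme-bank", {"EU-West", "EU-Central"}, True),
    "devshop": TenantPolicy("devshop", {"EU-West", "US-East"}, False),
}

MOVES: List[WorkloadMove] = [
    WorkloadMove("acme-bank", "ledger-db", "US-East", True),     # wrong geography
    WorkloadMove("acme-bank", "web-tier", "EU-Central", False),  # cleartext transit
    WorkloadMove("devshop", "ci-runner", "US-East", False),      # compliant
]

if __name__ == "__main__":
    for entry in process(MOVES, POLICIES):
        print(entry)
```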

Applying the Design Principles: A Global Security Management Layer for the Cloud

CSPs will find it helpful to apply the four design principles when specifying a global cloud security management layer for their trusted and efficient cloud. The global security management layer gives the CSP cloud its security "silver lining." A global security management layer should:

· Map to the CSA controls, to ensure that all aspects of security have been adapted to the specific requirements of the cloud.

· Support the second principle of organizational and domain integration by enabling CSPs to manage countermeasures (security processes and tools)


across the cloud from a single logical decision point. The global security management layer should centralize control for all security functions including strong authentication, authorization, password management, endpoint protection, information classification and encryption, DLP, secure device management, audit and compliance management.

· Provide seamless visibility throughout the cloud of the identity, data and information protection mechanisms working to secure individual customers' cloud environments (public/private/hybrid, IaaS/PaaS/SaaS). The global security management layer should give CSPs and (through multi-tenant support) their enterprise customers end-to-end visualizations of the way security is being applied within the cloud, tailored to the needs of their various security functions/organizations.

· Support the high levels of automation that are central to the success of trusted cloud delivery, including allowing CSPs to automate new security processes and to apply policies to new cloud-based services, so that they can develop their cloud business rapidly and cost-effectively.

Figure 4 illustrates an architecture for a global security management layer that implements the four design principles. Components of the architecture include:

· Support for multi-tenancy, so that security management can be exposed, in a secure and controlled way, to enterprise customers. Enterprise customers can then be given delegated powers to manage security policies and processes within their "own" cloud environments, as well as to monitor policies and processes for GRC audit purposes – a key requirement for generating trust in the cloud.

· A sophisticated, real-time event data collection and analysis capability that can collate multiple sources of event data into a common data set to identify emerging threats, including risk and fraud activity, malicious code, vulnerabilities, spam data and targeted and phishing attacks across the cloud. The management layer can then use this intelligence to prioritize, in real time, the remediation of threats through the countermeasures under its control.

· Built-in reporting and auditing capabilities that give CSPs and their enterprise customers immediate, basic visibility and control over their cloud environment(s). Such capabilities should be extensible so that CSPs and enterprises can define their own, differentiated views of security data and/or their own workflows for management and audit purposes.

· A policy engine for the definition, application and monitoring of security policies. Policy engines may be pre-populated with policies for specific industry segments (e.g., PCI, HIPAA) but it should also be possible for the CSP and/or its enterprise customers to add their own, company-specific security policies.

· A flexible workflow system and common workflow templates that support automation. CSPs should consider whether candidates for a global security management layer can provide, out of the box, a high level of built-in automation, especially for high volume, cloud-based processes such as data de-duplication and encryption. Ready-to-use automated support for common security processes will reduce a CSP's costs, as it won't need to develop such a capability itself. However, a standalone workflow system is also necessary to enable CSPs to customize automation for their own and their enterprise customer environments. A workflow system allows CSPs to extend automated security management to new cloud services and deployment models over time, especially as they continue to aggregate and broker third-party cloud services on behalf of enterprise customers.

· An integrated set of countermeasures (tools and processes) that can work with each other, the common, real-time data set and the global reporting and workflow components within the architecture to prevent any security blind spots.

Figure 4: A Global Security Management Architecture


Implementing a Trusted Cloud: An mHealth Case Study

Mobile Health (mHealth) represents a multi-billion-dollar opportunity for health providers to streamline and improve the delivery of medical services using mobile devices and health-related applications and data in the cloud. Governments around the world are sponsoring telehealth and electronic patient record schemes, at the heart of which are cloud-based infrastructures providing access, processing, storage and workflow capabilities. Healthcare providers are looking for CSP partners to help them achieve their mHealth vision. Cloud is essential to the flexibility, accelerated treatment processes and cost-advantages associated with mHealth, but as we have seen its characteristics introduce new vulnerabilities and threats. Health is rightly a highly regulated sector given the nature of medical information, the need for complete patient confidentiality and the critical role of patient monitoring and treatment systems. Any CSP wanting to provide cloud services to the emerging mHealth market will need to demonstrate that they can meet the stringent levels of compliance required to protect patient data and healthcare systems. CSPs will need to show that the health care systems and operations in their clouds are secure and compliant, that they have policy-driven countermeasures in place to prevent, detect and respond to threats, that they can manage petabytes of medical data efficiently and securely, and that their security not only extends across the cloud, but out to the tens of thousands of endpoints – mobile devices – that interact with systems and data in the cloud. A global security management capability will be key to protecting mHealth providers that put their trust in a CSP mHealth cloud. The global security management layer provides:

· The real-time event correlation and analysis function that enables CSPs to detect anomalies arising in the mHealth cloud and to gain early warning of vulnerabilities that threaten systems and/or data

· The ability to support security policies required by mHealth regulatory bodies and specific medical provider customers

· Centralized management of security, providing a global and comprehensive view of security compliance across the mHealth cloud

· Workflow to automate security processes to increase the trust, efficiency and cost-effectiveness of the mHealth cloud

· A set of countermeasures to provide specific aspects of systems and data protection in the mHealth cloud, specifically:

o Access control and identity authentication

o Server and system hardening

o Intrusion detection and network access control

o File whitelisting, scanning

o Compliance monitoring

o Efficient lifecycle storage management


o Disaster recovery and business continuity

o Data protection and backup

o Archiving, cataloguing and e-discovery of information

o Tracking and controlling critical information, including automatic categorization

o Encryption tools

o Medical device authentication

A large North American CSP is targeting the opportunity for cloud-based storage of modern Picture Archiving and Communication Systems (PACS). Hospitals are struggling with the fact that they have many different medical imaging systems from multiple vendors producing huge volumes of PACS data. A small hospital alone can generate as many as 300,000 images per year, all of which need to be managed and stored securely. The CSP has set up a secure and compliant cloud-based storage environment to which hospitals can safely download their images. The CSP uses global security management infrastructure components to lock down the infrastructure supporting the cloud-based storage environment, limit and manage access to it and provide an audit trail of hospital user activity. At the same time, the CSP monitors the infrastructure so that it remains compliant with HIPAA requirements, demonstrating this continued compliance through frequent generation of user reports. As a result, the CSP has created a valuable cloud-based service for a group of mHealth customers and a new revenue stream for itself, with the opportunity to grow this revenue by adding new mHealth services to its secure cloud infrastructure over time.


Conclusion

In conclusion, cloud computing represents a critical opportunity for CSPs to develop new and lucrative sources of revenue. CSPs are well positioned to address enterprise cloud requirements, since they can leverage established businesses delivering network services to enterprise customers. Enterprises are eager to move to a cloud model, recognizing that they can significantly reduce costs by drawing IT down as a service, on-demand. But while enterprises understand the business benefits of cloud computing, they have concerns over its security and the protection of valuable intellectual property assets. CSPs must demonstrate they can deliver secure cloud services in which enterprises can have the highest degree of trust. Cloud computing is a young market, and there is plenty of scope for CSPs to build cloud services that are more highly trusted than the first generation of over-the-top cloud offers. CSPs with secure cloud services will differentiate themselves in the market, creating a reputation based on trust. This will inspire brand loyalty, making enterprise customers less likely to churn. CSPs will also gain incremental opportunities to take on enterprises' more critical ICT requirements and to address valuable market segments, such as finance and mHealth, where regulatory compliance and stringent protection are key. CSPs intending to implement trusted cloud service delivery infrastructure need to ensure that security is its bedrock. The infrastructure should conform to the four design principles described in this paper. Security should be designed in as an integral part of a CSP's cloud architecture from the start. The security management layer should be comprehensive, embracing all security functions within their organization. It should provide unparalleled visibility of security policies and countermeasures, and it must be highly automated for high efficiency and low cost.
CSPs that put global security management in place – the security lining for their cloud – will be best positioned to provide the level of trust and efficiency that enterprises require. They will be the providers with both the credibility and the right cost base to grow a profitable cloud services business. They will be able to protect their brand, seize new vertical market opportunities and attract and retain enterprise customers. In the future, trusted CSPs will persuade enterprises to relinquish their private ICT infrastructures and to outsource most, if not all, of their requirements to the cloud. Security is the enabler of this vision, and those CSPs that build the right protection measures into their clouds from the beginning will be best placed to profit from it.