Distributed computing models and distributed information systems are becoming increasingly common in conjunction with, and amplified by, the adoption of cloud computing services.
The globalization of companies, along with collaboration and outsourcing, continues to allow organizations and users to avail themselves of distributed services.
The drivers for adopting such services are many but include increasing enterprise productivity and reducing development cost.
The impact on organizations in terms of visibility and control over a distributed or effectively dispersed model can be wide-ranging.
The Certified Cloud Security Professional must review and address the following components to ensure that distributed computing models do not negatively influence the factors outlined in the rest of this topic.
Traditional IT deployment and operations typically allow a clear line of sight or understanding of the personnel, their roles, functions, and core areas of focus.
This provides for far more access to individuals, either on a name basis or based on their roles.
Communications allow for collaboration, information sharing, and the availability of relevant details and information when necessary.
This can be from operations, engineering, controls, or development.
Distributed IT computing models challenge and essentially redefine roles, functions, and the ability to communicate face to face or interact directly, such as through emails, phone calls, and messengers.
Although such environments offer convenience and speed in effecting operations or changes (such as asking an engineer or a developer to implement relevant changes), the potential for such swift amendments is typically replaced by more structured, regimented, and standardized requests.
From a security perspective, this can be seen as an enhancement in many cases.
It alleviates and removes the opportunity for untracked changes or for bypassing change management controls.
It also reduces the risks associated with implementing changes or amendments without proper testing or without taking risk management into account.
Computing Models: Coordination and Management of Activities
Project management has long been an ingrained and essential component to ensuring the smooth and successful delivery of technology projects, deployments, and solutions.
Enter the complexity, or benefit, of distributed and outsourced IT computing models.
Yes, there are benefits when outsourced models are involved in the delivery of services and solutions, particularly when it is their business to ensure such services and solutions are delivered to clients, and even more so when large-scale services and solutions are public offerings, such as Salesforce, Google, and Microsoft.
In short, bringing in an independent group of subject matter experts whose focus is on the delivery of such projects and functionality can make for a swift rollout or deployment.
The lack of familiarity or an ingrained working relationship with the provider can make for a refined and efficient process, versus multiple engagements, discussions, negotiations, and the need to provide resources and skills, not to mention ensuring the availability or willingness of internal or team resources to participate.
Sign-off and acceptance typically allow the provider to deliver with accountability and independent oversight from the customer’s perspective.
Computing Models: Governance of Processes and Activities
Effective governance allows for peace of mind and a level of confidence to be established in an organization.
This is even more true with distributed IT computing models and the use of IT services or solutions across dispersed organizational boundaries by a variety of users.
Where the IT department previously would provide details or facilitate reporting to the program management, risk management, audit, compliance, or legal function, depending on the nature of the services, it may now need to pull information from numerous sources and providers, leading to the following:
- Increased number of sources for information
- Varying levels of cooperation
- Varying levels of information and completeness
- Varying response times and willingness to assist
- Multiple reporting formats and structures
- Lack of cohesion in terms of activities and focus
- Requirement for additional resources and interactions with providers
- Minimal evidence available to support claims and verify information
- Disruption or discontent from internal resources, where job function or role may have undergone a change
Selecting the provider is the key to a smooth and repeatable mechanism around the governance of services and processes.
Governance can be automated to reduce ongoing requirements for continued interaction with providers or third parties, resulting in a streamlined audit and risk management engagement.
Coordination Is Key
Interacting with and collecting information from multiple sources requires coordination of efforts, including defining how these processes are to be managed.
The governance process should seek to establish how to achieve the common objective.
For those familiar with third-party management (that is, organizing and maintaining communications and interactions between distributed people, processes, and technology across several locations, often involving different cultures, time zones, and operating environments), the requirement should be integrated into the SLAs and contractual obligations.
Clear assignment and identification of requirements (along with frequency, mechanisms, and resourcing) should be highlighted and agreed upon from the outset.
At this point, it will most likely become clear which components can be automated, along with who will be responsible for coordinating them between the customer and CSP.
Once this is accepted and becomes operational, opportunities to improve this process may become clear.
However, if these activities can be coordinated with ease across distributed IT environments and providers, that coordination will be a key factor in having a clear view of performance versus SLAs and contracts, as well as of the overall effectiveness and efficiency of outsourced activities and services. Outsourced activities and services that are not explicitly meeting the agreed SLA or contract should be met with financial penalties.
The previous stages should result in an independent report being provided as to the security posture of the virtualized machines.
This should be reported in a format that illustrates any high, medium, or low risks (typical of audit reports).
Common approaches also include reporting against the Open Web Application Security Project (OWASP) Top 10 and SANS Top 20 listings.
Many vendors do not make such reports available to customers or the public, for obvious reasons. However, sanitized versions may be made available when a client requests such an indication of vulnerabilities; any exposure of the client's information will be limited.
In these cases, the provider may supply a statement from the auditors or assessors attesting to the fact that no high- or medium-level vulnerabilities were detected, or that the risk rating for the engagement was deemed to be low.
These are not common; typically the organization does not want to share the findings or risks with customers or potential customers.
The auditors or assessors usually make the report and findings available only for customers and not for public or external circulation.