In our engagements with customers, we often come across the questions of Cloud Security and Compliance. Our customers want to know whether Cloud is secure and whether as they move into the Cloud they can continue to be compliant with EU Data Protection Regulation, PCI/DSS, and other compliance regimes.
We often need to look into existing security and compliance practices to understand the benefits of Cloud security. A good model for illustrating security would be to assume that Security consists of three elements: Technology, People, and Processes. Let’s see what establishing a secure conventional solution really means in terms of this model:
In a conventional on-premises solution, you’ll likely start by choosing secure premises for your business; you may need to build, acquire, or rent secure premises, and you’ll have to consider securing the perimeter using fences, bollards, barriers, etc. You’ll clearly use CCTV systems outside the premises. You’ll have to consider the power and network connectivity to your premises as well, which is often non-trivial: establishing resilient power connectivity, including building substations if needed, means lots of heavy lifting. You’ll also want to establish resilient power and network connectivity within the premises to each and every cabinet. You’ll need to consider power systems within the premises, as well as HVAC (heating, ventilation, air-conditioning). You’ll also likely use CCTV systems inside the premises, you’ll establish multi-factor authentication for access to the premises and data floors, you’ll be using mantraps, etc. You’ll establish your security operations centre for the premises. Even for a small facility, you’ve likely already invested tens of millions of pounds of CapEx just to establish the technical foundations. The OpEx associated with that, including rent for the premises, water and electricity charges, waste disposal charges, etc., all piles up to a fairly sizeable monthly amount as well, likely in the tens of thousands at least.
Clearly, your data centre will need to be operated by very experienced engineers and security personnel. You will likely need to find hardware and software engineers, electrical and HVAC engineers, all in sufficient numbers to work in shifts and cover the operations of your facilities 24×7. You’ll probably need service managers for your premises. Security staff will need to be properly selected, vetted, and trained, as they are working in an important facility storing your crown jewels – your data! Finding even a small team to run such a data centre will likely cost in the hundreds of thousands of pounds in terms of recruiter fees, training, and other foundation activities. Even for a small team, you are probably looking at tens to hundreds of thousands a month in terms of salaries and training, as well as other related staff costs.
You will likely establish security processes and procedures for your business. Given that you are likely to be required to comply with standards such as ISO 27001, PCI/DSS, and EU/UK Personal Data Protection, you will probably have to have relatively elaborate processes, and you are also likely to have to go through a formal certification process by undergoing external audits. Such processes and the associated compliance are likely to cost in the hundreds of thousands in terms of CapEx, but then you’ll probably need to do internal audits, as well as refresh your certifications periodically, so OpEx in the tens of thousands per annum is to be expected.
So establishing secure foundations for your data and IT services is going to be expensive both initially to build and then on a monthly basis – to operate. Here is a summary of the costs and ballparks:
Let’s pause for a second: so we are looking to establish secure services, and we’ll need to find the investment for it, likely in the millions of pounds per annum just to run, and in the tens of millions to build. And what user value is it going to add? Likely none. Security and Compliance are the foundations of your services. If you are a bank, for example, they just must be there, as that’s what everyone expects from you. No, Security and Compliance are not going to bring you new customers, or allow you to offer more competitive mortgage offerings; they mean little in terms of added value to your end customers. They are a safety net, so they must be there, whatever happens. Thus, you’ll need to make an investment in foundations that your customers don’t see any direct value in. How likely are you to be able to secure that investment, year after year, for operating a secure and compliant environment that adds no direct customer value? And let’s remind ourselves that we are living in times of rising threat levels on the Internet, of sophisticated and determined threat agents, and of cybercrime syndicates operating as for-profit organisations, targeting businesses such as yours. So while your risk exposure and the requirements placed on you are likely to be increasing considerably, your security and compliance budget is likely to be under scrutiny, and may even shrink… That’s the challenge that we often see as we talk to CISOs.
Now let’s look at Cloud, and take AWS EC2 as an example. When you launch a new instance, you are automatically compliant with ISO 27001, PCI/DSS, SOC 1/2/3, ISAE 3402, SSAE 16, IT-Grundschutz, the UK Cloud Security Principles, and some 20 other standards at the infrastructure level; what you deploy on the instance, and how you configure and operate it, remains yours to secure and to certify. And how much will this infrastructure-level compliance cost you? Well, you pay for EC2 and that’s it! Security is embedded; it’s for free. You don’t pay extra for it. Thus, you don’t need to compromise.
This is just one of the many reasons that we often highlight in discussions with customers.