Monday, April 30, 2018

MANUFACTURING IN THE CLOUD: PART XIII: SERVICE MODEL, CONTROLS AND SECURITY RISKS

This blog is a MESA Member Point of View.

By Goran Novkovic, MESA Member, CQA, CSQE, ITIL, APM, PMP, PEng

This blog is part of a series called Manufacturing in the Cloud. This series aims to assist manufacturing organizations to evaluate how they can overcome challenges and maximize cloud computing benefits. As cloud computing services mature both commercially and technologically, this is likely to become relatively easier to achieve.


Cloud computing is revolutionising the way manufacturing organizations are implementing their information systems and using their critical assets. It promises better and more efficient usage of resources and virtually unlimited scalability and greater flexibility -- all at an attractive cost.

However, adoption of cloud computing models carries a number of technical and business risks. Well, risks are nothing new even without clouds, and I am sure that every manufacturing organization already has its own risk management methodology in place. But have you thought of Business Impact Analysis (BIA)?

Manufacturing organizations should analyze the negative impacts that adverse events can have on their business. BIA is highly recommended for this because it is the systematic process of determining and evaluating the potential effects of an interruption to business operations. The business impact analysis should be carried out as part of a cloud service adoption process by the manufacturing organization.

RISKS
As we previously discussed, when a manufacturing organization moves data and software applications to the cloud, it places a certain level of trust in Cloud Service Providers (CSPs). Thus, manufacturing organizations lose a certain level of control over these critical assets, and there is risk associated with that.

To mitigate risk, all security requirements must be clearly defined, analyzed and communicated to ensure that manufacturing organizations that move assets to the cloud still adhere to all applicable laws and regulations. There is no compromise about that! You don’t want to see your manufacturing organization on the front page of the newspapers.

For widespread adoption of cloud computing services, manufacturing organizations must have assurance that Cloud Service Providers (CSPs) are trustworthy and are doing everything in their power to protect the data and software applications of the manufacturing organizations. The CSP has to be carefully selected based on well-defined business requirements. Adopting manufacturing organizations must be confident that the services outsourced to the Cloud Service Provider, including any important assets, will not be disrupted and compromised. Even a small incident in the cloud can have a large impact on a manufacturing organization. Again, you work hard and you don’t want your manufacturing organization to become famous overnight in a negative way.


EXPECTATIONS FROM MODELS
Let's look into cloud service models and discuss what to expect in terms of controls and security risks related to critical data assets and software applications in the cloud.  

IaaS: In terms of cloud service models, with the IaaS model the CSP provides the underlying infrastructure (computational capabilities, storage, and network management) and the manufacturing organization uses these resources to manage its data and software applications. IaaS provides the greatest control over resources and triggers the least security risk for the manufacturing organization.

PaaS: With the PaaS model, the CSP provides not only the infrastructure, but also the application development platform. The manufacturing organization has fewer infrastructure elements to manage, but still retains control over some system administration. This reduces the responsibility of the manufacturing organization, but translates into less control over resources, and thus higher security risk for the organization.

SaaS: Using the SaaS model, the CSP has total control over the infrastructure and development platforms, and also has control over administering the software applications. Even so, manufacturing organizations may still be responsible for securing the data that are produced by SaaS applications. Although this may help manufacturing organizations reduce costs and speed time to market, the SaaS model is associated with the least control over resources and the highest risk for the organization.




Goran Novkovic, CQA, CSQE, ITIL, APM, PMP, PEng
Goran Novkovic has over 15 years of experience in various regulated industry sectors. His expertise is in industrial control systems (ICS) cybersecurity, control systems engineering, computer systems validation, software security and test management, cloud security and regulatory compliance. Goran has a formal education in Electrical Engineering and Project Management and possesses a master's degree in Information Technology. He has a number of professional licenses and designations. He holds the CQA (Certified Quality Auditor) and CSQE (Certified Software Quality Engineer) certifications with ASQ (American Society for Quality). Goran is ITIL certified, a certified Agile Project Manager and a Project Management Professional with PMI (Project Management Institute). He is a licensed Professional Engineer with PEO (Professional Engineers Ontario). Goran is focused on ICS cybersecurity and is helping organizations to establish ICS cybersecurity governance and develop effective ICS cybersecurity programs from scratch. E-mail contact: goran@valiver.com
