Tuesday, May 15, 2018

MANUFACTURING IN THE CLOUD: PART XIV: DEPLOYMENT MODEL RISKS

This blog is a MESA Member Point of View.

By Goran Novkovic, MESA Member, CQA, CSQE, ITIL, APM, PMP, PEng

This blog is part of a series called Manufacturing in the Cloud. This series aims to assist manufacturing organizations to evaluate how they can overcome challenges and maximize cloud computing benefits. As cloud computing services mature both commercially and technologically, this is likely to become relatively easier to achieve.

There is a wide range of technical and business risks associated with the adoption of cloud computing by manufacturing organizations. In cloud computing, operation and resources are outsourced to the cloud; but the risk is not! The responsibility for securing sensitive business data and software applications in the cloud still resides with the manufacturing organizations. Please, never forget that!

The good thing is, many of the security strategies that manufacturing organizations might adopt in a cloud environment can also be applied to an on-premises environment. So, please use what you already have. This can be very helpful and can also save some time in protecting critical assets in the cloud.


MODEL RISKS
Let's look into cloud deployment models and discuss what manufacturing organizations can expect in terms of controls and security risks in the cloud. As we already mentioned in previous blogs, the Cloud Service Provider (CSP) is taking a lot of control over critical assets of the manufacturing organization. This also means that manufacturing organizations should evaluate the CSP's business continuity mechanisms and failover procedures as part of the CSP selection process. The CSP must meet all specific business needs of the manufacturing organization. Again, please select your CSP carefully! And still, don't forget to have your exit strategy. You might need it if things go wrong.

Private cloud offers services that are consumed exclusively by one Cloud Service Customer (i.e. manufacturing organization), and resources are controlled by the same manufacturing organization. Private cloud is the most similar to traditional on-premises architecture, and it provides the greatest control over resources, which means the least security risk for the manufacturing organization.

Community cloud is where cloud services are used exclusively by a specific collection of CSCs (manufacturing organizations) that have the same interests and requirements in terms of security and regulatory compliance. A community cloud can be a private cloud, or it can be a public cloud provided by a Cloud Service Provider (CSP). It means less control over resources and higher security risk for the manufacturing organization.

Hybrid cloud can be a combination of at least 2 cloud deployment models (private, community, or public), and this can lead to less control and higher security risk for the manufacturing organization.

Public cloud is where cloud services are available to and consumed by all CSCs, such as customers over the Internet, whether they are individuals or organizations. However, all resources are under the control of the CSP. Since manufacturing organizations have no control over cloud resources, this means the greatest security risks for the organization.

If one takes into account both characteristics of cloud service models and cloud deployment models, the manufacturing organization loses more control, and eventually more of the risk is assumed by the Cloud Service Provider (CSP). In cloud computing (cloud service vs cloud deployment models), security risk is directly proportional to the amount of control the manufacturing organization loses over the computing resources. The picture shows the relationship between the service and deployment models and their cumulative risk.


Have you had an experience or found a model that reduced risk for your organization? Tell us about it in the comments or reach out to me directly.


Goran Novkovic, CQA, CSQE, ITIL, APM, PMP, PEng

Goran Novkovic is Senior Manager, OT Cybersecurity with PwC Canada. He has 17 years of professional engineering experience within manufacturing organizations and utilities, public and private sectors. His expertise is in OT/ICS cybersecurity, IT/OT convergence, IoT/IIoT deployments, control systems engineering, cloud security and regulatory compliance. Goran has a formal education in Electrical Engineering and Project Management and possesses a master's degree in Information Technology. He has a number of professional licenses and designations. He is a Certified Quality Auditor and Certified Software Quality Engineer with the American Society for Quality. Goran is certified in ITIL, a certified Agile Project Manager and a Project Management Professional with the Project Management Institute. He is a licensed Professional Engineer in Ontario. Goran is focused on OT/ICS Cybersecurity and he is helping manufacturing organizations to develop OT Cybersecurity Programs that support Smart Manufacturing innovation.
E-mail contact:  gornovkovic@gmail.com
