Tuesday, June 19, 2018


This blog is a MESA Member Point of View.

By Goran Novkovic, MESA Member, CQA, CSQE, ITIL, APM, PMP, PEng

This blog is part of a series called Manufacturing in the Cloud. This series aims to assist manufacturing organizations to evaluate how they can overcome challenges and maximize cloud computing benefits. As cloud computing services mature both commercially and technologically, this is likely to become relatively easier to achieve.

Service Level Agreement (SLA) with a Cloud Service Provider (CSP) is a live document that must be well-understood and negotiated between Cloud Service Customer (CSP) and Cloud Service Provider (CSP) so that the manufacturing organization as CSC can successfully manage and satisfy all security and regulatory compliance requirements in the cloud. Both parties have an interest to come to an agreement. 

When the manufacturing organization signs the SLA as a legally binding agreement with the CSP, it should not stop here because things are not done. They are actually never done. 

Managing SLA is a continuous process. SLA should be constantly monitored, updated and improved to meet the business needs of the manufacturing organization. This is a critically important process, which provides many opportunities for continuous improvements in satisfying statutory, regulatory and contractual obligations for the manufacturing organization. 

When we talk about sensitive business data and software applications in the cloud in terms of SLA, please keep in mind the manufacturing organization possesses the legal ownership and has full control of data assets stored in the cloud regardless of the physical location in which they are hosted. Furthermore, the Cloud Service Provider (CSP) typically is not provided with access to the data at all. Most CSPs are actually claiming that they don’t even know what data your manufacturing organization has stored in the cloud! Do you believe in it? 

On the other hand, the CSP is legally responsible to protect any hosted data assets that are owned by their customers (i.e. manufacturing organizations) based on SLA, so the CSP cannot delete, modify, copy, or even sell customer data without the customer’s knowledge. 

How the Cloud Service Provider handles sensitive data and software applications can vary from one CSP to another. And this is something that the manufacturing organization would have to investigate and make sure that provided functions meet particular business interests in terms of security and regulatory compliance in the cloud. 

For example, one of the things that the manufacturing organization must determine is whether data is encrypted when it is being transmitted to and from the cloud (data in transit), whatever data is encrypted when it is used by software applications (data in use), but also whether data is encrypted when it is stored in the cloud (data at rest).
Regulatory requirements can influence configurations for, and the selection of, an appropriate cloud computing environment. Depending on the industry sectors, one of the regulatory requirements for manufacturing organizations can be that manufacturer's data must be within national boundaries. 

However, the CSP might not be able to determine exactly where the data are physically stored particularly when redundant cloud infrastructures are implemented. Does it sound interesting to you? I have recently attended the conference provided by one of the major CSP where the presenter said that their cloud solutions are so secured that they make so many copies of customer data so there is no way that customer will ever lose data! This made me so uncomfortable. How do you feel about that? Do you really want to hear that CSP is making multiple copies of your data without your knowledge?
What about secure data deletion (Media Sanitization Policy), which says when data is deleted, it stays deleted and cannot be recovered? You might be wondering, is there any copy or instances left where data is not actually deleted? How this can affect our exit strategy if we decide to leave this particular CSP?
The physical locations of the servers that are used to store and process manufacturer's data can become a critical contractual issue. In other words, one of the biggest questions that seems to arise when it comes to cloud computing is where exactly manufacturer's data is physically located. It might be stored on a data center server in a different country!
And that could be a sticky issue, because depending on the industry and what organization is storing in the cloud, the manufacturing organization might have many security or legal reasons for ensuring the data is stored in a data center within national borders, and being operated by citizens of a particular country, domestically. So it really depends on what the manufacturing organization is doing in the cloud and what type of business the manufacturing organization is in. At very least, requirements for the physical location of the stored data must be clearly defined under the Service Level Agreement (SLA) between CSP and the manufacturing organization.

Can standards help mitigate risk in an SLA? For successful adoption of cloud computing services, a manufacturing organization needs assurance that CSP is trustworthy and is taking all possible precautions to reduce vulnerabilities and protect critical assets. This assurance often comes in the form of industry-recognized security certifications (for example, ISO 27001) obtained by the CSP, confirming that the Cloud Service Provider complies with certain standards and regulations, and (when possible) providing the customer (manufacturing organization) access to audit reports. 

An effective and trusted cloud environment is implemented through a combination of effective risk management and compliance with regulatory requirements (including legal responsibilities and standards). Both parties (CSP and CSC) are required to satisfy legal requirements and standards, but this must be considered from two different views. 
  1. From the CSP perspective, they have to satisfy the laws and regulations governing their own business, as well as the legal obligations defined by the SLA. For example, the CSP cannot make multiple copies of data outside of its own national borders if this is not legally permitted, and it cannot sell data to someone else to make a profit. 
  2. On the other hand, CSC must satisfy regulatory requirements with the organizations and regulatory bodies they do business with.  
In terms of standards, this is primarily related to CSPs, since they want to attract manufacturing organizations to do business with. For example, one of the basic standards that every CSP should follow is ISO 27001. However, the manufacturing organization does not need to be ISO 27001 certified. 

Why? Because there are so many elements in ISO 27001 and other standards, recommendations and best practices (e.g. NIST 800 Special Publications) that manufacturing organizations can use to secure its data and software applications while satisfying regulatory compliance requirements. 

Stay tuned for more about the responsibilities in the cloud. In the next blog, we will be talking about Cloud Responsibility Matrix, and further discuss specific security responsibilities between Cloud Service Providers and manufacturing organizations. Cloud Responsibility Matrix is one of the major reference points and critically important to know.

Goran Novkovic, CQA, CSQE, ITIL, APM, PMP, PEng
Goran is Director in Cyber-Kinetic Security practice with PwC. He is Professional Engineer with 17 years of experience in Operational Technology/ Industrial Control Systems Cybersecurity. Goran provides expertise in OT/ICS cybersecurity management and combines it with IT/OT convergence, industrial intelligence and innovative technology solutions (Big Data. AI, ML, IoT/IIoT, Industrial Analytics). Goran is helping manufacturing organizations to define their cybersecurity goals and objectives, to determine where they currently are and where they want to be in terms of organizational cybersecurity and digital transformation. He is working with manufacturing organizations to successfully manage OT/ICS challenges by establishing strong OT Cybersecurity Governance, defining OT Cybersecurity Frameworks and developing OT Cybersecurity Programs from scratch. His approach to OT/ICS Cybersecurity includes addressing safety and security of information, technology, people and facilities. Goran is helping manufacturing organizations to improve cybersecurity culture by developing and delivering cybersecurity training and awareness programs. Goran takes cybersecurity initiatives as opportunities for optimization, improvement and innovation for every manufacturing organization no matter the size or industry sector.
E-mail contact: goran.novkovic@pwc.com

No comments: