As organizations become more sophisticated in their use of cloud -- and as cloud services become more prevalent in enterprises -- new business models are emerging that not only seek to provide new services to customers, but also package existing services in different ways. One concept that is starting to come to the fore in this regard is that of the cloud service broker.
While by no means universally adopted -- or even universally accepted -- these relationships do exist. And given that they do, it's important for security practitioners to realize that securing a cloud service broker relationship can be somewhat different from securing a run-of-the-mill one-off cloud relationship, because it's a different type of relationship. For the security evaluation of a given individual service provider, there are some excellent resources out there to help customers analyze and evaluate security risks; for example, the Cloud Security Alliance's Governance, Risk Management and Compliance Stack, as well as other specialized tools and resources. For broker relationships, on the other hand, many of these resources may be less applicable.
In this tip, I will discuss why security professionals in a post-cloud world should understand what a cloud service broker is, why this matters from a security standpoint and what some of the advantages and disadvantages are of a service broker relationship from a security-specific point of view.
What is a cloud service broker?
By definition, a cloud service broker is a middleman of sorts that bundles together multiple service offerings. This means individual services are purchased, coordinated, managed and/or contracted through one central source rather than individually -- sometimes with additional services added on. One way to think about this is as analogous to a value-added reseller or integrator role in a non-cloud technology ecosystem.
Many types of cloud service broker relationships exist. One could, for example, involve the aggregation of multiple service offerings from a billing perspective (i.e., the customer gets one bill that spans multiple service provider offerings). Other relationships are from a management standpoint (i.e., one user interface to manage multiple different offerings), from a contractual standpoint (i.e., the customer has one contract instead of many and gets multiple services under that umbrella), or from the unification of any other aspect of service delivery under one centralized relationship. Cloud service brokers could also involve the packaging and reselling of "fungible" back-end services (e.g., storage or compute resources) from different service providers, making them available to the customer through a unified interface.
So why would enterprises want such a relationship? The main advantage of a cloud service broker from a customer perspective is that rather than having to track and maintain multiple one-off service provider relationships, an organization can have a single relationship with the broker instead. This can make contractual negotiation easier and greatly simplify management of the relationship. There can also be cost benefits: the broker might pass along advantageous volume pricing to customers, or it might provide value-add services such as tailoring offerings to a particular industry or slicing high-volume services into portions sized for small and midsize businesses.
Cloud service broker security challenges and benefits
Despite its ability to simplify management and reduce costs, a cloud service broker relationship can come with a number of security challenges because it introduces an intermediary between a cloud service provider and the customer. Think about how much complexity is already present in a given cloud relationship when looked at from a "supply chain" perspective (i.e., accounting for the third-party relationship and all supporting relationships).
For example, consider an organization employing an arbitrary Software as a Service (SaaS) application. That application might be built on top of another service provider's Platform as a Service (PaaS) offering, which in turn might be hosted on yet another service provider's Infrastructure as a Service (IaaS) package. A failure anywhere in this chain can surface as a security issue or a service disruption for the customer at the top of it, as many websites -- including Quora, Foursquare, Reddit and numerous others -- experienced when Amazon's Elastic Compute Cloud (EC2) had a significant outage in April 2011.
A cloud service broker -- as an intermediate party involved in packaging, aggregating and customizing cloud content for its customers -- adds complexity to an already-complex set of circumstances. The broker itself might have multiple SaaS relationships (or PaaS and IaaS offerings) in the scope of what it provides, and each one of those might rest on top of its own delivery chain. Worse, several of the "independent" services in a bundle may quietly share a dependency further down the chain, so that one outage or compromise affects all of them at once. As you might well expect, unpacking the risk dynamics of all of these services in aggregate can be a thorny problem.
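One practical way to get a handle on the aggregate picture is to write the delivery chain down as a graph and walk it. The following is an added example, not code from the article or from any broker; the bundle, service and provider names are constructed and hypothetical. It enumerates every provider each bundled service transitively rests on, and then flags providers that sit underneath more than one bundled service, which is exactly the hidden common dependency the EC2 outage above exposed.

```python
"""Enumerate the delivery chain behind a brokered bundle and flag shared
dependencies. Added example; the bundle and provider names below are
constructed for illustration and are not data from the article."""

from collections import defaultdict

# Constructed delivery-chain graph: each service or provider maps to the
# providers it is built on. All names are hypothetical.
DELIVERY_CHAIN = {
    "broker-bundle": ["crm-saas", "hr-saas", "backup-saas"],
    "crm-saas": ["paas-a"],
    "hr-saas": ["paas-b"],
    "backup-saas": ["iaas-x"],
    "paas-a": ["iaas-x"],
    "paas-b": ["iaas-x"],
    "iaas-x": [],
}


def transitive_providers(graph, node):
    """Return every provider that `node` depends on, directly or indirectly."""
    seen = set()
    stack = list(graph.get(node, []))
    while stack:
        dep = stack.pop()
        if dep in seen:
            continue
        seen.add(dep)
        stack.extend(graph.get(dep, []))
    return seen


def shared_dependencies(graph, bundle):
    """Map each underlying provider to the bundled services that rest on it,
    keeping only providers that support more than one service.

    Such a provider is a common failure point: an outage or compromise there
    takes down several apparently independent offerings at once.
    """
    supports = defaultdict(set)
    for svc in graph.get(bundle, []):
        for dep in transitive_providers(graph, svc):
            supports[dep].add(svc)
    return {dep: sorted(svcs) for dep, svcs in supports.items() if len(svcs) > 1}


if __name__ == "__main__":
    for svc in DELIVERY_CHAIN["broker-bundle"]:
        print(svc, "->", sorted(transitive_providers(DELIVERY_CHAIN, svc)))
    print("shared:", shared_dependencies(DELIVERY_CHAIN, "broker-bundle"))
```

In the constructed graph all three bundled services end up on the same IaaS provider even though they use two different PaaS layers, so `shared_dependencies` reports `iaas-x` once with all three services behind it. Populating the graph in practice means asking the broker, and each provider it bundles, who they in turn build on; the walk itself is the easy part.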
It's important, however, to realize that cloud service brokers are not necessarily all bad from a security point of view; there can be some significant upsides. First, some cloud service brokers are founded on the premise of addressing security and/or compliance challenges in the cloud. A cloud service broker might base its entire business on meeting the compliance or security needs within a particular industry (e.g., a cloud service broker specializing in healthcare might make it part of its service offering to understand the requirements of HIPAA and ensure that these requirements are addressed in the individual service provider relationships they bundle).
Second, a cloud service broker relationship can help offset the impact of shadow IT, a pernicious issue when it comes to cloud. Cloud use by its very nature lends itself to shadow IT, making a full picture of cloud usage in a given organization hard to obtain. Between instant-on and pay-as-you-go delivery models, it's easy for those outside of IT (developers, business leads, etc.) to establish cloud relationships without going through formal channels. To illustrate the extent of this issue, a recent survey from 2nd Watch suggested that 61% of enterprise business units using cloud services circumvent their own IT departments and go directly to the cloud service provider. Adding a cloud broker into the equation as part of a broader enterprise strategy can help: if a relationship with a broker already exists when unsanctioned cloud use is discovered (for example, with discovery tools such as those from CipherCloud or Spiceworks, or by reviewing outbound proxy logs), it is often feasible to transition that usage to the broker and manage it through the unified relationship rather than shutting it down.
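The discovery step itself does not require a commercial tool to get started. Below is an added example, not code from the article or from any of the vendors it names, that does the simplest version of what such tools do: parse outbound proxy log lines, match destination hosts against a catalog of known cloud service domains, and report the ones that are not among the sanctioned (brokered) services, along with which internal clients are using them. The log excerpt, the domain names and the catalog are all constructed for illustration.

```python
"""Flag cloud services reached directly rather than through the sanctioned
(brokered) relationship, from proxy log lines. Added example; the log lines,
domain names and lists below are constructed and hypothetical."""

import re
from urllib.parse import urlsplit

# Constructed proxy log excerpt: timestamp, client IP, method, URL, status.
PROXY_LOG = """\
2024-03-04T09:12:01Z 10.1.4.22 GET https://crm.brokered-example.com/login 200
2024-03-04T09:12:09Z 10.1.4.22 POST https://crm.brokered-example.com/api/v1/leads 201
2024-03-04T09:15:44Z 10.1.7.10 GET https://files.rogue-storage-example.net/ 200
2024-03-04T09:16:02Z 10.1.7.10 PUT https://files.rogue-storage-example.net/upload 200
2024-03-04T09:20:30Z 10.1.9.3 GET https://www.intranet-example.local/home 200
2024-03-04T09:21:11Z 10.1.9.3 GET https://notes.rogue-saas-example.io/board 200
2024-03-04T09:25:00Z 10.1.7.10 GET https://notes.rogue-saas-example.io/board 200
"""

# Services already provided through the broker (hypothetical domain).
SANCTIONED_DOMAINS = {"crm.brokered-example.com"}

# Catalog of cloud service domains the organization can recognize, sanctioned
# or not. Hypothetical; stands in for a discovery tool's vendor catalog.
CLOUD_SERVICE_CATALOG = {
    "crm.brokered-example.com": "CRM",
    "files.rogue-storage-example.net": "file storage",
    "notes.rogue-saas-example.io": "collaboration",
}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    return {"ts": ts, "client": client, "method": method,
            "host": urlsplit(url).hostname, "status": int(status)}


def find_shadow_usage(log_text, sanctioned, catalog):
    """Return {host: {"category", "clients", "requests"}} for catalogued
    cloud services that are reached directly, i.e. are not sanctioned.

    Hosts absent from the catalog (intranet sites, general web) are ignored;
    a real discovery tool differs mainly in the size of its catalog.
    """
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"] not in catalog or rec["host"] in sanctioned:
            continue
        entry = findings.setdefault(
            rec["host"], {"category": catalog[rec["host"]], "clients": set(), "requests": 0})
        entry["clients"].add(rec["client"])
        entry["requests"] += 1
    # Sort client lists so the report is deterministic.
    return {host: {"category": e["category"], "clients": sorted(e["clients"]),
                   "requests": e["requests"]} for host, e in findings.items()}


if __name__ == "__main__":
    for host, e in find_shadow_usage(PROXY_LOG, SANCTIONED_DOMAINS,
                                     CLOUD_SERVICE_CATALOG).items():
        print(f"{host} ({e['category']}): {e['requests']} requests from {e['clients']}")
```

On the constructed log the brokered CRM is skipped, the intranet host is not in the catalog and is ignored, and the two unsanctioned services are reported with the clients using them. That list of hosts and categories is the input to the conversation the article describes: which of these can be moved under the existing broker relationship, and which need a separate decision.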
It is critical to keep in mind that the security concerns associated with a cloud service broker differ from those of direct service provider relationships, and that as more enterprises adopt this approach, new issues are likely to arise. If, as some predict, these relationships expand in scope and become more prevalent, security professionals need to know what to expect from cloud service brokers and how their risks differ from those of individual cloud service provider relationships.
About the author:
Ed Moyle is the director of emerging business and technology at ISACA. He previously worked as senior security strategist at Savvis Inc. and as senior manager at Computer Task Group. Prior to that, he served as vice president and information security officer at Merrill Lynch Investment Managers.