Regulatory Conformance

This is a guide on regulatory conformance.


Legal and Compliance


Regulatory conformance is an organization's obligation to adhere to the laws, regulations, guidelines, or specifications that apply to it. Which ones apply depends on the business you are in, the operations you perform, and the services you provide to customers. If you handle credit card payments online, you must comply with one specific standard; if you handle the personally identifiable health information of patients, a different regulation applies. If you fail to meet these obligations, there can be different kinds of penalties and legal action: fines, lawsuits, and in the worst case a halt to your operations. So it is not enough to sign up for a certification or a regulation; you have to comply with it fully and keep complying.
In an online environment this is a shared responsibility: it rests with the cloud consumer as well as with the cloud service provider. You cannot say "we are compliant because our cloud service provider is compliant." If you process credit card transactions online, you have to be compliant yourself, for the parts of the system that you control.

So you have to ensure that these regulatory requirements are met, with no fallback excuse standing in for actual compliance. Why does compliance matter in cloud computing? First, adopting a regulation or standard brings a great deal of operational consistency, because it tells you how to perform certain tasks according to defined guidelines. You cannot deviate from those guidelines, or you will have non-conformances when an audit is conducted. Second, it forces information visibility: where is your information stored, how is it stored, and who has access to it? Access control becomes something you can see and demonstrate. Third, it gives you a better security posture, because it requires you to put specific security controls into practice. You cannot simply say, "I have a firewall, so my infrastructure is secure." You need multiple layers of security controls, which is what is known as defense in depth.

Physical security is a good illustration. Have you installed CCTV cameras? Motion sensors? Is there a security guard at the building entrance or the data center entrance? Are there access controls before somebody walks into your data center room and takes away a hard drive? Fourth, you want to avoid regulatory fines. If you handle credit card information in online transactions, you need to be compliant with PCI DSS. Having been assessed as compliant once does not settle the matter: when your attestation comes up for renewal, you will need to show that as your business operations expanded or shrank, your security controls were adjusted accordingly. Whatever changes in your business, your security landscape has to change with it, and this has to be done to avoid legal issues and regulatory fines.

Which compliance regimes apply depends mainly on the type of operations you perform. As I said, online card transactions bring one type of compliance; patients' personally identifiable information brings another; and if you are a federal agency handling government information, there is yet another. Let's have a quick look at some of them, starting with the Payment Card Industry Data Security Standard, known as PCI DSS.
This is the information security standard for organizations that handle cardholder data from the major card brands. So if you store, process, or transmit card data, whether credit or debit, in an online transaction,

then PCI DSS applies to you. It is mandatory, but note that it is a contractual requirement imposed by the card brands and acquirers rather than a law. Next is the Health Insurance Portability and Accountability Act, HIPAA. It sets privacy and security standards to protect patients' medical records and other health information, meaning anything relating to a patient's condition, diagnosis, or treatment. It applies to anybody who handles patient health information, such as hospitals and healthcare service providers, and to the business associates that process it on their behalf. Then there is the Federal Information Security Management Act, FISMA, which is about protecting US government information, operations, and assets against threats, whether natural, like a hurricane or a flood, or man-made, like a distributed denial of service attack or a brute force attack.

Next comes the Sarbanes-Oxley Act, SOX. It is about protecting shareholders and the general public from accounting errors and fraudulent practices, which can occur in large organizations where millions of dollars are in play and fraud may be going on internally. SOX focuses on improving the accuracy and reliability of corporate disclosures: you cannot run accounting operations within an organization and fail to disclose them properly, and non-compliance carries legal penalties. For a security team, the relevant part is that the IT controls around financial systems, such as access control, change management, and audit logging, fall within the audit's scope. In the cloud environment you are likely to face compliance and conformance challenges, because the environment is very different from an on-premises data center and a lot of things are not in your control.

So as a cloud consumer you cannot ensure compliance by yourself; part of it depends on the provider. Then, the legal landscape varies from country to country. An act like FISMA applies only within the United States of America and nowhere else in the world. Because laws differ by country, and your data may be stored in a different country, the laws of that country will apply to it. So whenever you migrate to or use a cloud environment, you need to know where your data is stored and which country's laws apply. The other problem is that the legal landscape changes as technology changes. It is unlikely that you will find a regulation that is ten years behind the technology, because the bodies that own these regulations

update them from time to time to keep pace with technology. As technology matures, new regulations come into practice and older ones evolve to match what exists today. So you need to keep complying with these regulations and keep your infrastructure up to date, and this has to happen periodically: every few years a new regulation comes into practice that you need to comply with. As a cloud consumer, because the infrastructure is not in your control, complying with all legal and regulatory requirements can be difficult, since the physical infrastructure is not yours to inspect.

For anything to do with the physical infrastructure, you have to rely on the cloud service provider's word, backed by whatever audit reports and contractual commitments they give you. That makes it hard to know exactly where your data is stored and where it is replicated, and the moment your data is replicated into another country, that country's rules and regulations apply. Now let's look at the types of laws. There are international laws, national laws, and state laws, and depending on which country you are in, different rules apply. International laws govern the relationships between different countries. PCI DSS is often grouped with them because it applies worldwide, but strictly it is an international industry standard, not a law: anyone in any country who accepts or processes card payments has to meet it. State laws apply within a single state; for instance, a law may apply only in the state of New York.

Then there are copyright and privacy laws. Anyone who infringes a copyright or misuses private information falls under those laws and is liable to the punishment they prescribe. They come into play when you commit copyright infringement, share information with a party who is not its legal owner, or share it without the owner's consent. Then there is the enforceable governmental request, which is an order from the government that you are obliged to comply with. Next, intellectual property rights, which cover creations of the mind. Anything you create with your own thought process is your intellectual property: words, logos, symbols, artistic creations, and literary works are all considered the intellectual property of their creator. Intellectual property rights help you retain the rights to your own creation.

So patents, trademarks, and copyright protections help you protect your entitlement to what you have created. Then there is privacy law, which can be defined as the right of an individual to determine when, how, and to what extent their personal information is released. Then comes the doctrine of the proper law, which applies when a conflict of laws arises: it determines which jurisdiction's law governs the dispute and where it will be heard, and that is usually based on the contractual agreement between the two parties.

For instance, a contract with a company normally has a clause stating that any dispute will be handled in a particular state or jurisdiction, and normally that is where the company is situated. Then there is criminal law, which is the set of rules defining conduct that is prohibited by the government in order to protect the safety and well-being of the public. In the simplest terms, it is anything the government says you cannot do.

If you do it anyway, that is a criminal act, and criminal law defines the punishment you will receive for committing it. Then comes tort law, which is about providing relief to a person who has suffered as a result of somebody else's wrongful act. And then there is the Restatement of the Law, Conflict of Laws, which is a collation of developments in the common law on which jurisdiction's law applies. Just to recap, we talked about different types of regulations and different types of laws, and we saw that laws can be national, state, or international.


Framework and Guidelines

A framework is a set of guidelines you can use to perform certain tasks. For example, when you need to retain data on a hard drive, a framework will tell you that you have to encrypt the data, both in storage and in transmission. So you have a defined set of guidelines for how to perform a task in a security context. A framework may also be aligned to legal requirements or regulations that protect your data. For credit card data or online card transactions, you need to be PCI DSS compliant, and frameworks like that give you guidelines to align your tasks with and help you meet a set of rules and regulations. If you do not apply them in the work you do, you may end up with a lawsuit or a finding of non-compliance.
You may also end up with a more concrete problem, such as a data breach. So you need to clearly define the security policies within your organization so that you are aligned with the framework you have chosen. That does not mean every organization needs to be compliant with a specific external framework. Several organizations may not adopt any of them and instead maintain an internal ISMS, an information security management system, with their own security policies that they strictly follow. It all depends on the kind of work your organization does: as in the example I gave, if you process online credit card transactions you need to be compliant with PCI DSS. These frameworks also help you reach a defined level of security by guiding you to implement a set of security controls that protect your data.

Security frameworks like ISO 27001 do not tell you exactly what to implement. They tell you that you need to encrypt your data, for instance, and how you encrypt it is your choice. Then there are much more prescriptive frameworks like PCI DSS, which tell you both what needs to be done and how. So depending on the work your organization does, you have to choose the right framework and the right security controls to protect your data. This is the point I just made: how and what type of security must be implemented depends on the framework you choose. A generic framework like ISO 27001 gives you a set of objectives you must meet, such as encrypting your data, while a strict one like PCI DSS guides you into implementing specific controls.

It will tell you, for example, what kind of rules your firewall should have, and generally exactly what needs to be done and how. Now let's discuss some of the common frameworks for cloud computing. The first is the OECD Privacy Guidelines, which in their 2013 revision added guidance on national privacy strategies, privacy management programs, and data security breach notification. Next is the EU Data Protection Directive, whether you call it a framework or a regulation. It focused on the protection and the free movement of personal data within the European Union and was designed to protect the privacy of all personal data collected on EU citizens; it has since been replaced by the GDPR. Then there is the ePrivacy Directive, which covers the processing of personal data and the protection of privacy in electronic communications.

Then there is the GDPR, the General Data Protection Regulation, which addresses protection against unauthorized and unlawful processing of personal data and requires an organization to implement appropriate technical and organizational measures to protect it. Next is the Asia-Pacific Economic Cooperation (APEC) Privacy Framework, which focuses on the privacy of personal data across the APEC economies. Then there is ISO/IEC 27017:2015, which focuses on information security controls applicable to cloud services. Now let's look at some of the common legal requirements. There are US federal laws, such as HIPAA and COPPA, the Children's Online Privacy Protection Act, which imposes specific requirements on online services that collect personal information from children under 13, including how that data is collected, stored, and shared with partners or third parties. Then there are US state laws, which apply within a specific state.

Anything that happens within that state regarding data or its privacy is subject to that state's law. Then there are standards, which capture requirements and guidelines; ISO 27001 and PCI DSS are examples. Then there are international and regional regulations and frameworks that apply across borders in many countries and define what must happen to the data. PCI DSS and ISO 27001 are international standards that apply in a specific context. Finally, there are contractual obligations. Sometimes your organization will sign with a client who requires a specific certification. For example, if your organization processes information for a client, that client will want the proper level of security applied to the data you are processing.

So there may be a contractual obligation to be compliant with, say, the ISO 27001 standard, and to obtain that certification and maintain it for as long as you work with that client. Just to recap, we talked about different types of frameworks, such as PCI DSS and ISO 27001, and about regulations like the GDPR.


E-Discovery

Let's now talk about the e-discovery process. E-discovery is about how you identify, collect, and use electronically stored information, including data recovered in a forensic investigation, and make it presentable for a trial in a court of law. The whole process is about locating, searching, securing, and reviewing information stored on a hard drive or other media. For example, suppose a user deleted a set of files that could be important in an investigation.
The e-discovery process helps you locate that information, and it covers the whole path of finding it and establishing that what you found is relevant to the investigation. The data you discover has to go through all nine stages of the process before it can be presented in an investigation or in legal proceedings. Now let's look at the e-discovery challenges. The biggest challenge is the location of the data: it could be in a public cloud or a private cloud. A private cloud is in your control; as the cloud consumer it is your data center, or it is run by a third-party service provider, but you own that cloud.

So recovering information from it is relatively easy. In a public cloud, whatever the deployment model (infrastructure as a service, platform as a service, or software as a service), you only see the front end. At most, in IaaS, you can go down to the virtual machine and its operating system, and in PaaS and SaaS not even that far. The data actually lives on a physical disk that you do not have access to. So how do you control that data, and how do you run the e-discovery process on it? That is a major challenge. Then comes the question of who controls or hosts the data.

Depending on whether you run a public or a private cloud, this challenge may or may not arise. In a private cloud you control and host the data, so it is easy to get your hands on the physical drive and perform the data retrieval; that is not the case in a public environment. Then, which methods or tools do you use when the data is in the public cloud? Remember, the physical infrastructure is in the hands of the cloud service provider, and they may or may not have the appropriate tools. You cannot just run any recovery tool and say, "I have recovered the lost data." E-discovery tools are specialized: they not only discover the data, they also preserve it in its original format.

They also ensure that the data is not tampered with during recovery, that is, it does not lose its integrity. So does the cloud service provider, specifically the public cloud provider, have tools and methods that can be used in the e-discovery process? That raises a prior question: does the provider support the e-discovery process at all? When you sign up with a provider, check this point, in case anything goes wrong with the data. If they do provide the service, be very specific about it and write it into the service-level agreement (SLA): if an issue arises, they must assist with e-discovery. Time limits matter too; you do not want the provider writing into the agreement that they will take ten days to recover the data.

You would not want that, because the data might lose its validity. So let's look at the e-discovery process itself, which has a total of nine stages. It starts with information management, or information governance, which is the implementation of processes, controls, and procedures to manage information; this is the starting point of e-discovery. Then you move to the identification stage, which determines what is important, that is, what you are actually trying to discover. Then you move to the preservation stage, which protects what has been identified. There will be some piece of information you have identified as something you want to recover or search for, because it is important to present in court or as evidence.

Therefore, once you identify the piece of information, you protect it. Next is the collection stage, in which you collect the information along with its metadata and other attributes without spoiling its integrity. This is critical: the file must not lose its integrity, and its metadata and attributes must be preserved as they are. Then comes the processing stage, which prepares the collected information using software; processing cannot be done manually. Once that is done, you review the processed information to distinguish relevant from non-relevant data. Then you move to the analysis stage, in which you evaluate the information for its content and context. Then comes the production stage, in which you produce the information as evidence.

Here you determine how documents must be protected and produced. Finally, the presentation stage determines how the information is displayed as evidence at trial. That is the entire e-discovery process, from creating and managing information to presenting it as evidence. It is important to go through all these stages in order; they build on each other and cannot be skipped. For instance, you cannot go straight from identification to processing, skipping preservation and collection. Skipping stages spoils the process and, with it, the most critical piece, the information you are trying to discover, and once the information is spoiled it cannot be produced as evidence. So you have to be very cautious when handling the e-discovery process. Now we come to the e-discovery maturity model. The first level is the ad hoc model. This is a chaotic process, because the company has little or no experience with e-discovery, and there is a very high risk of spoiling the evidence, breaking the chain of custody, and so on.
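The preservation and collection stages above rest on being able to prove later that nothing changed between collection and production. As an added example (this is not code from the course), the following Python script builds a collection manifest: it hashes each file with SHA-256, records its size and modification time, and hashes the manifest itself so that one value can be written into the chain-of-custody record. A verify step then re-hashes the files and reports any that are missing or altered. The two sample files and their contents are constructed for the demonstration.

```python
"""Added example: collection manifest with integrity verification for e-discovery.
Illustrative code, not from the course; the sample evidence files are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large evidence files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def _entries_digest(entries):
    """Canonical JSON of the entry list, hashed, so the manifest itself is checkable."""
    canonical = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def collect(root):
    """Walk the evidence tree and record path, size, mtime and SHA-256 for every file.

    Files are opened read-only and metadata comes from os.stat, so collection itself
    does not alter content or modification times (the preservation requirement)."""
    entries = []
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            entries.append({
                "path": os.path.relpath(path, root),
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": sha256_file(path),
            })
    manifest = {
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "files": entries,
    }
    # This single value is what goes into the chain-of-custody record.
    manifest["manifest_sha256"] = _entries_digest(entries)
    return manifest


def manifest_intact(manifest):
    """True if the manifest's entry list has not been edited since collection."""
    return _entries_digest(manifest["files"]) == manifest["manifest_sha256"]


def verify(root, manifest):
    """Re-hash every collected file; return (path, reason) for anything that changed."""
    problems = []
    for entry in manifest["files"]:
        path = os.path.join(root, entry["path"])
        if not os.path.isfile(path):
            problems.append((entry["path"], "missing"))
        elif sha256_file(path) != entry["sha256"]:
            problems.append((entry["path"], "content changed"))
    return problems


def demo():
    """Collect two constructed files, verify, tamper with one, verify again."""
    with tempfile.TemporaryDirectory() as root:
        samples = {  # constructed sample evidence
            "mail.eml": b"From: vendor@example.com\nSubject: contract draft\n",
            "notes.txt": b"call vendor about clause 4\n",
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        manifest = collect(root)
        clean = verify(root, manifest)
        with open(os.path.join(root, "notes.txt"), "ab") as fh:  # simulated tampering
            fh.write(b"edited after collection\n")
        tampered = verify(root, manifest)
        return len(manifest["files"]), manifest_intact(manifest), clean, tampered


if __name__ == "__main__":
    print(demo())
```

In practice the manifest would be written to write-once storage and its hash recorded with the custodian's name and timestamp; the verify step is then run again before processing and before production, so any break in integrity is caught before the data reaches a courtroom.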

This means the company may actually end up spoiling evidence that could have been preserved. Level two is the managed process: the company is learning about e-discovery but does not have much experience, so it may hire an external vendor or an expert to manage the whole process. Level three is the standardized process:

here the company goes to a trusted service provider or partner to manage the whole process in a repeatable fashion; this external vendor or expert is a permanent arrangement who comes in to run e-discovery as and when required. Level four is the semi-integrated process, in which the company brings the knowledge and the tools in-house; internal resources run the process, with specialized external entities or service providers assisting. Level five, the most mature stage, is the integrated and optimized process: the organization has the experience and the expertise, it has the strategies and the processes, it knows how to handle the information that needs to be produced as evidence, and it focuses on integrating IT systems such as enterprise search and archiving. Now we are going to talk about conducting the e-discovery investigation.

The first option is SaaS-based e-discovery, where the cloud service provider gives you the tools and the processes to perform the entire process; this is also known as e-discovery in the cloud. The second is hosted e-discovery, which is provider-based: a specialist e-discovery service provider, not the cloud service provider itself, conducts the e-discovery process on the data stored in the cloud, under an arrangement the cloud provider supports.

The third option is third-party e-discovery, in which the cloud service provider has no engagement with the third party at all: you hire the third party, bring them on board, and ask them to run the e-discovery process. Just to recap, we talked about the e-discovery process, its stages, the maturity levels, the ways of conducting it, and the entities that can be involved.


Auditing the Cloud

In this video, we focus on auditing the cloud service provider. System and Organization Controls (SOC) reports are independent third-party attestation reports, and there are three kinds. SOC 1 focuses on internal controls over financial reporting and is mainly used by user entities and their auditors. SOC 2 covers the Trust Services Criteria of security, availability, processing integrity, confidentiality, and privacy; it is a restricted-use report, mainly used by the organization's management, its customers, and regulators, and typically shared under NDA. SOC 3 covers the same Trust Services Criteria but is a general-use summary that is made publicly available, so anybody can read it to understand how the cloud service provider secures data and what kind of audit has been done.
These three reports give great insight into the compliance posture of a cloud service provider. The SOC framework is defined by the AICPA, which allows qualified practitioners (licensed CPAs) to issue SOC 1, 2, and 3 reports. As a demonstration, the AWS compliance site has a SOC Resources section with a link to the AWS SOC 3 Report, which, as I said, is publicly available. That report is issued on Amazon Web Services by EY (Ernst & Young) and gives a lot of information about AWS's control environment. Apart from the provider's infrastructure and its SOC reporting, we can also audit our own infrastructure, using a tool like Qualys (here the Community Edition, with its Dashboard, Scans, Reports, Assets, KnowledgeBase, and Users tabs) to run different types of scans and audits. The Scans tab covers vulnerability scans, discovery scans, and scan settings.

So, for example, we can simply run a vulnerability scan and generate an audit report showing what vulnerabilities exist within our infrastructure. The report can be generated based on [Video description begins] He clicks the Reports tab. There are various sub tabs available in the Reports ribbon including Reports, Templates and Risk Analysis. [Video description ends] the templates that are available with the Qualys tool. [Video description begins] He clicks the Templates tab. A list of templates displays. The list contains the following column headers: Title, Type, Vulnerability Data, User, and Modified. [Video description ends] It could be a SANS Top 20 report, a high severity report, or simply a PCI DSS compliance framework report. So, depending on your requirement with a particular cloud service provider, for example AWS, you can generate different types of reports.

Now, just to recap, we talked about the different types of SOC reports, which are SOC 1, 2, and 3, and the intended users of these reports. We also looked at how we can use a third-party tool like Qualys to do the infrastructure audit, which can be done using a predefined template such as SANS Top 20 or PCI DSS.


Standards and Privacy Requirements

In one of the previous videos, we discussed what a framework is, and we also briefly talked about some frameworks like PCI-DSS and the ISO 27000 series. Now, let's look at some of these frameworks in detail. We will talk about ISO 27001, PCI-DSS, HIPAA, ISO 27018, and then GAPP. Let's start with ISO 27001, which helps you define an information security management system.
Now, in your organization you would probably already have a security policy and various security controls in place when you adopt ISO 27001. With this framework, you can define the ISMS, or Information Security Management System, and you also involve the management, because that is the entity that becomes the approving authority for your security policies. Along with the security policy, there would be a lot of other relevant policies, like a password policy and an acceptable usage policy. All of these fall under the security policy, and they have to be approved by the management. ISO 27001 has 114 controls and 14 clauses across 35 different categories. You do not have to apply all of them; you can apply certain controls depending on your requirements and skip the controls that have no application within your own environment.

ISO 27001 is pretty generic in terms of its implementation. It does not give you a very strict mandate as to what exactly you need to do. What it tells you is: these are the controls, these are the clauses, and these are the control categories; now see what is relevant to you and apply only that. So it helps you in reducing and controlling IT risks, because now you have a structured framework guiding your security policies and security controls, and a limited set of controls that you need to implement. Your focus is on the aspects of security that are relevant to your organization. And of course, you have to involve your management, which helps make them aware of the risks that can exist within the organization's IT infrastructure. To give you an example, let's say previously you did not have any security controls to encrypt your data in storage.

With the implementation of ISO 27001, it will mandate that you encrypt the data, whether it is in storage or in transmission. Because you are laying down certain security controls, you align your security policy to the controls you are implementing, and the threat landscape is reduced because there are fewer chances of security breaches. Now you have a structured approach that defines your security policy and a certain set of security controls you are implementing, and that helps you reduce the overall threat landscape. Because your threat landscape is reduced, there are higher chances of retaining the confidentiality of your information, because you assign access only to those who need it. All of this falls under the ISMS that is aligned with your security policy.

The security policy and its sub-policies, like the password policy, can be integrated into your existing IT infrastructure through ISO 27001. It lowers administration and security costs because you implement only what is necessary; everything else is discarded. You also need to reduce vulnerabilities, and therefore you can run vulnerability scans to discover them and take timely action to close them. You can build that into your security policy: every six months we are going to run a vulnerability scan, and we will also be doing penetration testing. Then, accordingly, we can build and deploy these tests within our infrastructure. Because ISO 27001 is a framework, it gives you a method to meet compliance requirements. A lot of your clients will tell you, okay, we can give you this project if you are ISO 27001 certified. In that process, you might already have a security policy and adequate security controls in place; all you need to do is align them with the ISO 27001 framework and get yourself audited by an authorized agency so that you can get the ISO 27001 certification. The latest edition of the ISO 27001 framework does not strictly adhere to the PDCA cycle, but you can still go ahead and implement PDCA, which is Plan, Do, Check, and Act. These four phases are part of the project management framework that can be applied to your existing IT infrastructure.

Then we come to the PCI DSS standard, which is another security framework. PCI DSS is applicable to any organization that handles any kind of credit card transactions in any volume over the Internet, be it 100 transactions, 100,000 transactions, or 1 million transactions a month. If you are doing any kind of online credit card transactions, processing them, handling them, or accepting credit card numbers, you need to be PCI DSS compliant. It applies to different merchant levels. There are basically four merchant levels to which PCI DSS applies, and these levels are defined by the Visa corporation. The first level is any organization that processes over 6 million transactions a year. The second is any organization that processes between 1 and 6 million transactions a year. The third is any organization that processes 20,000 to 1 million transactions a year. And the fourth is any organization that processes fewer than 20,000 transactions a year.

Now we come to HIPAA, which is the Health Insurance Portability and Accountability Act. This particular act was formed in 1996, and it is designed to provide privacy standards to protect patients' medical records and other kinds of health information, such as health plans, doctors, hospital information, or any kind of information that the healthcare provider is dealing with. What HIPAA says is that there is a requirement to ensure the privacy and security of the data; under any circumstances, the privacy and security of the data must be maintained. HIPAA focuses on three different levels of controls. These are administrative, such as applying a security policy; physical, such as CCTV cameras, motion sensors, or maybe deploying a security guard; and technical, which is about installing and configuring a firewall, an intrusion prevention system, or DLP, which is data loss prevention. Then, HIPAA is of three kinds.

There is HIPAA for the consumer, HIPAA for the provider, and HIPAA for regulators. For the consumer, it is about protecting your information through HIPAA. The second one is for providers, and this applies to those organizations that deal with personally identifiable information, or PII; they are mandated to protect the privacy and security of PII. The third one applies to regulators, which are the federal agencies responsible for protecting public health information. Now, let's talk about ISO 27018, which is about information technology, security techniques, and code of practice. This framework is designed to protect personally identifiable information, or PII, in public clouds. It has different sections. The first one is consent, which specifically states that the cloud service provider cannot and must not use any personal data for advertising and marketing unless instructed to by the consumers. If the consumer does not give consent, the cloud service provider cannot use anybody's personal information for marketing and advertising.

The next one is control, which explicitly states that the consumer has explicit control over how a cloud service provider can use their information. The third one is transparency: the cloud service provider must inform cloud consumers where the data resides. If I have uploaded some data, for example, I need to know where my data is residing. Also, if any third-party contractor or vendor of the cloud service provider intends to use my information, the cloud service provider must inform me, because that is my data; the provider must disclose to the consumer that the vendor is using their data and must take the approval, or consent, before using the data. Then the fourth one is communication.

The cloud service provider needs to keep clear records of any incident that occurs in their environment, and most importantly, they must also maintain information about how they dealt with a particular incident. Then we have the independent yearly audit. The cloud service provider may have to go through yearly audits by a third party. It cannot be a subsidiary or another organization whose vendor comes and does the yearly audit; it has to be an independent third party. This gives the consumer confidence that the cloud service provider is compliant with a specific regulation. Then we have the GAPP principles, which stands for Generally Accepted Privacy Principles. The GAPP principles are used by organizations to develop a privacy program, and they contain ten different sub-principles that you can use to secure the information and ensure that its privacy is maintained.

Let's now look at the sub-principles within GAPP. You have management; notice; choice and consent; collection; and use, retention and disposal. Disposal is specifically about the information and its retention, and how the information is disposed of. Then: who has access to the information? How is the information disclosed to third parties? What security is implemented for privacy? What is the quality of the data? And, basically, how is monitoring enforced in the cloud environment? These are the ten basic sub-principles of GAPP, which deal with the design, implementation, and communication of the privacy policy, and they also help you establish and manage privacy programs.

Using GAPP, you can also monitor and audit the privacy programs and measure their performance. So overall, GAPP enforces privacy and ensures that it is retained for the consumers, and that the data is not disclosed to anybody without prior permission from the consumer. Just to recap, we talked about various governance frameworks: ISO 27001, PCI-DSS, HIPAA, ISO 27018, and finally, towards the end, GAPP.


Service Level Agreements

When we talk about a Service Level Agreement, or SLA, it is an agreement between the cloud service provider and the cloud consumer. The SLA defines what kind of services have to be provided by the cloud service provider and what expectations the cloud consumer should have. One of the key components of the SLA is the uptime that needs to be provided by the cloud service provider, and this uptime has to be measured closely. The SLA can include a penalty clause, which means that if the services mentioned in the SLA document are not met, it defines what penalty should be imposed on the cloud service provider. You also have different types of SLAs for different services. For instance, you could have an SLA document for storage, one for database, and one for compute. Similarly, there are different types of SLAs that you can build around.
Let's now look at the types of SLA documents. These types of SLAs can differ: an SLA could be service dependent, or multiple services could be bundled into a single SLA. It depends on what services you are taking from the cloud service provider and what kind of SLA needs to be created. Let's first look at the multilevel SLA, which is used when you have different types of cloud consumers using the same service. This type of SLA is useful when a cloud service provider provides a similar solution to different consumer types. The second type is the service-based SLA. This is a service-driven SLA, which means a single service can be provided to all cloud consumers.

Then we come to the customer-based SLA, which is a unique agreement between a cloud consumer and the cloud service provider. Every time a cloud consumer needs to take your services, you can have a customer-based SLA signed, and that, of course, depends on what kind of services the cloud consumer is asking for. This is more like a customized version of the SLA, which means you are defining the expectations of the consumer in a particular SLA document. So every time you create a customer-based SLA, it depends on the services the cloud consumer is taking from the cloud service provider. Let's now look at the key SLA components. First, you have the cloud service provider's liabilities: what are the liabilities that the cloud service provider has to live with? You need to be very clear about this in the SLA document. You also need to be aware of when the suspension of a service can be imposed. For instance, if uptime is not up to the mark, you can measure it on a month by month basis; if you notice that the cloud service provider is not able to live up to the expectation, you can impose a suspension of service.

Then you can also define the exclusions. For instance, the cloud service provider can say, okay, in this particular SLA document, I am not liable for these kinds of services, so these services need to be excluded. Then come the SLA penalties: if the cloud service provider is not able to meet the expectations and is not able to fulfill the criteria mentioned in the SLA document, you can define the SLA penalties. Then we are also talking about disaster recovery. What happens in the case of a disaster? Is the cloud service provider liable to provide any kind of disaster recovery services? Are these disaster recovery services chargeable, or are they free of cost? All of this can be defined in the SLA. Then you also have to ask for the uptime guarantee.

That is the critical component in the SLA document. For instance, is the uptime going to be five nines, which means 99.999%? That gives you effectively five minutes of downtime throughout the year, so this needs to be defined in the SLA document. There are certain topics that you would want to cover in the SLA document. The first one is availability, which we spoke about: five nines, which means effectively five minutes of downtime throughout the year, and the remaining time throughout the year is the availability of the services within the cloud infrastructure. Then comes performance, which is the response time you are looking at: how much time should it take to load a particular web page? You can mention data security: whether it is going to be possible to encrypt the data (of course, all cloud service providers give you the option of encrypting data), but what type of encryption is going to be available? Then you are talking about audit trails: for how long are the audit trails or logs going to be retained, for how many devices, which types of devices will be audited, and on which devices can you enable auditing? Then you also need to talk about disaster recovery.

You need to mention the Recovery Point Objective and the Recovery Time Objective. Then comes data compliance: is the cloud service provider adhering to any kind of regulations or compliance? What about problem resolution? If an issue comes up, is there going to be a service desk? Now, a lot of organizations that have products in the market give you support, and they have different types of support packages, like, let's say, silver, gold, and platinum.

In the silver package, for example, you could get a response time of 24 hours; in the gold package, a response time of eight hours; and in the platinum package, a response time of two hours. This could vary depending on what type of product you are using and what kind of services or support packages you have taken from the product company. Similarly, this also applies to the cloud service provider. They also have different levels of support packages that you can take, and there is a certain level of support that is free of cost, which any cloud consumer is entitled to. Then comes change management: what happens when there is an addition or deletion of a service from the cloud service provider's end? Are they going to inform you? Is there going to be a communication channel open with the cloud consumer? Then we have the escalation matrix.

What happens if the cloud service provider is not able to meet the basic expectations? One example I could give you is that you open several tickets with the cloud service provider, and even though they were supposed to resolve these tickets within four hours, it has been three days and the tickets have not been resolved. How do you escalate this matter to the next level? You need to have an escalation chart with names, e-mails, and phone numbers. Then comes the exit strategy. How do you close out the SLA agreement with the cloud service provider? It could be that you are going out of business, or it could be that the cloud service provider is going out of business or shutting down due to unforeseen reasons. It could be anything.

So there has to be an exit strategy mentioned as part of the SLA document. Then we have various ISO clauses for SLA references. You could use these SLA clauses and build your own SLA document. Most of the time, it would be the cloud service provider who provides the predefined SLA document, but sometimes you do not agree with the terms and conditions. You may have to go back to the cloud service provider and ask them to change a particular clause. This typically happens when you are giving them a lot of business; they will go back to their legal team and see the feasibility of changing that clause. In general, the ISO frameworks mentioned on the slide give you a whole bunch of clauses that you can use. We are not going to go through each and every clause, but in totality they tell you the basic concept of an SLA and what its core components are; these are some of the clauses from ISO that you can use as an SLA reference. Just to recap, in this particular video we talked about what an SLA is, the types of SLA, the components of an SLA, and the SLA topics that you should add to an SLA document. We also looked at some key components like audit trail, data compliance, and exit strategy. And finally, we looked at some of the ISO clauses that you can use for SLA reference.
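The uptime guarantee and the month by month measurement discussed in this section, as an added example that is not part of the course: constructed outage records for a hypothetical compute service are split at month boundaries and each month's availability is compared with the SLA target, which is how a consumer would establish that a penalty or suspension clause has been triggered. The outage intervals and targets are assumptions.

```python
"""Measure an SLA uptime guarantee month by month from outage records.

Added example; the outage intervals below are constructed, not real data.
"""
from calendar import monthrange
from dataclasses import dataclass
from datetime import datetime

# Constructed outage intervals (UTC) for a hypothetical service: (start, end).
OUTAGES = [
    (datetime(2023, 1, 10, 3, 0), datetime(2023, 1, 10, 3, 2)),      # 2 minutes
    (datetime(2023, 2, 14, 12, 0), datetime(2023, 2, 14, 12, 10)),   # 10 minutes
    (datetime(2023, 3, 31, 23, 55), datetime(2023, 4, 1, 0, 5)),     # spans two months
]

FIVE_NINES = 0.99999   # the "five nines" target from the SLA discussion
THREE_NINES = 0.999    # a looser target, for comparison


def allowed_downtime_minutes(target: float, days: int) -> float:
    """Downtime budget in minutes for a period of `days` days at availability `target`.

    For five nines over 365 days this is about 5.26 minutes, the figure the
    SLA section rounds to "five minutes a year".
    """
    return (1.0 - target) * days * 24 * 60


def minutes_in_month(year: int, month: int) -> int:
    return monthrange(year, month)[1] * 24 * 60


def downtime_by_month(outages):
    """Sum outage minutes per (year, month), splitting outages that cross a month boundary."""
    totals = {}
    for start, end in outages:
        cursor = start
        while cursor < end:
            # First instant of the month after `cursor`.
            if cursor.month == 12:
                next_month = datetime(cursor.year + 1, 1, 1)
            else:
                next_month = datetime(cursor.year, cursor.month + 1, 1)
            segment_end = min(end, next_month)
            key = (cursor.year, cursor.month)
            totals[key] = totals.get(key, 0.0) + (segment_end - cursor).total_seconds() / 60
            cursor = segment_end
    return totals


@dataclass
class MonthReport:
    year: int
    month: int
    downtime_minutes: float
    availability: float
    breached: bool          # True when the month fell below the SLA target


def evaluate_sla(outages, target: float = FIVE_NINES):
    """One report per month that had an outage, flagging months below `target`."""
    reports = []
    for (year, month), minutes in sorted(downtime_by_month(outages).items()):
        availability = 1.0 - minutes / minutes_in_month(year, month)
        reports.append(MonthReport(year, month, minutes, availability, availability < target))
    return reports


def months_in_breach(outages, target: float = FIVE_NINES):
    """The (year, month) pairs a consumer could cite under a penalty or suspension clause."""
    return [(r.year, r.month) for r in evaluate_sla(outages, target) if r.breached]


if __name__ == "__main__":
    print(f"Five-nines yearly budget: {allowed_downtime_minutes(FIVE_NINES, 365):.2f} min")
    for r in evaluate_sla(OUTAGES):
        print(f"{r.year}-{r.month:02d}: {r.downtime_minutes:.1f} min down, "
              f"{r.availability:.6%} available, breached={r.breached}")
```

Note that a two-minute outage already breaches five nines for a month (the monthly budget is well under one minute), while the same records pass a three-nines target.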


Risk Mitigation

When we talk about risk, it is the potential or the probability of a loss that may occur. For instance, if you have a server running in your data center and you say there is a probability that this server may fail, that is a risk. Remember, risk is not something that has happened in the past or is happening in the present. Risk is something that may happen in the future; there is a probability of it happening in the future. So it is the probability that something unwanted will happen, such as a disk failure or a server crash.
A server failure or a disk crash are risks. A disk that has already crashed is not a risk; that is an incident that has already happened. Risk is something that is likely to happen and give you an unwanted or unfavorable result, such as a service failure or a disk crash. Risk is not always avoidable, no matter what you do. No matter what kind of infrastructure you put up, whether in the on-premise data center or in the cloud, there will always be risks. These risks will differ from infrastructure to infrastructure, architecture to architecture, service to service, and with the types of data you have on-premise and in the cloud.

There will always be some risks that are similar, and some risks that are different in the on-premise data center versus the cloud. But remember, not all risks can be avoided; some you will be able to avoid. That is why you bring out the risk management plan: you see what risks exist, what you can handle and what you cannot, and what your risk appetite is. These are some of the things you will look at going forward. So when you talk about a risk-based methodology, what do you need to do to make it happen? First, you need to decide what you want to protect. You need to list the assets, services, or data that you want to protect. It has to be something important that has value for the organization; something that does not have value for the organization is unlikely to cause a risk.

Therefore, when you talk about the important assets, you need to know what is important and how to protect it. If you are talking about data, you can have different security controls in place, like encryption, or a firewall protecting the incoming traffic. You could also have data loss prevention, or DLP, to ensure that nobody who is not authorized to access your data is trying to access it and share it with somebody you do not want it shared with. So you can have different types of security controls to protect the assets that are important and generate value for the organization. Then you need to know what kind of approach you want to adopt when protecting your assets. Not every situation will allow you to use the same approach. In some cases, you may want to accept the risk. In some cases, you will transfer the risk to a third party, such as insurance: if you have a data center and you insure it, you are transferring the risk of losing the infrastructure to a third party.

In this scenario, if anything happens to the infrastructure, you get paid back by the insurance company. In some cases, you may end up accepting the risk: if the cost of fixing a defect is $100,000 but it can cause harm of only $10,000, you might as well accept the risk. Why would you want to spend $100,000 to fix something that can only cause $10,000 of harm? Then, whatever security controls you implement and whatever method you use, you need to ensure that you are monitoring your assets closely, especially those that generate value for the organization. And one thing I would like to highlight is that your risks will keep evolving from time to time. You cannot have static security controls in place and say, I have covered the organization from all aspects, nothing can happen. That is not going to be true. If your risks start changing, then your controls have to improve and change; you have to realign your controls to mitigate the risk.

Let's now look at what a risk profile is. A risk profile is about the organization's ability to take risks. It is based on quantitative analysis, not qualitative: for each risk that you see, you assign a number and accordingly prioritize your risks. Because you are using quantitative analysis, it is a non-subjective evaluation; there is no subjectivity. Had it been a qualitative analysis, there would have been a lot of subjectivity built into identifying the risks and defining the methods of dealing with them. Because we are assigning a number against each threat or risk, we need to understand what levels of risk the organization can take, and we can narrow down the risks that the organization can take. In risk profiling, you are basically coming to a conclusion about the risks that the organization can be exposed to. So when you are talking about risk profiling, you are dealing with components like risk tolerance, risk capacity, and risk required.
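The accept, transfer or mitigate decision from the paragraphs above, and the "assign a number to each risk" approach of the risk profile, as an added example that is not part of the course: a constructed risk register is scored by annualized expected loss, prioritized, and each risk is given the cheapest treatment that keeps it within an assumed tolerance, reproducing the "$100,000 fix for $10,000 of harm" reasoning. The register values, the tolerance figure, and the treatment names are assumptions.

```python
"""Quantitative risk profiling and treatment decisions.

Added example; every figure in the register below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Risk:
    name: str
    annual_probability: float                       # likelihood of the loss event in a year (0..1)
    impact: float                                   # loss, in currency units, if the event occurs
    mitigation_cost: Optional[float] = None         # yearly cost of a control, if one exists
    mitigated_probability: Optional[float] = None   # likelihood after the control is in place
    insurance_premium: Optional[float] = None       # yearly premium, if the risk is insurable
    insured_fraction: float = 1.0                   # share of the impact the policy pays back

    def expected_loss(self) -> float:
        """The number assigned to the risk: annualized expected loss."""
        return self.annual_probability * self.impact


def treatment_costs(risk: Risk) -> Dict[str, float]:
    """Yearly expected cost of each treatment option available for the risk."""
    options = {"accept": risk.expected_loss()}
    if risk.mitigation_cost is not None and risk.mitigated_probability is not None:
        residual = risk.mitigated_probability * risk.impact
        options["mitigate"] = risk.mitigation_cost + residual
    if risk.insurance_premium is not None:
        retained = risk.expected_loss() * (1.0 - risk.insured_fraction)
        options["transfer"] = risk.insurance_premium + retained
    return options


def decide(risk: Risk, tolerance: float) -> str:
    """Cheapest treatment; accepting is only allowed when the loss is within tolerance."""
    options = treatment_costs(risk)
    if risk.expected_loss() > tolerance:
        options.pop("accept")          # above tolerance: must be mitigated or transferred
    if not options:
        return "escalate"              # no affordable treatment exists; management must decide
    return min(options, key=options.get)


def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest expected loss first, so the ranking is numeric rather than subjective."""
    return sorted(register, key=lambda r: r.expected_loss(), reverse=True)


def treatment_plan(register: List[Risk], tolerance: float) -> Dict[str, str]:
    return {r.name: decide(r, tolerance) for r in prioritize(register)}


# Assumed tolerance: the largest yearly expected loss the organization will simply carry.
TOLERANCE = 50_000.0

# Constructed register (assumed figures).
REGISTER = [
    Risk("Unfixed defect in reporting module", annual_probability=0.5, impact=20_000,
         mitigation_cost=100_000, mitigated_probability=0.0),
    Risk("Data center fire", annual_probability=0.01, impact=4_000_000,
         mitigation_cost=30_000, mitigated_probability=0.002,
         insurance_premium=15_000, insured_fraction=0.9),
    Risk("Ransomware on file servers", annual_probability=0.2, impact=400_000,
         mitigation_cost=35_000, mitigated_probability=0.02),
]

if __name__ == "__main__":
    for risk in prioritize(REGISTER):
        print(f"{risk.name}: expected loss {risk.expected_loss():,.0f} "
              f"-> {decide(risk, TOLERANCE)} {treatment_costs(risk)}")
```

The defect is accepted because the $100,000 control costs more than the $10,000 expected loss, the fire is transferred because insurance is the cheapest option, and ransomware exceeds the tolerance so acceptance is not offered and the control wins.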

So risk profiling would be risk tolerance plus the risk appetite. What is risk appetite? It is the organization's willingness to take a certain amount of risk; what you are talking about is the desired level of risk. This is different from risk tolerance, which is about the risk that the organization is prepared to take: the risk level the organization can tolerate, or the boundaries that can be defined for the risk the organization is willing to take. The risk appetite should always be in sync with the strategic objectives. Your organization's strategic objective is more of a business goal: how to achieve whatever level of business in your organization. If your risk appetite is not aligned with it, there is going to be a major problem, because you will end up taking more risk than you can digest, which means you can dilute your business objective; your risk will have more weight than your strategic objectives.

They have to be in sync with the strategic objective. You may accept the risk, transfer the risk, or mitigate the risk, but whatever you do with the risk has to come from the strategic objective. The risk appetite will also help you understand the level of risk exposure that the organization can have. Obviously, no organization will want to have more risk than it can tolerate or handle, so the risk exposure is pretty critical in this scenario. Once you know the level of risk you can take, aligning it to your business objective can help you make risk-based decisions. If you do not know your risk appetite, then, of course, you cannot make risk-based decisions; those decisions will be more ambiguous because you do not know what risks are involved in the decisions you have made. Therefore, it is critical for you to understand your risk appetite. Let's understand the risk appetite types.

The first one is averse, which is basically avoiding risk; that is the key objective of the organization. Then we come to minimal, which is a preference for accepting low risks. This means you do not want to get involved with higher risk; any risk that has a minimal value, or is itself minimal, you can go ahead with. Then comes cautious, which is basically a preference for safe options. When we talk about cautious, it is about taking or accepting those risks that are of low value or have a low profile; any risk that has low value or is not a big danger for the organization, the organization will cautiously accept. Then we are talking about open. In this case, the organization is willing to consider all potential options and choose the one that helps them in successful delivery.

So basically, here the organization is open; they are willing to do whatever it takes to consider the potential options and handle the risks. Then we are talking about hungry. These are the organizations that tend to be very innovative, and they will go with the options that are high in reward. They are willing to take bigger risks, but obviously that bigger risk, if they are able to handle it, comes with a big reward as well. These organizations tend to be very innovative and will find new methods to handle high profile risks. Let's now look at some of the risk frameworks. The first one is the ISO 31000:2009 edition.

This particular framework is a risk management framework, and it is mainly used by organizations to provide a structured and measurable risk management approach. Then we have ENISA, which has a framework known as Cloud Computing Benefits, Risks and Recommendations for Information Security. This framework can be used as a foundation for risk management. Then we have NIST, which has a framework known as 800-146, which focuses on the risk components and appropriate analysis of these risks. To recap, in this video we looked at what risk is, the different appetites that an organization can have when dealing with risks, and the different frameworks that are available and can be used by organizations to handle risks.


Cloud Certification

According to ENISA, the cloud certification schemes list, or CCL, provides an overview of different existing certification schemes that might be delivering to the cloud computing consumers. Now, CCL has a list of main key components from most of the cloud certifications. Now according to ENISA, the Cloud Certification Schemes Metaframework, which is nothing but an extension to CCL, provides a neutral high level mapping of these certification frameworks across different cloud certifications. It provides the security requirements that map to the security objectives from various cloud certifications. So what we are trying to say is it compiles a lot of security requirements from various cloud certifications. Then it brings more transparency to the cloud certification schemes because what it does is compiles everything.
There is going to be a lot of overlap, because it compiles requirements from different certification frameworks, and that is exactly where the transparency comes from: rather than looking through 20 different certifications, you can look at one metaframework that compiles all of them. The first version of CCSM was built from 29 documents containing network and information security requirements, from which 27 security objectives were derived and mapped to five different cloud certification schemes. Those five certifications' objectives are what is compiled under CCSM. Here is the Cloud Certification Schemes List, or CCSL. You have Certified Cloud Service from TÜV Rheinland, which focuses on data security, data privacy, trustworthiness, and quality of information. Then you have CSA STAR Attestation, OCF level 2, which is a third-party assessment of the cloud service provider.

Then you have CSA STAR Certification, OCF level 2, which is an independent assessment of the security of a cloud service provider. Then we are talking about CSA STAR Self-Assessment, OCF level 1, which documents the security controls provided by the provider's cloud offerings. Using OCF level 1, cloud consumers can assess the security of a cloud service provider, keeping in mind that the provider is assessing itself, so it carries less assurance than a level 2 third-party assessment. After this you have the EuroCloud Star Audit Self-Assessment, also known as the ECSA Self-Assessment. This brings transparency about the cloud service delivery and how it involves subcontractors. It covers legal compliance based on the applicable regulations, data security, data privacy, business operations, and interoperability of those operations. Then there is the EuroCloud Star Audit Certification, the ECSA Audit, which covers all the cloud service models, be it infrastructure as a service, platform as a service, or software as a service, and it can be a selection tool for the user. Then we are talking about ISO 27001 certification. It is a very well-known certification; we have spoken about it earlier. It provides the requirements for an ISMS, an information security management system.

There are a lot of security controls that can be applied under ISO 27001; they are listed in its Annex A. Then you have the Payment Card Industry Data Security Standard, commonly known as PCI DSS. It applies to any organization that stores, processes, or transmits credit or debit card data, online transactions included. Then you have the LEET Security rating guide, which rates the security and resilience of software as a service, platform as a service, and infrastructure as a service offerings. Then you have AICPA SOC 1, which reports on a service organization's controls relevant to its user entities' internal control over financial reporting. Then you have AICPA SOC 2, which is an attestation engagement on controls relevant to the Trust Services Criteria.

Then you have AICPA SOC 3, which is the general-use summary of a SOC 2 report, covering controls related to security, availability, processing integrity, confidentiality, and privacy. Now just to recap, we spoke about the Cloud Certification Schemes Metaframework, known as CCSM, and then we talked about the different certification schemes on the list, which can be used when implementing our infrastructure or to evaluate an infrastructure that is already implemented.


Supply Chain Management

So, Supply Chain Management is all about maintaining your supplies, moving them from one location to another, and keeping an updated inventory of the parts or components involved in building a particular product. This exists in virtually every organization. Whether you talk about a hardware manufacturer, a car manufacturer, or any other organization that builds a particular product, there will be supply chain management. When you talk about supply chain management, you are talking about the movement and storage of material. For instance, you may not be manufacturing anything in house; all the components are coming from external entities. So let's talk about somebody manufacturing a car.
Now the car manufacturer does not make all the components on their own. They have to source a lot of components, be it the tires, the brake shoes, or any other component that is part of the car. So what you do is source the components from different vendors, store them in house, and use them as and when required. You need to store some components in inventory, because if you need to build a complete car you need all the components, and you cannot just order each one at the moment you need it. So tomorrow, when you are manufacturing a car, it should not happen that you have everything but have run out of tires because you never kept track of how many tires would be required.

Otherwise the whole assembly line comes to a halt because there are no tires in the inventory. So you have to keep an updated inventory, and that is what the process of Supply Chain Management helps you achieve. To complete the scenario, let's say you are manufacturing the entire car, and there are 500 cars that you have manufactured in a single day because of the huge assembly line that you have. Now where are these cars going to go? Which dealers are you going to send these cars to? Are they all going to a single dealer in a single city, or to multiple cities and states, and within those, to multiple dealers? You have to track them, because tomorrow, if you need to find out where a particular chassis number went, you should be able to trace that car to the city, the state, and the dealer it was sent to.

So let's now look at the need for supply chain management in the cloud. First you have to understand and visualize why it would be required at all. When you are building something in house, you need to connect with different vendors to get their parts. Even if you manufacture all the parts yourself, you still need to keep the inventory in order; otherwise you will keep building some components over and over even though they are not required in that quantity. Therefore you need to be aware of what you have, what is coming in, and what is going out of your organization, so that you can keep the inventory up to date. So now imagine the components coming in and how things are getting assembled.

Now when you talk about supply chain management, people typically have the perception that it is only needed for on-premise manufacturing units that are developing something and need parts. So let's think of supply chain management in the cloud. What is the need for supply chain management in the cloud? There are certain components that we are going to talk about. The first one is scalability. Businesses are changing and expanding, and your IT systems must also evolve to provide the resources needed to meet those needs. For instance, if you have an in-house solution installed, your vendors may have difficulties connecting to your on-premise data center. When things are in the cloud, all they need is an Internet connection and a device like a desktop or a laptop to connect to your solution, on the basis, of course, that they have been granted access to that particular application.

Then these vendors can immediately update the supply chain management application. For instance, if a vendor has sent out 100,000 components to your manufacturing unit, that person can immediately record that information in the application. Now this becomes scalable. You can expand out to multiple vendors, across multiple cities and multiple nations, without overhauling the entire system. You can try to migrate your existing system into the cloud; there might be some rework required, but at least you will be able to reuse that system. You then have to make the application available to the vendors so that they can provide relevant information on a timely basis, and that can only happen if you have a system that can scale across cities and nations, which is much easier when the system is deployed in a cloud environment.

Now, obviously, when the number of vendors increases, you need to scale up your infrastructure as well, especially if you are expanding the business to the extent that you have vendors across different cities, states, or nations. Then we are talking about business value. With any solution, business value has to come; without business value there is no need for an IT system to back your supply chain management. That business value will only come when you have something that can help you grow your business. You have business objectives that drive your business, and that set of objectives needs to be supported by your IT systems. That is far easier when you have moved your system to the cloud; otherwise everybody is trying to connect to systems that are not scalable.

You cannot scale them up or down quickly. It takes time, because you have to procure physical hardware. In the cloud you can do that within minutes. Then of course there is cost containment. Getting physical hardware involves a lot of money, and that can be avoided by simply putting your system in the cloud and using it there. The resources can be added to your IT environment on demand, and in the cloud environment it is almost instant. There is a cost involved in the cloud also, but it is an operating cost that scales with usage rather than the large up-front cost you pay for physical hardware in an on-premise data center. Then of course there is efficiency.

When you have an on-premise data center with your supply chain management application running in it, there is a limited level of efficiency. That can be extended to a greater level when you move your supply chain management into the cloud, because you are no longer dependent on internal resources alone. It goes back to getting system resources added to your cloud environment: that is a much more efficient method because you are able to scale up within minutes. And it is not only efficiency; you also cut down on cost, and therefore the efficiency of your infrastructure automatically increases. Then we come to accessibility. When you are talking about on-premise data centers and systems, they have limitations.

Your employees must be on site to access that particular information. That specifically happens when you do not allow employees to connect from a remote network because of your security policies. The cloud resolves this problem, because the systems are accessible from anywhere in the world. Then we are talking about onboarding partners. With on-premise data centers, it is difficult to onboard partners: if they provide data in their own format, you have to break that data down and integrate it into your own systems, because you have not allowed them to access your on-premise supply chain management application or tool. It may therefore take months to merge large quantities of data into your internal IT system. Access to this information can be made easily available by onboarding your partners or vendors onto the system hosted in the cloud. Then of course there is flexibility: anybody with access can connect to your supply chain system, and they need not connect through a VPN or anything like that. That does mean the application itself has to carry the access control, so strong authentication (ideally multi-factor) and per-vendor authorization become a must rather than an option.

They can simply connect to the Internet, load your system, and provide their login credentials to get in. So it becomes much more convenient and flexible, and you can monitor who has connected and what is going on with your inventory. And of course, because the system is deployed in the cloud, there is more speed. There is better optimization too: if your cloud service provider or a vendor gives you a predefined solution hosted in the cloud, you are able to optimize cost because you only focus on the tool itself, and that tool need not be bought. What you are doing is taking a subscription from the cloud service provider, which is usually less than the cost of buying the product outright. And when you talk about applications in the cloud environment, you do not have to install them.

You simply get access to those applications, and then you are ready to roll with them. So there is speed. And of course, if you have taken a system from a third party or a cloud service provider, you can also get it optimized and tailored to your specific business requirements. Now when you are talking about supply chain risks, there are going to be some risks involved. The first one is that you should obtain regular updates from the vendors. Any system that is not updated becomes a liability, because it is exposed to security threats as long as the vulnerabilities or issues within the product have not been closed. So, to extend this topic a little further: you have a system in the cloud.

If you do not update it, it is useless, and that applies to the supply chain management system as well; you need your suppliers and vendors to keep the system regularly updated. Then there is the single point of failure if you do not build redundancy into your cloud systems. Even though your application is in the cloud, if it is hosted on a single virtual machine or a single system, it is still a single point of failure. So you need to replicate that virtual machine somewhere else, in another region, to avoid the single point of failure. Then you need appropriate documentation. If there are going to be hundreds or thousands of vendors and users connecting to your system, one method is to keep training these individuals; the second is to give them readily available documentation that they can refer to, read through, and understand.

Basically, this will help them understand what your system does, how it does it, and what they are supposed to do within that system. Then we are talking about supply chain management frameworks. The first one is the CSA CCM, the Cloud Controls Matrix, which is designed to provide fundamental security principles that guide cloud service providers and help cloud customers assess the overall security risk of a cloud provider.

So basically it is more about avoiding risk than dealing with it once it has materialized. Then you have ISO 28000:2007, which is the supply chain security standard: it specifies the requirements for a security management system for the supply chain, so that the security and resilience of supply chain operations can be assessed and measured. Now just to recap, we talked about the basics of supply chain management. We also talked about the need for supply chain management in the cloud. Then we spoke about the supply chain risks. And finally, towards the end, we looked at the supply chain frameworks, which are CSA CCM and ISO 28000:2007.