If you want my business, you better make it fast
Self-service: 7x24 add, remove, change resources, workloads, and
connectivity
Elastic: scale up or down automatically within the limits I set
Available: stand up to hurricanes, DDoS, and replication storms.
Your mistakes should never be my problem.
If you want my data, you better make it secure
Auditing: network and management
Network – I need to audit and/or inspect all the traffic between my
systems. This includes but is not limited to traffic between users, systems,
and applications even where they share the same physical host and virtual
switch.
Management – I need to see all management events that may impact
the security or configuration of my systems. This includes but is not limited
to privileged access to my systems or data through the hypervisor or cloud
management APIs.
Control: policy and assurance
Policy – I need to express and apply security policies via a method
that is both human understandable and translatable into a machine-interpreted
language.
Assurance – I need to know when an event or incident occurs that
violates a policy and I need a method for testing that controls exist and are
effective for enforcing my policies.
Metrics: continuous and interoperable
Continuous – Per our agreed standards of measurement, I must be able
to quantify the security attributes of my system. This may include but is not
limited to measurements for: vulnerability, configuration, performance,
incident detection, incident response, and incident containment.
Interoperable – All security-relevant data and events must be
available in a documented machine-readable format. It should comply either with
standards such as Cyberscope and SCAP or with my preferred GR&C system.
If you want my money, you better not ask for much
Value – Not just cheaper than if I do it myself. Your services
should give my organization new capabilities to meet our objectives. These
capabilities could include user experience, logistic support, and accessibility
…
No lock-in – I should be able to easily move my data and workloads back
inside my enterprise or to one of your competitors.