Accreditation models for cloud adoption
Security during the cloud adoption process is one of the key concerns for organizations (in both the public and private sectors) that decide to move their business to the cloud. To address the doubts that may arise during decision-making, AWS has prepared a dedicated whitepaper on accreditation models, Accreditation Models for Secure Cloud Adoption. It provides a set of accreditation best practices that take into account the security of commercial data processing in the cloud.
Evaluating cloud service offerings can be a considerable challenge, especially for public institutions, and it is shaped by the organizational model of the administrative unit concerned.
The organizational model is the institutional or bureaucratic structure that supports and implements accreditation programs. This, in turn, is tied to certificates and attestations widely used around the world, such as ISO, SOC 3 or PCI, which by definition are made up of 80% security requirements.
The AWS whitepaper describes three models; the key question in each is who determines and approves the risk profile during cloud adoption. The models are adapted to international requirements.
Decentralized model
This model is based on the British approach, which allows each public sector department or agency to act individually and gives it flexibility in assessing and adjusting the risk model to its activities or organizational requirements. Because selected goals can be prioritized, responsibility for the risk can be delegated to a given accredited entity. Such flexibility allows faster adoption of new solutions, but it may involve higher costs and requires qualified teams responsible for authorizing decisions on the selection of a cloud service provider.
Centralized model
This model is used by Singapore and Germany. It standardizes the security accreditation processes across the entire administrative unit. Decisions are made at the unit's headquarters, according to a fixed set of criteria aimed at ensuring the highest possible level of security for the whole organization. Such a decision-making process can be quite time-consuming, but in the long run, once cloud services are approved, they can be used by all departments within the unit. A related model involves the headquarters of the government unit publishing and maintaining the standards, with the cloud provider certifying that it holds the required accreditation; no formal evaluation or government approval is required.
Hybrid model
It combines the attributes of the two models described above. FedRAMP (the US Federal Risk and Authorization Management Program) is a hybrid that includes two paths: the decentralized agency authorization path and the centralized Joint Authorization Board (JAB) path. In the hybrid model, the resources required to reach consensus among multiple decision-makers also add to the burden. This is tied to guidelines prepared by state authorities and to decisions concerning risk assessment.
Ultimately, the cloud adoption process depends on many factors specific to each situation. It is therefore worth becoming acquainted with the best practices that will help you apply the right model; they are described in detail in Accreditation Models for Secure Cloud Adoption.
In the context of the Polish IT market and the criterion of secure cloud adoption, it is worth mentioning the Cloud Computing Cybersecurity Standards (SCCO). It is a document developed as part of the Narodowe Standardy Cyberbezpieczeństwa collection, referred to in the Polish National Cyber Security Strategy for 2019-2024. It aims to:
- increase the level of security of data processing and the provision of electronic services in government administration;
- permanently reduce the fixed costs of data processing;
- increase the efficiency of spending in projects containing elements of IT infrastructure;
- shorten the implementation time of new IT projects by providing the required IT infrastructure faster;
- limit the repeated collection of the same data in IT environments and remove technological barriers in the case of public registers;
- popularize the cloud computing model as the main method of implementing the state's ICT systems (including a change in software development technology).
Source: https://chmura.gov.pl/informacje/scco/
SCCO is applied within the System Zapewniania Usług Chmurowych (ZUCH), which also covers the services provided by the LCloud team. Choosing a service provider matters for service quality, for support in the migration process and for building a secure and scalable infrastructure from scratch. Choosing the right partner, one that implements cloud services and has experience in designing migration solutions, is key to a successful and trouble-free transfer of existing infrastructure (or creation of new infrastructure) in the cloud. In addition, the cloud service provider ensures the transparency of the implemented solution and its compliance with current legal requirements, which in turn unifies security standards across the organization.
Overall, exploring the options for selecting an accreditation model and understanding how each can facilitate a successful cloud computing deployment enables organizations to make the choice that is best for them.
If you don’t know which model to choose, we’ll help you with the process. We encourage you to contact us by e-mail at kontakt@lcloud.pl or via the contact form in the footer of the page.