Should You Monitor Your Cloud Assets Internally or Outsource the Job?

This blog was originally published by Weaver here.

Written by David Friedenberg, Senior Manager, IT Advisory Services, Weaver.

Most organizations and industries now use cloud service providers, or CSPs, to host systems and services. This may take the form of laaS, PaaS, or Saas (see box), depending on the needs of the business. As part of their service agreements, CSPs are typically required to submit third-party assurance reports such as International Organization for Standardization (ISO), Payment Card Industry (PCI), or Service Organization Control (SOC) to demonstrate compliance with specific regulations and their adherence to contractual obligations.

For greater transparency into their cloud-based systems, most organizations also employ one or both of two methods for monitoring CSPs: cloud monitoring tools or managed services.

Cloud monitoring tools are similar to other IT tools in that they are configured for a system and typically monitor through an installed agent or via an API collecting data from the target system. The tools collect data about specific metrics, such as uptime, health, resource allocation, resource usage, and active/idle connections, and may generate alerts based on thresholds or events. The alerts may be sent to a system dashboard, or other form of external communication, such as email or text message.

With managed services arrangements, third parties use a suite of tools to simplify the monitoring process for system owners and help prioritize responses. Monitoring services ingest monitoring data, filter through that data, and alert the system owner when action is required, and at agreed-upon intervals to facilitate oversight. Several factors should be taken into account in deciding whether to use internal monitoring tools or to outsource these services. Consider the following questions and risks:

• What are the business/operational requirements for maintaining visibility?
• Are there regulatory requirements that may be affected or relevant?
• Would other contractual obligations be impacted by sharing monitoring data with third parties?
• How would access be granted, and data transmitted, to the in-house tool or monitoring service? Is this method easily secured and encrypted within acceptable levels?
• Do we have systems or service providers already in place that can monitor cloud assets?
• Do we have in-house employees with the skills to monitor these systems? If so, do they have capacity to monitor additional systems?
• How does total cost of ownership for implementing a monitoring tool(s) in-house compare to hiring an outsourced monitoring service? (At a minimum, the analysis of tools cost should include costs of software, hardware, training, and salary for any additional personnel required. Analysis of outsourced monitoring services should incorporate one-time implementation costs, base subscription fees, incidental fees and any known recurring costs.)

This is not an exhaustive list, and organizations will need to address other questions based on their unique characteristics.

Read more about implementing outsourced cloud monitoring in our next blog.

About the Author

David Friedenberg, CISA, CRISC, CISSP, PCIP, QSA, has more than 13 years of experience in information technology, IT risk advisory services and internal audit across a broad range of environments. He has consulted with a wide range of clients, including Fortune 100 companies and government agencies, and has performed and led over 100 substantial audits across multiple industries and platforms. His focus includes Payment Card industry (PCI) consulting and assessments, ERP system implementation evaluations, and Sarbanes-Oxley (SOX) compliance. He also performs IT risk assessments, IT audits, SSAE18/service organization controls (SOC) reporting, to help companies meet security and compliance needs.

Holding multiple certifications — CISA, CRISC, CISSP, PCIP and QSA — David is an active member of ISACA, ISC2 and the Cloud Security Alliance. He graduated with a Bachelor of Science in information system security from Westwood College.