The cloud security debate continues today in every industry, and for every platform. Organizations and governments have created standards to help organizations minimize the risks associated with cloud computing, but doubt remains in the minds of some. As computing and networking requirements continue to grow, expertise in securing these environments is not keeping pace. Cloud providers with vigorous compliance efforts and talent are proving to be some of the safest places to store data and run operations. But who are the cloud providers with vigorous compliance efforts and talent? Efforts toward managing risks, threats, and regulatory requirements have shifted from being focused on monitoring internal networks to managing cloud providers.

Article Index:

Evaluating Cloud Providers and Services for Risk

Many businesses have found that outsourcing infrastructure, data storage, and applications hosting to the cloud enables significant resource savings and strengthens security. This is especially true for small to midsize businesses that lack IT expertise. But outsourcing cloud computing or data storage to a cloud provider doesn’t mean you should sit back and relax. You still have to govern those assets, identify and manage risks, and comply with all relevant industry and government standards. The organization that owns the data is ultimately responsible for it, even if outsourcing to a cloud provider means the data is not under your direct control.

There are several essential risk elements to consider when evaluating cloud providers:

  • Determine what processes can be outsourced, and what should remain under your direct internal control.
  • Identify what data the cloud provider is holding and understand the risks associated with that data. Is it proprietary or sensitive information? Does it fall under the auspices of PHI or PII regulations? What is the impact on your company if something negative happens to the data, service, or infrastructure?
  • Understand your internal risks and controls so you can ensure your security controls are being adopted and mapped to the cloud provider’s processes. If the provider isn’t handling your data according to your policies and standards, it is introducing risk to your organization. Obviously, if the provider’s security and compliance measures do not match your requirements, you may need a different provider.

 

Assessment and Controls Frameworks 

It’s imperative to understand how outsourcing IT functions to a cloud provider supports and impacts the business, both operationally and strategically. If the provider cannot communicate transparently about security measures, performance metrics and risk controls, then your organization’s assets, service availability, and business objectives could be compromised or hampered.

To ensure success and security in cloud-based operations, organizations need to employ a comprehensive governance, risk management, and compliance (GRC) approach, just as they would with internal operations. Organizations like the Information Systems Audit and Control Association (ISACA) and the Cloud Security Alliance (CSA) have been working for years to develop controls frameworks to guide cloud providers and help cloud customers assess those providers. In particular, the CSA’s Cloud Controls Matrix lays out a structure and detailed guidance for tailoring information security to the cloud environment.

 

A GRC Approach to Managing Risks Posed by the Cloud 

As CSA researchers1 point out, “Whether implementing private, public, or hybrid clouds, the shift to compute as a service presents new challenges across the spectrum of GRC requirements.” At RSA 2016, CSA identified the top security threats to the cloud as “The Treacherous Twelve.”2 Just skimming the subtitles is enough to make any IT decision-maker or compliance officer realize the importance of managing the special aspects of risk and compliance when it comes to cloud computing:

  • Data breaches
  • Weak identity, credential, and access management
  • Insecure APIs
  • System and application vulnerabilities
  • Account hijacking
  • Malicious insiders
  • Advanced persistent threats (APTs)
  • Data loss
  • Insufficient due diligence
  • Abuse and nefarious use of cloud services
  • Denial of service
  • Shared technology issues

The complexity of managing and monitoring all these vulnerabilities is apparent: traditional approaches that use spreadsheets and email to document and ensure compliance are inadequate. Comprehensive GRC solutions are able to map risks to controls, monitor controls, rely on continuously updated libraries of regulations and standards to assess gaps in compliance, automate workflow, manage assessments, track cloud providers, and store all relevant documentation in a central repository to support collaboration and organization-wide visibility.

GRC solutions can also provide lower level metrics, including: unpatched software or patching cadence, unencrypted files, misconfigured systems, pentest results (web app scans), and endpoints without recent scans. They may also include reputation, cash flow, and other measurements of viability. When any of these metrics reach unacceptable levels (such as software unpatched for three weeks on open high severity web apps or misconfigured critical systems), GRC analytics and workflow can provide alerts and help manage incidents.

Organizations outsourcing any IT operations or data storage to cloud providers can use comprehensive GRC solutions to consume high volumes of provider performance metrics. GRC platforms with advanced analytics capabilities can automatically convert cryptic IT metrics into digestible operational metrics. These metrics can then be tied to operational risks and communicated to stakeholders and executives across the organization to create a more comprehensive picture of cloud risk.

 

Building Confidence in the Cloud

The initial hesitance to rush into cloud adoption was likely related to the inherent loss of control over security protocols. To combat this hesitance, responsible cloud providers have sought difficult to obtain security certifications such as ISO 27001. Cloud technology and vendors that provide cloud infrastructure and services have, for the most part, proven to be secure and reliable. Yet the fact remains that cloud service providers and their customers operate on shared infrastructure, so they share vulnerabilities as well.

Each organization must focus on protecting its own data, intellectual property, customers, employees, partners, and services. Organizations managing these efforts through holistic, integrated GRC programs are proving their programs are more efficient, effective, and responsive to changing strategies, changing business operations, changes with cloud providers, and changes in the regulatory and compliance requirements. Completing extensive due diligence when selecting providers, monitoring the cloud provider’s security measures, cultivating a transparent and collaborative relationship with account managers, and aligning performance metrics to business imperatives will help ensure a successful and secure cloud deployment.


References

  1. https://cloudsecurityalliance.org/research/grc-stack/
  2. https://cloudsecurityalliance.org/media/news/cloud-security-alliance-releases-the-treacherous-twelve-cloud-computing-top-threats-in-2016/

 

This article was originally posted “A Comprehensive Approach To Data Security In The Cloud” from Cloud Strategy Magazine.