
    Fraud & Cyber Security | 4 min read

    Clear or Partly Cloudy: What's your Cloud Security Strategy?

    You have likely discovered the undeniable benefits of cloud services. Vendors offer scalable and highly available internet-accessible services to support almost all business needs. Most organizations have or will soon support business processes (workloads) from their own data center and through multiple third party cloud service providers (CSP). While the benefits may be appealing, leaders must make risk-informed decisions to maintain secure, business-ready services.


    Your organization’s risk management process should include a clear cloud security strategy to lower its risk. This strategy should include a plan to identify business needs, verify CSP capabilities, address regulatory requirements, and mitigate residual risk. While not an exhaustive list, leaders should consider the following five factors when evaluating cloud services:

    1. Resiliency

    Leaders must ensure services are available when they need them. The resiliency of the cloud services will vary based on the workload’s criticality and business impact during an outage. For example, an e-mail service will likely require high resiliency. By contrast, a service to create surveys may require lower resiliency. Leaders should consider the CSP’s ability to:

    1. Assure business continuity and disaster recovery

    2. Physically protect its data center(s)

    3. Manage changes and secure its infrastructure

    4. Increase service capacity

    5. Screen and manage its personnel and supporting vendors

    6. Store data in a specific location; and

    7. Meet defined service levels

    In all cases, due diligence is required to verify the provider will meet your resiliency requirements, and proper business agreements must codify your expectations.

    2. Data Security

    Accountability for securing data in the cloud remains with the business leader. While CSPs may provide adequate security controls to protect your data, leaders must ensure those controls are implemented, monitored, and periodically reviewed. For example, CNN reported the U.S. Department of Defense failed to secure an Amazon Web Services (AWS) storage service and exposed more than 1.8 billion internet posts. Factors to consider before moving a workload to the cloud include your ability to:

    1. Manage information throughout its life cycle

    2. Encrypt information and manage encryption keys

    3. Use secure application programming interfaces (APIs); and

    4. Segregate and protect information based on classification
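Verifying that a control is actually in place, rather than assuming the CSP's defaults are safe, is the point of the data security factors above, and the storage exposure cited is the classic case of a policy that grants access to everyone. The following Python script is an added example, not code from the article or from SWBC: it parses a constructed S3-style bucket policy document (the bucket name, account id and statement ids are made up) and the bucket's public-access-block settings, and reports whether anonymous callers can reach the data. The four settings keys mirror the real AWS PublicAccessBlockConfiguration field names; everything else is an assumption for illustration.

```python
"""Offline check: does a storage bucket policy grant access to everyone?

Added example. Reads an S3-style bucket policy (AWS IAM policy document
format) plus the bucket's public-access-block settings and classifies the
bucket as public, blocked or private. No cloud API calls are made; the
inputs are constructed JSON documents.
"""
import json

# Constructed bucket policy: one statement open to the world, one scoped to an
# account role. Bucket name, account id and Sids are made up.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAnyoneToRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-archive",
                         "arn:aws:s3:::example-archive/*"],
        },
        {
            "Sid": "OwnerFullAccess",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/archive-admin"},
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-archive/*",
        },
    ],
})

# Constructed policy with no statements at all, i.e. nothing granted.
EMPTY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": []})

# Constructed settings; the keys are the real PublicAccessBlockConfiguration
# field names. RestrictPublicBuckets is the one that overrides an already
# public bucket policy, so it is the setting the assessment consults.
LAX_SETTINGS = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
STRICT_SETTINGS = {key: True for key in LAX_SETTINGS}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal):
    """True when a statement grants to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(members) for members in principal.values())
    return False


def find_public_grants(policy_json):
    """List every Allow statement whose principal is anonymous.

    Each finding records the Sid, the granted actions and whether the
    statement carries a Condition block (a conditioned grant still needs
    human review, so it is reported rather than silently skipped).
    """
    findings = []
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_anonymous_principal(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action", [])),
            "conditional": "Condition" in stmt,
        })
    return findings


def assess_bucket(policy_json, public_access_block):
    """Classify a bucket as "private", "blocked" or "public".

    "private": the policy grants nothing to anonymous principals.
    "blocked": it does, but RestrictPublicBuckets overrides the grant.
    "public":  it does, and nothing stops anonymous access.
    """
    if not find_public_grants(policy_json):
        return "private"
    if public_access_block.get("RestrictPublicBuckets"):
        return "blocked"
    return "public"


if __name__ == "__main__":
    for label, settings in (("lax", LAX_SETTINGS), ("strict", STRICT_SETTINGS)):
        verdict = assess_bucket(PUBLIC_READ_POLICY, settings)
        print(f"{label} settings: bucket is {verdict}")
    for grant in find_public_grants(PUBLIC_READ_POLICY):
        print(f"  public grant {grant['sid']}: {', '.join(grant['actions'])}")
```

Run as a periodic check against exported policies and settings, the script turns "ensure controls are implemented and monitored" into a concrete, repeatable test: the same policy document is reported as public under lax settings and blocked under strict ones, which is exactly the difference that separates a quiet archive from a headline.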

    3. Governance, Risk, and Compliance

    Integrating cloud services within existing governance and risk management processes is essential to control the use of cloud technology. As organizations expand their perimeter, governance must account for the use of cloud services throughout their lifecycle. For example, corporate policies should apply to all information systems “owned or controlled” by the company. Similarly, risk management processes should explicitly address the use of cloud services and require a risk assessment during procurement. Finally, cloud security controls should protect data according to its classification and compliance requirements (e.g., PCI DSS and HIPAA). Overall, leaders should ensure the use of cloud services returns value within the organization’s risk tolerance and compliance framework.

    4. Identity and Access Management

    At its core, seamless cloud integration and security depends upon effective and timely identity and access management (IAM). Through IAM, organizations may provide access to cloud and local services transparently. Factors to consider include the CSP’s ability to support:

    1. Single sign-on technology

    2. Multi-factor authentication

    3. Role-based access

    4. Authentication logging

    5. Separation of duties; and

    6. User access reviews and auditing.

    Leaders should fully consider a CSP’s ability to integrate with the organization’s existing IAM infrastructure. Done well, the use of cloud services may be seamless and secure. Alternatively, unmanaged cloud services may present an existential threat to the business.

    5. Security Operations

    Security incident response and continuous monitoring are essential to maintain a secure cloud deployment. Leaders should consider how they would respond to a data breach and monitor access commensurate with the risk and potential business impact of the service. Factors to consider are the organization’s ability to:

    1. Maintain contact with the CSP

    2. Enforce data retention and integrity decisions

    3. Receive timely and actionable security alerts

    4. Leverage the CSP’s security team

    5. Take action to mitigate a threat and recover from an attack

    Leaders should also consider the CSP’s ability to support forensic investigations, e-discovery, security incident management, log retention, and response and recovery operations. Establishing and maintaining an environment that supports security operations upstream will help mitigate risk and optimize response during the inevitable data breach.

    A clear cloud security strategy must be an essential element of your risk management program. A risk-informed security strategy will help ensure your cloud decisions do not create unacceptable risk for your business, clients, and customers. Invest the time and effort to secure your cloud deployment to ensure it is resilient and business ready. Although well-intended, uninformed cloud decisions may easily negate the value of your investment and damage your business. In the end, a leader’s effort to secure their cloud workload may determine whether their business horizon is clear or partly cloudy.

    Helpful Resources:

    Cloud Security Alliance (CSA): The CSA provides security guidance to help organizations understand cloud security concepts and principles. Also, CSA produces a controls matrix that maps to other industry-accepted security standards, regulations, and frameworks. See: https://cloudsecurityalliance.org/guidance/ and https://cloudsecurityalliance.org/group/cloud-controls-matrix/ for more information.

    ISO/IEC 27017:2015: Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services. See: https://www.iso.org/standard/43757.html

    ISO/IEC 27018:2014: Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors. See https://www.iso.org/standard/61498.html

    NIST Special Publication 800-144: Guidelines on Security and Privacy in Public Cloud Computing. See: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-144.pdf


    Jeffrey Julig

    Jeffrey Julig is Vice President and Chief Information Security Officer (CISO) for SWBC. In this role, he leads a team of security professionals to protect SWBC’s diverse lines of business from internal and external cyber threats. Jeffrey is passionate about information security and privacy and belongs to numerous international, national, and local professional and community organizations. He has a Bachelor of Science degree in Cybersecurity from the University of Maryland University College and earned several of the information security industry’s most respected certifications, including the Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), and Law of Data Security and Investigations (GIAC-GLEG) certifications. Jeffrey attended the Department of Defense Cybercrime Investigations Training Academy (DCITA) and is a certified digital forensics examiner.
