Clear or Partly Cloudy: What's your Cloud Security Strategy?
Your organization’s risk management process should include a clear cloud security strategy to lower its risk. This strategy should include a plan to identify business needs, verify CSP capabilities, address regulatory requirements, and mitigate residual risk. While not an exhaustive list, leaders should consider the following five factors when evaluating cloud services:
1. Resiliency
Leaders must ensure services are available when they need them. The resiliency required of a cloud service will vary with the workload’s criticality and the business impact of an outage. For example, an e-mail service will likely require high resiliency. By contrast, a service to create surveys may require lower resiliency. Leaders should consider the CSP’s ability to:
- Assure business continuity and disaster recovery
- Physically protect its data center(s)
- Manage changes and secure its infrastructure
- Increase service capacity
- Screen and manage its personnel and supporting vendors
- Store data in a specific location; and
- Meet defined service levels
In all cases, due diligence is required to verify the provider will meet your resiliency requirements, and proper business agreements must codify your expectations.
2. Data Security
Accountability for securing data in the cloud remains with the business leader. While CSPs may provide adequate security controls to protect your data, leaders must ensure those controls are implemented, monitored, and periodically reviewed. For example, CNN reported that the U.S. Department of Defense failed to secure an Amazon Web Services (AWS) storage service and exposed more than 1.8 billion internet posts. Factors to consider before moving a workload to the cloud include your ability to:
- Manage information throughout its life cycle
- Encrypt information and manage encryption keys
- Use secure application and programming interfaces; and
- Segregate and protect information based on classification
3. Governance, Risk, and Compliance
Integrating cloud services within existing governance and risk management processes is essential to control the use of cloud technology. As organizations expand their perimeter, governance must account for the use of cloud services throughout their lifecycle. For example, corporate policies should apply to all information systems “owned or controlled” by the company. Similarly, risk management processes should explicitly address the use of cloud services and require a risk assessment during procurement. Finally, cloud security controls should protect data according to its classification and compliance requirements (e.g., PCI DSS and HIPAA). Overall, leaders should ensure the use of cloud services returns value within the organization’s risk tolerance and compliance framework.
4. Identity and Access Management
At its core, seamless cloud integration and security depends upon effective and timely identity and access management (IAM). Through IAM, organizations may provide access to cloud and local services transparently. Factors to consider include the CSP’s ability to support:
- Single sign-on technology
- Multi-factor authentication
- Role-based access
- Authentication logging
- Separation of duties; and
- User access reviews and auditing.
Leaders should fully consider a CSP’s ability to integrate with the organization’s existing IAM infrastructure. Done well, the use of cloud services may be seamless and secure. By contrast, unmanaged cloud services may present an existential threat to the business.
5. Security Operations
Security incident response and continuous monitoring are essential to maintain a secure cloud deployment. Leaders should consider how they would respond to a data breach and monitor access commensurate to the risk and potential business impact of the service. Factors to consider are the organization’s ability to:
- Maintain contact with the CSP
- Enforce data retention and integrity decisions
- Receive timely and actionable security alerts
- Leverage the CSP’s security team
- Take action to mitigate a threat and recover from an attack
Leaders should also consider the CSP’s ability to support: forensic investigations; E-discovery; security incident management; log retention; and response and recovery operations. Establishing and maintaining an environment that supports security operations upstream will help mitigate risk and optimize response during the inevitable data breach.
A clear cloud security strategy must be an essential element of your risk management program. A risk-informed security strategy will help ensure your cloud decisions do not create unacceptable risk for your business, clients, and customers. Invest the time and effort to secure your cloud deployment to ensure it is resilient and business ready. Although well-intended, uninformed cloud decisions may easily negate the value of your investment and damage your business. In the end, a leader’s effort to secure their cloud workload may determine whether their business horizon is clear or partly cloudy.
Helpful Resources:
Cloud Security Alliance (CSA): The CSA provides security guidance to help organizations understand cloud security concepts and principles. Also, CSA produces a controls matrix that maps to other industry-accepted security standards, regulations, and frameworks. See: https://cloudsecurityalliance.org/guidance/ and https://cloudsecurityalliance.org/group/cloud-controls-matrix/ for more information.
ISO/IEC 27017:2015: Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services. See: https://www.iso.org/standard/43757.html
ISO/IEC 27018:2014: Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors. See https://www.iso.org/standard/61498.html
NIST Special Publication 800-144: Guidelines on Security and Privacy in Public Cloud Computing. See: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-144.pdf
Jeffrey Julig
Jeffrey Julig is Senior Vice President and Chief Information Security Officer (CISO) for SWBC. In this role, he leads a team of security professionals to protect SWBC’s diverse lines of business from internal and external cyber threats. Jeffrey is passionate about information security and privacy and belongs to numerous international, national, and local professional and community organizations. He has a Bachelor of Science degree in Cybersecurity from the University of Maryland University College and earned several of the information security industry’s most respected certifications, including the Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), and Law of Data Security and Investigations (GIAC-GLEG) certifications. Jeffrey attended the Department of Defense Cybercrime Investigations Training Academy (DCITA) and is a certified digital forensics examiner.