

SWBC's BusinessHub blog is a one-stop resource for business owners and company decision makers.


Clear or Partly Cloudy: What's your Cloud Security Strategy?

You have likely discovered the undeniable benefits of cloud services. Vendors offer scalable, highly available, internet-accessible services to support almost any business need. Most organizations already run, or soon will run, business processes (workloads) both in their own data center and through multiple third-party cloud service providers (CSPs). While the benefits are appealing, leaders must make risk-informed decisions to keep those services secure and business-ready.

Your organization’s risk management process should include a clear cloud security strategy to lower its risk. This strategy should include a plan to identify business needs, verify CSP capabilities, address regulatory requirements, and mitigate residual risk. While not an exhaustive list, leaders should consider the following five factors when evaluating cloud services:

1. Resiliency

Leaders must ensure services are available when they need them. The level of resiliency required of a cloud service will vary with the workload's criticality and the business impact of an outage. For example, an e-mail service will likely require high resiliency, while a service used to create surveys may tolerate lower resiliency. Leaders should consider the CSP's ability to:

  1. Assure business continuity and disaster recovery

  2. Physically protect its data center(s)

  3. Manage changes and secure its infrastructure

  4. Increase service capacity

  5. Screen and manage its personnel and supporting vendors

  6. Store data in a specific location; and

  7. Meet defined service levels

In all cases, due diligence is required to verify the provider will meet your resiliency requirements, and proper business agreements must codify your expectations.

2. Data Security

Accountability for securing data in the cloud remains with the business leader. Under the shared responsibility model, the CSP secures the underlying platform, but configuring and protecting what you store on it is your responsibility. While CSPs may provide adequate security controls to protect your data, leaders must ensure those controls are actually implemented, monitored, and periodically reviewed. For example, CNN reported that the U.S. Department of Defense left an Amazon Web Services (AWS) S3 storage bucket publicly accessible, exposing more than 1.8 billion internet posts. Factors to consider before moving a workload to the cloud include your ability to:

  1. Manage information throughout its life cycle

  2. Encrypt information and manage encryption keys

  3. Use secure application and programming interfaces; and

  4. Segregate and protect information based on classification
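The storage exposure cited above is the classic case of a control the CSP offers but the customer never verified. As an added example (not code from the original post or from AWS), the following script performs that verification offline against the three places an S3 bucket can become public: its bucket policy, its ACL, and the account-level Block Public Access settings. The bucket name, account ID, role name and ACL contents are constructed for the example; the AllUsers/AuthenticatedUsers group URIs and the four Block Public Access setting names are the real ones. In practice the same three documents would be fetched with `GetBucketPolicy`, `GetBucketAcl` and `GetPublicAccessBlock` and fed to `assess_bucket`.

```python
"""Offline check of an S3-style bucket policy, ACL and Block Public Access settings
for public exposure. Added example, not from the post; all inputs are constructed."""
import json

# Constructed: an "open" policy of the kind behind accidental exposures.
# The bucket name and account ID are hypothetical.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-archive", "arn:aws:s3:::example-archive/*"],
    }],
})

# Constructed: the same bucket limited to one role, with a TLS-only Deny.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AnalystRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/analyst"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-archive/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-archive", "arn:aws:s3:::example-archive/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

# Constructed ACL with a world-readable grant (the AllUsers group URI is real).
OPEN_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account: still public
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """Policy documents allow either a string or a list in most fields."""
    return value if isinstance(value, list) else [value]


def _is_anonymous_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (or "*" inside an AWS list)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def find_public_statements(policy_json):
    """Return (Sid, kind, actions) for every Allow statement open to anyone.
    A Condition may narrow the grant in ways we cannot evaluate offline, so those
    are reported as 'conditional' for a human to review rather than as 'public'."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous_principal(stmt.get("Principal")):
            continue
        kind = "conditional" if stmt.get("Condition") else "public"
        findings.append((stmt.get("Sid", "<no Sid>"), kind, _as_list(stmt.get("Action", []))))
    return findings


def find_public_acl_grants(acl):
    """Return (group, permission) for ACL grants to the AllUsers/AuthenticatedUsers groups."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return hits


def public_access_block_complete(pab):
    """True only if all four S3 Block Public Access settings are enabled."""
    return all(pab.get(key) is True for key in PAB_KEYS)


def assess_bucket(policy_json, acl, pab):
    """Combine the three checks: exposed if the policy or ACL is public and
    Block Public Access does not fully override it."""
    statements = find_public_statements(policy_json)
    acl_grants = find_public_acl_grants(acl)
    blocked = public_access_block_complete(pab)
    public = any(kind == "public" for _, kind, _ in statements) or bool(acl_grants)
    return {"public_statements": statements, "public_acl_grants": acl_grants,
            "public_access_block": blocked, "exposed": public and not blocked}


if __name__ == "__main__":
    print(assess_bucket(OPEN_POLICY, OPEN_ACL, {}))
    print(assess_bucket(HARDENED_POLICY, {"Grants": []}, dict.fromkeys(PAB_KEYS, True)))
```

Two design points matter here. First, the Deny statement with `Principal: "*"` in the hardened policy is not a public grant; only Allow statements are evaluated, so the TLS-only Deny does not produce a false positive. Second, an open policy is only reported as not exposed when all four Block Public Access settings are on; a partial configuration is treated as no protection, because it is the partial case that tends to be mistaken for a complete one.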

3. Governance, Risk, and Compliance

Integrating cloud services within existing governance and risk management processes is essential to control the use of cloud technology. As organizations expand their perimeter, governance must account for the use of cloud services throughout their lifecycle. For example, corporate policies should apply to all information systems "owned or controlled" by the company, which includes systems hosted by a CSP. Similarly, risk management processes should explicitly address the use of cloud services and require a risk assessment during procurement. Finally, cloud security controls should protect data according to its classification and compliance requirements (e.g., PCI DSS and HIPAA). Overall, leaders should ensure that the use of cloud services returns value within the organization's risk tolerance and compliance framework.

4. Identity and Access Management

At its core, seamless cloud integration and security depend upon effective and timely identity and access management (IAM). Through IAM, organizations can provide access to cloud and local services transparently, and revoke it just as quickly. Factors to consider include the CSP's ability to support:

  1. Single sign-on technology

  2. Multi-factor authentication

  3. Role-based access

  4. Authentication logging

  5. Separation of duties; and

  6. User access reviews and auditing.

Leaders should fully consider a CSP's ability to integrate with the organization's existing IAM infrastructure. Done well, the use of cloud services can be seamless and secure. Left unmanaged, cloud services become accounts and access paths nobody reviews, and may present an existential threat to the business.
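Several of the IAM factors listed above (multi-factor authentication, role-based access, separation of duties, and periodic user access reviews) only pay off if someone actually runs the review. As an added example (not code from the original post), the script below automates one such review over a constructed user export. The users, role names, the two separation-of-duties conflict pairs, the 90-day staleness threshold and the fixed review date are all hypothetical; a real run would replace `USERS` with a flattened listing pulled from the identity provider or the CSP's IAM API.

```python
"""Automated user access review over a constructed account export. Added example,
not from the post; the users, roles and conflict pairs are all hypothetical."""
from datetime import datetime, timedelta, timezone

# Hypothetical separation-of-duties rules: no one user may hold both roles in a pair.
SOD_CONFLICTS = [
    frozenset({"payments-create", "payments-approve"}),
    frozenset({"iam-admin", "audit-reviewer"}),
]
STALE_AFTER = timedelta(days=90)
# Fixed review date so the findings below are reproducible.
REVIEW_DATE = datetime(2018, 1, 15, 9, 0, tzinfo=timezone.utc)

# Constructed export, in the shape an IdP or CSP user listing might be flattened to.
USERS = [
    {"user": "alice", "status": "active", "mfa": True,
     "roles": ["payments-create"], "last_login": "2018-01-10T09:12:00Z"},
    {"user": "bob", "status": "active", "mfa": True,
     "roles": ["payments-create", "payments-approve"], "last_login": "2018-01-14T16:40:00Z"},
    {"user": "carol", "status": "active", "mfa": False,
     "roles": ["audit-reviewer"], "last_login": "2017-09-01T09:00:00Z"},
    {"user": "svc-backup", "status": "active", "mfa": False,
     "roles": ["storage-read"], "last_login": None},
    {"user": "dave", "status": "terminated", "mfa": True,
     "roles": ["iam-admin"], "last_login": "2018-01-13T08:05:00Z"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the export; None stays None."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_user(record, now=REVIEW_DATE):
    """Return an ordered list of finding codes for one user (empty list = clean)."""
    findings = []
    roles = set(record.get("roles", []))
    if record.get("status") != "active" and roles:
        findings.append("terminated-user-still-provisioned")  # leaver process failed
    if not record.get("mfa"):
        findings.append("mfa-not-enforced")
    last = parse_ts(record.get("last_login"))
    if last is None:
        findings.append("no-login-recorded")
    elif now - last > STALE_AFTER:
        findings.append("stale:%dd" % (now - last).days)
    for pair in SOD_CONFLICTS:
        if pair <= roles:  # user holds every role in a conflicting pair
            findings.append("sod-conflict:" + "+".join(sorted(pair)))
    return findings


def run_access_review(users, now=REVIEW_DATE):
    """Map each user that has at least one finding to its list of findings."""
    report = {}
    for record in users:
        findings = review_user(record, now)
        if findings:
            report[record["user"]] = findings
    return report


if __name__ == "__main__":
    for user, findings in run_access_review(USERS).items():
        print(user, ", ".join(findings))
```

The review deliberately treats a service account without MFA and without any recorded login as two separate findings rather than excusing it as "just automation": both deserve an owner's sign-off. Separation of duties is checked as a subset test against each conflict pair, so adding a new rule is a one-line change to `SOD_CONFLICTS` rather than new code.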

5. Security Operations

Security incident response and continuous monitoring are essential to maintaining a secure cloud deployment. Leaders should consider how they would respond to a data breach, and should monitor access at a level commensurate with the risk and potential business impact of the service. Factors to consider are the organization's ability to:

  1. Maintain contact with the CSP

  2. Enforce data retention and integrity decisions

  3. Receive timely and actionable security alerts

  4. Leverage the CSP’s security team

  5. Take action to mitigate a threat and recover from an attack

Leaders should also consider the CSP’s ability to support: forensic investigations; E-discovery; security incident management; log retention; and response and recovery operations. Establishing and maintaining an environment that supports security operations upstream will help mitigate risk and optimize response during the inevitable data breach.

A clear cloud security strategy must be an essential element of your risk management program. A risk-informed security strategy will help ensure your cloud decisions do not create unacceptable risk for your business, clients, and customers. Invest the time and effort to secure your cloud deployment so that it is resilient and business ready. Although well-intended, uninformed cloud decisions can easily negate the value of your investment and damage your business. In the end, a leader's effort to secure their cloud workload may determine whether their business horizon is clear or partly cloudy.


Helpful Resources:

Cloud Security Alliance (CSA): The CSA provides security guidance to help organizations understand cloud security concepts and principles. Also, CSA produces a controls matrix that maps to other industry-accepted security standards, regulations, and frameworks. See: https://cloudsecurityalliance.org/guidance/ and https://cloudsecurityalliance.org/group/cloud-controls-matrix/ for more information.

ISO/IEC 27017:2015: Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services. See: https://www.iso.org/standard/43757.html

ISO/IEC 27018:2014: Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors. See https://www.iso.org/standard/61498.html

NIST Special Publication 800-144: Guidelines on Security and Privacy in Public Cloud Computing. See: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-144.pdf

