Enterprises Should Insist That Cloud Providers Give Visibility Into Their Security Processes and Controls to Ensure Confidentiality, Integrity, and Availability of Data…
In their eagerness to adopt cloud platforms and applications, organizations often neglect to recognize and address the compliance and security risks that come with them. The ease of getting a business into the cloud – a credit card and a few keystrokes – combined with service level agreements provides a false sense of security. However, shortcomings in a cloud provider’s security architecture can trickle down to the customers that leverage its services, in the form of power outages, data loss, unauthorized disclosure, data destruction, copyright infringement, and brand reputation erosion. So what steps should organizations take to retool their security practices for the cloud age?
Over the last few months we reached two major milestones in the young history of cloud computing. On January 1st we celebrated the 30-year anniversary of the Internet, which has irrevocably changed the way we conduct business and collaborate. This was followed by the 15-year mark for Salesforce.com, a company that not only disrupted the software world with new models for technology, business, and philanthropy, but more importantly proved that organizations were willing to place their sensitive information in the cloud.
Because it allows enterprises to deploy IT resources quickly, cloud computing is rapidly replacing conventional in-house infrastructure at companies of all sizes. According to IDC (“IDC Black Book 2013”), by 2020, cloud computing will represent nearly 30% of all IT spending.
However, the push to the cloud is often led by business stakeholders trying to respond more quickly to changing market dynamics by taking IT matters into their own hands. When business units procure cloud-based services without IT’s knowledge, these “rogue applications” or “shadow IT” increase security risk. According to Cisco Consulting Services (“Impact of Cloud on IT Consumption Models”, Cisco 2013), 46% of North American IT leaders are seeing an increase in rogue purchasing by business teams. This number increases to 73% in the Asia-Pacific region. This creates new challenges for IT and security professionals, including but not limited to:
• Unknown security and compliance vulnerabilities;
• Misalignment of systems and internal policies;
• Inconsistent service level agreements; and
• Lack of visibility of security controls.
While cloud providers may have service level agreements in place, security provisions, the physical location of data, and other vital details may not be well defined. This creates a blind spot for organizations, especially those that must comply with contractual agreements, regulatory mandates, and breach notification laws for securing data.
Whether organizations plan to use public or private clouds, better security and compliance are needed. To address this challenge, it is necessary to institute policies and controls that match those used in data center environments. Third-party IT environments need to be as secure as their on-premises counterparts – especially if they can impact business performance and valuation.
Last year’s cyberattacks and associated data breaches of Zendesk and Evernote are prime examples of why companies need to implement a comprehensive risk and compliance plan that encompasses third-party cloud environments. Organizations should insist that cloud providers give them visibility into their security processes and controls to ensure confidentiality, integrity, and availability of data. Practically speaking, this would include the ability to assess security standards, trust security implementations, and prove infrastructure compliance to auditors.
As part of a Cloud Readiness Assessment, organizations should evaluate potential cloud service models and providers. This should include an assessment of certifications (e.g., SSAE 16) as well as security practices (e.g., assessment of threat and vulnerability management capabilities, continuous diagnostics and mitigation, business continuity plan), compliance posture, and ability to generate dynamic and detailed compliance reports that can be used by the provider, auditors, and an organization’s internal resources.
Given that many organizations use a heterogeneous cloud ecosystem that can span infrastructure services, software providers (e.g., cloud management, data, compute, file storage, and virtualization), and platform services (e.g., business intelligence, integration, development and testing, as well as database), it is often challenging to gather the above-mentioned information manually. Thus, automation of the vendor risk assessment might be a viable option.
Following the guidelines developed by the Cloud Security Alliance, a non-profit organization that promotes the use of best practices for security assurance within cloud computing, organizations should perform both an initial Cloud Risk Assessment and continuously monitor cloud operations for new risks.
A portion of the cost savings obtained by moving to the cloud should be earmarked for monitoring cloud service providers’ security controls, and for ongoing detailed assessments and audits to ensure continuous compliance.
If possible, organizations should consider leveraging monitoring services or big data risk management software to:
• Maintain continuous compliance monitoring;
• Segregate and manage virtualization provisioning;
• Automate the implementation of CIS benchmarks and secure configuration management; and
• Monitor new threats via data feeds from zero-day vendors such as Verisign and the National Vulnerability Database (NVD) as well as vulnerability findings from virtualized scanners.
While few cloud service providers currently offer capabilities for risk-based security management and continuous diagnostics for compliance, they may soon be required to do so in order to establish trust and maintain a competitive advantage.