Cloud Audit Critical

Experts say that Manoj Sahani should have the right to audit the cloud infrastructure of the service provider

Expert Panel

Parag Deodhar, Chief Risk Officer, CISO & VP-Process Excellence, Bharti Axa General Insurance Co. Ltd

Dr Harsha, Head IT-Consultant, HK IT Group

Yagnesh Parikh, Senior VP-Head IT (Trading), ICICI Securities Ltd

THE SITUATION...

How will Manoj Sahani ensure data security on the Cloud in his organisation?

Every CIO or IT head is in a dilemma, thanks to the all-pervasive Cloud. Manoj Sahani, Senior IT Manager of a large manufacturing firm, is no exception. However, Sahani's company's top management has already given him the green signal to go ahead with the Cloud model, and with the migration of applications related to CRM, ERP, mailing solutions, the communication server, document collaboration and design applications, besides the data itself, to the Cloud. Against this backdrop, Sahani's biggest challenge is to choose the right service provider, evaluate the provider's expertise in cloud deployment, analyse the redundancy plan, and work out a cost-benefit analysis as part of the uninterrupted service agreement.

Everything finally boils down to security with regard to the Cloud. Sahani's task is to work out the exact Cloud configuration required for his applications and to make sure that performance and the end-user experience are not compromised. Above all, the grave concern is to safeguard the organisation's data, in terms of devising the best guidelines and security certificates. Besides finding ways of converting applications based on local IT infrastructure into Cloud-based ones, as well as sizing the bandwidth for each application, he must justify the ROI of the Cloud-based service compared with local IT infrastructure. He may also be expected to make use of servers already invested in, through the co-location concept. Will all the service providers support co-located servers? Will he get logs on demand, or automatic log uploads to super administration? Will his super administrators get round-the-clock data centre access if emergency reviews are required? How can he convince his management and end users that the application data is secure and that the user experience will not change at any cost? He must also devise strategies to understand the default and the more secure IT security policies. A further concern is to ensure that the cloud service provider gives clients periodic security and performance upgrades and updates.

Amid such ambiguities, Sahani's primary focus is security and evolving an effective security framework in a Cloud model.

He seeks suggestions from the expert panel to address his concerns.

The Big Questions

a) What kind of security tools or frameworks must Sahani evaluate or deploy to make his data secure on the Cloud?

b) What are the security best practices in a Cloud framework for his enterprise that his service provider needs to work on?

Parag Deodhar, Chief Risk Officer, CISO & VP-Process Excellence, Bharti Axa General Insurance Co. Ltd

About me:

A Chartered Accountant, Certified Information Systems Auditor from ISACA, US and Certified Fraud Examiner from ACFE, US and board member on the Bangalore Chapter of ACFE, with over 15 years of experience in Enterprise Risk Management, Information Security and Forensics, Audit, Consulting and Program Management.

Have the Right to Audit

First Answer

Sahani's primary task is to evaluate the private Cloud, public Cloud and co-location scenarios and check for security certifications (ISO27000, 22301, etc.). He should also do a due diligence / audit on the service provider to ensure the level of security provided. He must ensure he has an NDA and legal agreement in place with the provider, including the right to audit. SLAs should also be put in place as required. The service provider must implement the following frameworks/tools:

  • Data Privacy Frameworks--ISO27001, PCI-DSS, HIPAA, etc.
  • Availability--ISO22301, high availability & DR
  • Confidentiality--IDAM, strong authentication, DLP suite
  • Event and Log Monitoring--SIEM
  • Malware Controls--AV, IDS/IPS, WAF, etc.

Second Answer

As part of the Cloud initiative, and even before leaping on to the Cloud, Sahani needs to know a few security best practices in the Cloud framework and those that his service provider needs to work on.

Sahani can strictly follow an information risk management framework and must undertake these tasks:

a) Do a data classification and analyse what data will be stored in the Cloud. Depending on the sensitivity of the data, the service provider should provide adequate security levels and certifications (for example, if credit card data is to be stored, PCI-DSS certification would be required).

b) It is important to understand whether the regulations allow data storage on the Cloud, especially when the service provider may be hosting the infrastructure outside the country.

c) Strong authentication tools need to be implemented--ideally, dual factor.

d) How access controls will be managed--will users be able to access data from outside the office network? If yes, what are the Data Leakage Prevention measures?

e) Data Storage--segregated from other tenants, encrypted.

f) Data Availability--what are the requirements and how will they be managed; SLAs for incident resolution, etc.; Disaster Recovery capabilities.

g) Ensure that the process for granting / revoking and reconciling user IDs and access rights is followed diligently.

h) Conduct regular audits on the service provider.

Dr Harsha, Head IT-Consultant, HK IT Group

About me:

A Ph.D. in Information Security, I spearhead the entire IT operations of the group across the globe and address end-to-end solutions.

Understand Access Control

First Answer

The prerequisite is to have security encryption in place to safeguard data. Most often, enterprises outsource cloud computing activities, so Sahani needs to have a service provider. Before that, he should check their security application and its features. He must do a complete analysis of the service provider's access and privileges to the company's data and applications; this should be made transparent to the management. A periodic external audit must check what security tools are being provided. It is important to check the ports opened and their availability for web access, and to ensure that any other open ports are blocked.

To ensure greater security, end-user access should be provided over SSL VPN, and print screen and copying files to the local system should be avoided; failed logins should be restricted to 3 attempts, beyond which the account should get locked.

As in a data centre, on a cloud too, strict group policies should be implemented for accessing resources like changing the time, changing IPs, accessing system files, etc.

Notification to super administration should be enabled if there are suspicious activities or access, while DLP policies can be implemented to monitor logs and restrict content on the Cloud.
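As an added example (not code from the panel or the page) of the lockout and notification rule described above: it replays constructed login log lines, locks an account after three consecutive failures, and flags any further attempt on a locked account for the super administrator. The log line format and field names are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

MAX_FAILURES = 3  # lock after the third consecutive failed login, per the rule above

# Assumed log format (constructed for this example, not a real product's format)
LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) result=(?P<result>success|fail) src=(?P<src>\S+)$"
)

@dataclass
class AccountState:
    failures: int = 0   # consecutive failures since the last success
    locked: bool = False

def parse_line(line):
    """Parse one log line into a dict; reject anything in an unexpected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return m.groupdict()

def process_log(lines, max_failures=MAX_FAILURES):
    """Replay log lines in order; return (per-account state, alerts for the super admin)."""
    states = defaultdict(AccountState)
    alerts = []
    for line in lines:
        ev = parse_line(line)
        st = states[ev["user"]]
        if st.locked:
            # Any attempt on a locked account is suspicious: alert, do not reset anything
            alerts.append(f"{ev['ts']} attempt on locked account {ev['user']} from {ev['src']}")
            continue
        if ev["result"] == "success":
            st.failures = 0
        else:
            st.failures += 1
            if st.failures >= max_failures:
                st.locked = True
                alerts.append(f"{ev['ts']} {ev['user']} locked after {st.failures} failed logins")
    return dict(states), alerts

# Constructed sample log (not real data): alice recovers, bob trips the lockout
SAMPLE_LOG = [
    "2013-05-01T09:00:01 LOGIN user=alice result=fail src=10.0.0.5",
    "2013-05-01T09:00:07 LOGIN user=alice result=fail src=10.0.0.5",
    "2013-05-01T09:00:15 LOGIN user=alice result=success src=10.0.0.5",
    "2013-05-01T09:01:00 LOGIN user=bob result=fail src=198.51.100.7",
    "2013-05-01T09:01:03 LOGIN user=bob result=fail src=198.51.100.7",
    "2013-05-01T09:01:06 LOGIN user=bob result=fail src=198.51.100.7",
    "2013-05-01T09:01:09 LOGIN user=bob result=success src=198.51.100.7",
]
```

Note that the correct password on bob's fourth attempt does not unlock the account; unlocking is an administrative action, which is the point of notifying super administration.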

Second Answer

As a best practice, Sahani should choose only 5-star-rated applications; if there are requirements on the web server, they should be completely blocked. RUN, SHUTDOWN, EXPLORER and FILE ACCESS should be blocked for end users, and he should understand how often the web server is scheduled for security and application patches. Other mandatory parameters from a security standpoint are:

  • The redundancy plans scheduled, and how much time it will take for restoration in case of a crash or when the server is down
  • Analyse the exact bandwidth required for the application; it should be provisioned with a 30 to 40 per cent buffer
  • Check physical access and web access periodically and review them (biometric access, video surveillance, etc.). The service provider must have power, cooling and site redundancy
  • Service providers should be located away from coastal areas to avoid natural disasters
  • Check if they have LEED certification for their data centre.

Yagnesh Parikh, Senior VP-Head IT (Trading), ICICI Securities Ltd

About me:

Possess a keen understanding of technology; an expert in addressing the IT needs of the banking and financial services sector.

Data location is critical

First Answer

With regard to data security, it is a must for Sahani, particularly if it is a large enterprise, to understand if the data is residing in India or outside. In most cases, the Cloud service provider has a wide spread and the data centre is located in a different geography. Gauge the performance of the service provider in safeguarding the data on the Cloud, irrespective of whether it is private or public. Sahani should make sure that the partner has structured the data on SAN boxes to protect it. The key criterion is to see if the service provider enables the team to conduct audits, to understand his access control mechanism, and whether he has appropriate security tools in place.

Second Answer

As a best practice, Sahani needs to factor in the service provider's communication policy to ensure that he keeps the IT team periodically informed about the tasks. It is important to get insights into his readiness to address any untoward incidents; it's critical to see his proven track record. The best security practices would be to ensure that the partner has good governance in place, the contracts are well defined, and legal and compliance needs are addressed appropriately. The service provider's interoperability efficiencies need to be understood where a data migration process is involved.
