CISOs firmly believe that collaboration between business functions, risk functions and CIO will help in governing cloud securely
Enterprises are migrating a wide range of applications to the cloud, and the security exposure this creates is giving sleepless nights to Chief Information Security Officers (CISOs). The challenge for CISOs has been to keep cloud operations secure while reconciling so many disparate interests.
Most CISOs echo a similar sentiment when it comes to enterprise cloud: the security measures will have to include effective authentication, authorisation, audit, monitoring, adaptation and transformation, plus a data repository that can be mined for evidence, all in the service of maintaining operations security across those disparate interests.
How to Justify Cloud Security in Disparate Environments
“Enterprises can maintain cloud operations either comfortably or cumbersomely based on how well the domains are defined and how best the policies, procedures and guidelines are created and practised,” points out Senthil Kumar M, CISO, Rane Holdings.
Some best practices for secure cloud operations that Kumar recommends include taking complete stock of cloud strategy in an enterprise.
He says that CISOs need to follow these steps:
a) What is to go to the cloud?
b) Identify IT governance objectives and deliverables.
c) How is it going to be delivered?
d) How is it going to be deployed?
e) How is the cloud going to be formed?
f) How is the cloud going to be governed?
g) Lastly, evaluation, improvement and adaptation of the cloud model.
Kumar says that demonstrating compliance with required laws and regulations is now purely in the hands of the Cloud Service Providers (CSPs), as they are broadly subject to size, geographical location, enforcement, customer base, volume and many other factors.
The regulatory and statutory requirements affecting cloud strategy will need particular attention. Depending on sector and geography, for example, the law regarding the physical location of storage and service provision will dictate the choice of cloud.
Just as the IT team carries a mandate to secure buy-in from the lines of business, CISOs have a mandate to take a collaborative approach to driving secure cloud governance.
Sethu Seetharaman, VP & Chief Risk Officer, Mphasis, emphasises the need to take a collaborative approach to ensure secure governance. He says, “Risk, CIO, and business function together have taken a risk based decision and have classified the data and applications which can be moved into cloud and those that cannot be, which is a pre-requisite for cloud governance.”
He argues that depending on the type of cloud service (SaaS, PaaS, IaaS), security controls have to be built either by the CISO or by the service provider (e.g. for SaaS).
According to him, choosing the right service provider based on the demonstrable assurance they provide is of the utmost importance.
Seetharaman’s view has been that good vendors publish and demonstrate how they comply with various international standards and regulations. “Also, CSA and BSI have come up with Security, Trust and Assurance Registry (STAR) certification and this is supposed to provide standards based on public repository of cloud provider security controls. While STAR has levels for self-assessment, certification, attestation and STAR Continuous, many are still at the first or the second levels only. Additionally, cloud providers can also demonstrate the compliance through SOC 2 audits,” points out Seetharaman.
However, Seetharaman argues that it is still a seller’s market. “In our experience, we have not seen cloud service providers open to financial controls, incentives or penalties, while you can negotiate on price but there’s no scope on terms and conditions,” explains Seetharaman.
Atul Pandey, The ICT Rainmaker: GRC, GSD, PMO & BPM, reiterates that while your organisation is certainly taking measures to ensure that its policies, processes and environment comply with relevant regulations, the question is how to prove that in an audit. Logging, monitoring and alerting are three common yet reliable approaches, says Pandey.
Elaborating, Pandey says,
- Logging: ensures that organisations can show they are in full control of their systems. It is also useful for long-term analysis.
- Monitoring: the process of keeping a vigil on the logs to ensure that there are no potential threats that could cause a security breach.
- Alerting: helps staff proactively identify, analyse and resolve emerging issues.
- Auditing: the logs should provide grounds of evidence that the organisation is in compliance with the necessary regulations.
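The four steps above can be shown end to end in a few lines of code. The following is an added example, not code from the article or from any of the people quoted in it. It assumes a hypothetical JSON audit-event shape (loosely modelled on the kind of record a cloud provider's audit trail emits, but not any real provider's format), three illustrative control rules, and a handful of constructed sample events; the control identifiers and the events are invented for illustration.

```python
"""Logging, monitoring, alerting and audit evidence over cloud audit events.

Added example; the event shape, control names and sample events below are
assumptions made for illustration, not a real provider's feed.
"""
import hashlib
import json

# Constructed sample events in a hypothetical shape (not a real provider log).
SAMPLE_EVENTS = [
    {"time": "2024-03-01T09:00:00Z", "actor": "alice", "mfa": True,
     "action": "ConsoleLogin", "resource": "account", "outcome": "success"},
    {"time": "2024-03-01T09:05:12Z", "actor": "root", "mfa": False,
     "action": "ConsoleLogin", "resource": "account", "outcome": "success"},
    {"time": "2024-03-01T09:07:40Z", "actor": "bob", "mfa": True,
     "action": "StopLogging", "resource": "trail/prod", "outcome": "success"},
    {"time": "2024-03-01T09:10:03Z", "actor": "bob", "mfa": True,
     "action": "AuthorizeIngress", "resource": "sg-prod-db",
     "cidr": "0.0.0.0/0", "port": 5432, "outcome": "success"},
    {"time": "2024-03-01T09:12:55Z", "actor": "carol", "mfa": True,
     "action": "AuthorizeIngress", "resource": "sg-prod-web",
     "cidr": "10.0.0.0/8", "port": 443, "outcome": "success"},
]

# Monitoring rules: each control maps to a predicate over a single event.
# Control identifiers are hypothetical, not taken from any standard.
RULES = {
    "IAM-01 privileged login without MFA":
        lambda e: e["action"] == "ConsoleLogin"
        and e["actor"] == "root" and not e.get("mfa"),
    "LOG-02 audit logging disabled":
        lambda e: e["action"] in ("StopLogging", "DeleteTrail"),
    "NET-03 world-open ingress rule":
        lambda e: e["action"] == "AuthorizeIngress"
        and e.get("cidr") == "0.0.0.0/0",
}


def monitor(events):
    """Monitoring: evaluate every rule against every event; return alerts."""
    alerts = []
    for event in events:
        for control, matches in RULES.items():
            if matches(event):
                alerts.append({
                    "control": control,
                    "time": event["time"],
                    "actor": event["actor"],
                    "resource": event["resource"],
                })
    return alerts


def evidence_chain(events):
    """Logging: hash-chain the canonical JSON of each event so an auditor can
    verify that the reviewed log was not altered or truncated afterwards."""
    digest = "0" * 64
    for event in events:
        record = json.dumps(event, sort_keys=True, separators=(",", ":"))
        digest = hashlib.sha256((digest + record).encode("utf-8")).hexdigest()
    return digest


def audit_summary(events, alerts):
    """Auditing: per-control hit counts (zero hits are listed too, as evidence
    the control was actually monitored) plus the digest of the reviewed log."""
    hits = {control: 0 for control in RULES}
    for alert in alerts:
        hits[alert["control"]] += 1
    return {
        "events_reviewed": len(events),
        "evidence_digest": evidence_chain(events),
        "hits_per_control": hits,
    }


if __name__ == "__main__":
    found = monitor(SAMPLE_EVENTS)
    # Alerting: surface each hit to staff as it is found.
    for alert in found:
        print(f"ALERT {alert['time']} {alert['control']}: "
              f"{alert['actor']} on {alert['resource']}")
    print(json.dumps(audit_summary(SAMPLE_EVENTS, found), indent=2))
```

Two design points are worth noting. The audit summary lists every control, including those with zero hits, because an auditor needs evidence that a control was monitored, not just that it fired. And the hash chain ties the summary to a specific, unalterable sequence of log records; if a record is edited or dropped after the fact, the digest no longer matches the one recorded with the summary.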