CISOs recommend right policies and procedures which can help industries in effective Cloud governance
Analysts find SMAC (Social Media Analytics and Cloud) all pervasive and invading the market place. Cloud is creating good footprints across enterprises and under various forms, whether private, public, or hybrid. With cloud getting more aggressive, business functions, devoid of IT’s intervention, are deploying a cloud model. Such a trend is leading to several discrepancies in regulatory, compliance and governance issues.
This has triggered much thought and discussion among Chief Information Security Officers (CISOs). The debate is about when the concept of Cloud Governance will come under CISO’s role and what the policies and procedures are that need to be followed for ensuring effective governance.
Cloud governance is a critical challenge for enterprises, and becoming an even larger issue as public and private cloud deployments become increasingly important to IT strategy. The reason is the increase in the number of applications in the cloud, the scale of those applications, and the number of people involved in operating those applications.
"While legacy investments already made need to be handled by CISOs, existing IT policies and governance mechanisms prove ineffective to manage cloud”--Sethu Seetaraman, VP& Chief Risk Officer, Mphasis
CISO’s Role and Policy Prescription
Several aspects that concern CISOs when it comes to cloud governance will be to address compliance around which data needs to be moving to cloud, whether the vendor will comply with the appropriate regulatory and legal requirements, and in particular, whose data are they moving to cloud? Will it result in any privacy regulation?
CISO Role in Driving cloud Governance Policy
- Cloud model is leading to several discrepancies in regulatory, compliance and governance issues
- Cloud governance is a critical challenge for enterprises, and becoming an even larger issue as public and private cloud gain momentum
- A CISO’s responsibility is multifold when it comes to cloud governance
- CISOs need to address compliance around which data needs to be moving to cloud
- CISO needs to check if the vendor will comply with the appropriate regulatory and legal requirements and, in particular, whose data is being moved to cloud?
- Assess the impact of privacy regulation
Sethu Sethuraman, VP& Chief Risk Officer, Mphasis, states that CISOs need to handle issues like portability--location of data, in the data centre. Some of the other domains that CISOs need to address according to Sethuraman are: disaster recovery, security requirement as part of the contract, cloud provider’s transparency of its controls, support provided by cloud service provider during an incident, maturity and health of service providers, transition and vendor risk switching cost--ability to move from one service provider to another.
Seetaraman maintains, “While legacy investments already made need to be handled by the CISO, existing IT policies and governance mechanisms prove ineffective to manage cloud.”
He further adds, “Understanding its limitations, and based on the need felt, separate policies and standards have been evolved--of course, guided by organisations like CSA (Cloud Security Alliance) guidance documents.”
Atul Pandey, The ICT Rainmaker: GRC, GSD, PMO & BPM, highlights three critical components that CISOs handle which include maintaining security across the cloud environment, demonstrating compliance with required laws and regulations and controlling and tracking expenditure along.
According to Pandey, in sync with CSA/Cloud Security Alliance standards, CISOs follow domains in a sequential yet integral overlap of Governance & Operations for Cloud that need to be comprehensively articulated as well championed.
Pandey reiterates that a CISO specifically and collaboratively be instrumental, indirectly or directly be responsible for governing risk management, legal issue, contracts and e-discovery, compliance and audit management, interoperability and portability.
“In terms of operations, the CISO is responsible for traditional security and BCP-DRP, encryption and key management, identity and access management, data centre ops, application security and virtualisation and so on,” he says.
From his role perspective, Pandey says, “A CISO may have independent accountability or has to work in tandem with other department(s) because more than necessary information is exposed to internal users and confidential data is accessible to external users or simply outsiders.”
“A CISO should ensure that organisational digital assets are personally used, compliance to regulatory standards/requirements is mandated and organisational data in cloud must not be visible to third part entities,” says Pandey.
Pandey gives a connotation of the past, where complex infrastructures led to complex security strategies, not to mention technologies, with many moving parts and countless points and modes of failure. “The cloud is pretty simple, with the vendor handling the gears and levers of the data centre and extending that simplicity to security is the true north of cloud security philosophy,” he says.
a) Pandey puts across a three pronged approach to deal with cloud governance: Accept the cloud and try to protect the data in the cloud, as opposed to, from the cloud. The goal is governance of the data you collaborate with, not isolation of data and users from the infrastructure where they can be productive. Define the use cases that matter in the cloud.
b) Leverage your end users. A model aimed at reinforcing individual accountability will be more effective than one that enforces obedience. This is aligned with the people-centric principle enunciated by Gartner.
c) Choose an architecture that will scale across the enterprise and align with the goals of governance and individual accountabilities.
A CISO should ensure organisational digital assets are personally used, compliance to regulatory standards/requirements is mandated and organisational data in cloud must not be visible to third part entities” Atul Pandey, The ICT Rainmaker: GRC, GSD, PMO & BPM