Five Steps to Creating a Governance Framework for Cloud Security
The cloud is your investment, your IP, your resource, and you should make sure it is protected
By: Tom Cecere
Nov. 28, 2011 08:15 AM
Cloud computing has revolutionized the way organizations around the world use technology. Although many refer to 2011 as the Year of the Data Breach, and cloud computing has earned a reputation for being inherently insecure, that stigma is simply not true. Most cloud providers have much stronger security measures for their systems than even the most sophisticated IT departments can afford to deploy. The perceived lack of security comes from the mismatch between on-premise security assumptions and the expanded needs driven by the use of cloud.
Cloud computing is a significant technology trend that is set to dramatically change the nature of business. We have witnessed a recent spate of high-profile security attacks and data security breaches - from Amazon to Epsilon - and as worrisome as these incidents are, they are not as worrisome as the reputation of cloud computing being insecure. In fact, cloud computing seems to have become a scapegoat for failed security measures. On closer examination of some larger incidents, it's clear that many data breaches are a result of inadequate cloud security practices.
Without a set of widely adopted cloud security standards and practices amongst the various cloud vendors, the adoption of cloud computing has created significant challenges for IT security professionals. A governance framework for cloud security is a viable way to address the challenges organizations face.
A governance framework stretches across all aspects of IT, reaches every facet of an organization and touches each employee. Creating a governance framework for cloud security is no different. It must allow the CIO and CSO to view, assess and manage all risks, security, and compliance for the cloud environment. While the Cloud Security Alliance has developed a framework of risk issues that need to be addressed in a cloud computing context, their "Security Guidance for Critical Areas of Focus in Cloud Computing" is not mandated and by no means does it ensure your own security.
A governance framework allows organizations to devise an individual security strategy with checks and balances that fit their own environment. Even when working with Managed Service Providers that claim to be secure, SLAs will only take you so far - ultimately you are responsible for your own data and auditors will be the first ones to let you know that. Security, compliance, IT and the business must be on the same page, and a governance framework for cloud security will help pave the way.
Five Steps for Implementing a Governance Framework for Cloud Security
1. Understand the Insider Threat; Set Policies to Address
2. Implement a Horizontal Audit Compliance Framework
3. Manage Identity and Access
As part of a governance framework, put a solution in place that looks beyond just the operating system to incorporate all platforms, applications and databases, and then places an access governance tool over the top.
Insider threats can be overcome by a strict Identity and Access Management solution or even an Identity as a Service (IDaaS) solution that allows IT managers to track privileged access to sensitive data and to assign or revoke these privileges. Support the identity management solution with security data logging and auditing that allows management to know who does what, where and when, and ensures that any changes are logged and audited sufficiently.
4. Leverage Your Security Information and Event Management Deployment
Lately, we see security being offered as a service (SecaaS). This could be a solution for newcomers to the cloud or organizations that cannot build such security measures themselves either due to lack of funding or internal resources.
5. Consider a Governance Framework Solution
Ultimately, organizations need to develop strict governance frameworks to ensure cloud infrastructure and operations are as secure as - if not more secure than - traditional on-premise approaches to protect corporate data and critical systems. As hybrid on-premise cloud environments become the norm in the coming years, organizations will need a comprehensive way to protect data across this environment. Data will need to be secure regardless of where it resides, and governance frameworks are a key component of ensuring a comprehensive approach to information protection.
Data breaches will continue to be highly visible and will quickly become public knowledge, particularly in light of recent SEC guidance. From lost revenue, increased expenses and fines to damaged customer relationships and corporate brand reputation, the costs associated with data breaches are significant and far-reaching. The cloud is your investment, your IP, your resource, and you should make sure it is protected as much as, if not more so than, any other piece of the organization.