Which Governance Framework Is Right For Cloud Computing?
Cloud computing is revolutionizing how organizations use technology worldwide and for a good reason, it leverages on economies of scale more than any application of technology in recent history. And with the economic stability of the world swaying back and forth, organizations and businesses are forced to embrace that which makes them more stable and compete in a shaky market. Cloud computing allows them to do just that as it leverages their business processes with high returns and low costs. But the aggregation of data and information in a single virtual space has its own risks –it becomes a prime target for attackers and opportunists. This is more in line with the concept of data gravity. As data becomes more massive, the faster it attracts other services, application, customers, and yes even attackers. It also becomes harder to move which only assures attackers that the data they want is in the same place at any given time.
Cloud computing has received the brunt of most recent high-profile security attacks and data breaches, giving cloud computing a bad reputation of being unsecure, which now makes it a scapegoat for any failed security measure. But cloud computing can become very secure no matter the architecture or type used, but this would require a strong governance framework.
The Solution: Security Governance Framework
A governance framework is essential for any concept of technology to succeed. There are different types of governance frameworks for most concepts like how to run the organization itself, as well as the different departments in an organization, and of course a dedicated governance framework for IT. But for cloud computing, perhaps the most important governance framework would be that for security.
As with IT governance which stretches across all of its facets, from the people to the whole organization, the cloud computing security governance framework must do the same. The framework must allow the CSO and CIO to oversee and assess all risks and manage them accordingly, as well as the security and compliance of the organization’s cloud environment.
This governance framework must allow for security, compliance, and all of IT and the rest of the organization to be synergized to make the cloud secure. And therefore must do some of the following things.
1. Educate your workforce. Most security breaches and attacks stem from negligence or ignorance from the basic building block of the organization, the rank and file. Most breaches are a result of something that internal users have done or failed to do, and to prevent such things from happening again or at all, they must be made aware of the dangers of some actions and must be educated with security measures which they should always comply with.
2. Audit compliance. Use an audit tool which can view the organization’s vulnerabilities across the board. It is common for departments to be without contact with each other because they are not related whatsoever, and the solution to this is to create a framework for compliance across the organization which combines the different streams of information from different groups, giving security administrators a single overview.
3. Employ Identity and Access Management (IAM). This is one of the best ways to keep track of people who have access to sensitive data. This prevents or at least mitigates breaches and attacks from internal sources. Access management must be paired with a data logging solution which allows administrators to know who does what, when and where and that all changes are logged and audited properly.
4. Employ Security Information and Event Management (SIEM). The ideal cloud security solution should integrate the organization’s access management to secure a complete view of where the organization stands in terms of security. Security as a service is one solution that organizations may avail if they cannot provide their own.
5. Look for guidance but ensure your own security. Many organizations both government, academic, or private like the European Network and Information Security Agency (ENISA) and the Cloud Security Alliance (CSA) have published papers and guidance protocols for securing cloud environments. Organizations can consider them as guidance and must form their own way for securing their cloud based on the recommendations and incorporate their own twists into those depending on their needs.
A governance framework is essential for cloud computing but there shouldn’t be just one good way to do it. Since no two organizations are alike, it would make sense that no two frameworks are alike, but they would have a lot of similarities. But no matter the difference all organizations need a security governance framework for any cloud infrastructure that they may be using.
By Abdul Salam
He has recently co-authored: Deploying and Managing a Cloud Infrastructure: Real-World Skills for the CompTIA Cloud+ Certification (Wiley).