CIAA: What Should Matter Most For Online Security

92shares

CIAA Security

Everyday there are more articles citing security as the top concern holding back public cloud adoption. While cloud means many things to different people, so does the term security. In discussions with business and industry experts, security concerns really boil down to the classic CIA—now CIAA—triad: confidentiality, integrity, availability and the more recently appended “audit”.

Public cloud security concerns seem to be more focused on Infrastructure as a Service (IaaS) for sensitive type workloads and on newer Software as a Service (SaaS) services. Even with the latest concerns around PRISM and the intercepting of data on cloud servers, the economic viability of cloud computing is too good to hold back. Gartner has predicted 17.7% CAGR in public cloud services usage through 2016.

Below is a break down of CIAA and how it can be adapted to cloud security needs today.

Confidentiality is about limiting access or placing restrictions on information, and in order to do that successfully, information needs to be categorized according to its sensitivity and business risk level. Once that assessment has been made, organizations can use workloads of a lower risk level as a starting point for getting comfortable with public cloud services. Not all public cloud providers are created equal and a growing number have well established data handling and security procedures. Some cloud providers have tailored their services to different verticals such as healthcare, Government and retail mostly for compliance reasons, but many also cater to some of the more stringent needs around data protection.

However, both cloud providers and consumers would benefit from a model where cloud services could be universally classified according to different levels of trust. The Open Data Center Alliance has promoted such a model in its Provider Assurance usage model with categories ranging from bronze for less sensitive data to platinum at the higher level.

Integrity is focused on maintaining and assuring the accuracy and consistency of data. To do that, standards have to be implemented to ensure that data cannot be tampered with, and is only accessed by those who have the correct permissions. In addition to the data classification measures in the previous paragraph, integrity can also be ensured by putting in place strict monitoring controls – think threat data analytics and SIEM, encryption, and tokenization. In a public cloud IaaS model the application of these controls will be split between the provider and the end user. Part of establishing appropriate controls and being able to attest and report against these will be derived from drawing up SLAs and reviewing controls over time to ensure that they meet your organization’s needs.

Availability is simply ensuring that data or a service is available when needed. For the nature of today’s real-time transactions, even data or services with a lower risk level usually require high availability. Public cloud outages are often highly publicized, but the reality is that these are few and far between. Additionally, with the correct precautions, the impact of such outages can be lessened.

For organizations with limited IT staff, select a cloud provider that offers complete cloud redundancy. Onramps are often used to migrate data to the cloud, and a side benefit of that is that they can also provide cloud mirroring, which allows data to be written to two cloud providers at the same time. This is an ideal strategy as the chances of both providers having an outage at the exact same time would be extremely rare.

Audit refers to the examination and confirmation of controls around data and the IT infrastructure. This is perhaps the most complex aspect of the CIAA concept, as it can be difficult to navigate a maze of emerging regulatory standards—some of which have conflicting clauses. The good news is that the Cloud Security Standards Cloud Controls Matrix provides a cross walk of multiple standards and regulations broken down by cloud model. The benefit is a unified audit framework that organizations can use to audit once and report against multiple requirements simultaneously.

Remember that levels of confidentiality, integrity, availability and audit depend on the context—not just cloud context. Business, technical and human risk, governance and other regulatory standards will all condition how CIAA pertains to a particular cloud Instance.

By Evelyn de Souza

Evelyn de Souza

Evelyn de Souza focuses on developing industry blueprints that accelerate secure cloud adoption for business as well as everyday living. She currently serves as the Chair of the newly formed Cloud Security Alliance (CSA) data governance and privacy working group. Evelyn was named to CloudNOW’s Top 10 Women in Cloud Computing for 2014 and SVBJ’s 100 Women of Influence for 2015. Evelyn is the co-creator of Cloud Data Protection Cert, the industry’s first blueprint for making data protection “business-consumable” and is currently working on a data protection heatmap that attempts to streamline the data privacy landscape.

THOUGHT LEADERS

Ditching the Third Party: Enabling Privacy and Personalization with AI-ready Data

Enabling Privacy and Personalization Most businesses today rely on data collected online to better understand their customers and deliver more personalized products, services and experiences. These insights can be transformative for an organization, especially when ...

How AI is Reshaping Business Operations for MSPs

Fueled by extensive demand in IT, healthcare, financial services, and telecommunication—initially spurred by the pandemic-driven frenzy to transition to remote working—managed service providers (MSPs) are busier than ever. As businesses adopt MSP services to upgrade, ...

The Need for Experts Goes Beyond AI

The Need for Experts The explosion in AI technologies has brought with it clear concern that easy answers and intelligent copywriting are now the domain of machines. This has led to the question of whether ...

How to Enable Successful Remote Work Strategy with AI

How AI Is Important for Businesses Shifting to Remote Work The Coronavirus Pandemic has taught us that organizations must have remote work choices. It is no longer possible to work in a digital environment. The ...

AI-powered identity verification: what businesses need to know in 2023

AI-powered identity verification Even if you don’t want to admit it, doing business online in today’s environment poses a greater risk. Criminals are constantly on the lookout for vulnerabilities to exploit, including hacking, data breaches, ...

Get Smarter

Whether you're just starting out in the online industry or looking to take your skills to the next level, Get Smarter eLearning platform is the perfect choice for you. Sign up today and start your journey towards online success!

Use code LEARN15 to enjoy 15% off all courses.