Cloud Security Mindset
Businesses are becoming wise to the compelling benefits of cloud computing. When adopting cloud, they need a high level of confidence in how it will be risk-managed and controlled, to preserve the security of their information and integrity of their operations. Cloud implementation is sometimes built up over time in a business, while the technology and cybersecurity around it constantly evolves. This can lead businesses to finding themselves with a fragmented approach to cloud control and security, and this needs to be avoided through the implementation of a cohesive governance, risk and compliance (GRC) framework.
Cloud services are big business. In 2019, IDC predicts that worldwide spending on public cloud services will be $141 billion while last year, Amazon Web Services achieved net sales of $7.88 billion. Businesses get on board with cloud to perform better, to meet targets and objectives by being leaner, faster and more cost-effective.
Cloud helps businesses minimize the capital investment and maintenance costs of hardware and infrastructure. It supports rapid scaling up and down as needs dictate and brings elasticity to business operations, facilitating the addition and removal of user access more quickly and easily. Project deployment with cloud can be a more agile and faster affair. Efficient business operations are supported through improved access and information retrieval, while disaster recovery measures include robust backup and controls.
Being clear on risk
In the early days of cloud there were security concerns. It seemed to follow that assets residing ‘somewhere else’ were more at risk. Ownership and control of infrastructure gives a perception of security. However, the walls of a data center can be vulnerable to professional hackers, therefore it doesn’t automatically follow that infrastructure ownership provides greater security.
Cloud is a service based delivery model typically involving an infrastructure provider, a platform provider and a software provider. While service procurement of an IT solution delivers some benefits it also comes with some of its own risks. These include shared technology issues, the risk of insufficient due diligence and service reliability. And of course, it cannot be immune to the threat of data breaches and other potential security issues or data loss.
Clarity on the division of labor between company and service provider is an essential first checkpoint of a robust cloud service model – what are you responsible for? What is the service provider? This covers situations that include incident handling and virus infection on storage. Who manages such situations, should they arise, depends on the chosen service model. And this needs to be completely clear and transparent – there is nothing more valuable to a business than its data; its protection can’t be only half understood, governance around all aspects is essential.
Secure cloud service provision
The right cloud architecture is a second critical consideration. Virtualization was the first phase of cloud adoption now, isolation of data is also an imperative. While we saw multi-tenant solutions adopted first, the call is now for multi-instance to guarantee separation of company data. This is important because some regulation requires proof of data segregation and it also provides greater flexibility with faster implementation of changes.
A cloud solution should also provide federated identity management so that the business has control over the access its users and devices have. As users move around in the organization the system needs to be resilient to managing segregation of duties.
For continuous security assurance, quarterly or monthly testing is not enough. Real-time dashboards are needed and should be a part of the service model.
Cloud service providers are now adopting industry standard GRC solutions that include segregation of duties, change management, continuous monitoring and reporting and analytics. For best practice secure cloud implementation, businesses should start with a robust GRC framework, assess cloud service providers meeting industry standards against that framework, and then ensure governance and control through service level agreements and continuous monitoring.
The GRC framework
For a single source of truth on regulatory compliance, security and control, the company’s GRC framework should apply across the complete cloud infrastructure and cover:
- Continuous system controls monitoring – as business data and applications are mission critical
- Penetration testing and audit management – conducted to a defined schedule
- Incident response management – this is the norm with internally controlled assets and there should be no difference with cloud implementation. The process needs to detail response activities that kick-in immediately in the event of a security problem
- Compliance controls testing – the specifics of this will depend upon the industry as particular requirements will apply in the likes of healthcare and finance
- Disaster recovery and business continuity – this is about more than demonstrating disaster recovery on paper, the theory needs to be tested through disaster recovery operations
- Onsite and offsite backup audits – on a regular basis.
In addition, a comprehensive GRC framework will also cover data encryption audits, forensics log management and reporting, elasticity and load tolerance testing, advanced cyberattack prevention measures and advanced cloud security analytics.
Resilience and control
Effective governance and control is integral to business success and growth. A risk-managed company is more resilient to market and situational change. The culture and practice of risk management and control has to come from the top down, permeating the organization’s entire operations. As well as defining and enforcing the policies for complete cloud implementation across all instances and cloud providers, the GRC framework should also serve as the template against which future providers can be evaluated.
With a GRC framework on cloud, businesses can expect enhanced information security, compliance and risk management, the highest levels of reliability and operational control and continuous transparency and confidence. Business continuity will be robust with disaster recovery measures in place. Also, regulatory mandates will be complied with.
GRC on the cloud is a way of ensuring security risks are completely understood, and that management through manual processes and firefighting in the event of an incident are avoided. It is also a way of smoothly managing change when business decisions require it.
The right GRC approach will support informed decision-making and ongoing management, putting your business in a better position to reduce risk and to realize the benefits of cloud in enhancing business performance.
By Vidya Phalke, Chief Technology Officer at MetricStream
Vidya Phalke is responsible for MetricStream’s technical architecture and strategy. Prior to being promoted to the CTO position, Vidya served as Vice President of Product Management and Engineering where he was responsible for MetricStream’s Software Products and Platform Delivery. Starting with MetricStream in 2003, Vidya has been instrumental in developing an industry-leading GRC software platform. Before joining the software industry, Vidya earned a PhD in Computer Science from Rutgers University, where he won two Small Business Innovation Research grants for his research on databases and network optimization.