Addressing Cloud Security Concerns in the Enterprise

Businesses want to move to the cloud, they really do. And more than ever, they’re starting to make the switch: A Cloud Security Alliance (CSA) study that polled more than 200 IT professionals found that 71.2 percent of companies now have a formal process for users to request new cloud services.

That CSA study also found that nearly two-thirds of IT professionals trust the security of cloud computing equally or even more than their on-premises systems. About a third of respondents cited better security capabilities as a benefit of the cloud. However, almost 68 percent of respondents noted that the ability to enforce their corporate security policies remains a barrier to cloud adoption.

Companies know there’s top-notch security in the cloud, yet security remains the biggest hurdle in getting over to the cloud. Kind of a catch-22, huh? Fortunately, there are a few things you can do to help assuage these fears.

Cloud security is something everyone in a company should be concerned with, not just the IT department or decision-makers. And while the tools we use are improving and more people are starting to better understand cloud computing, people still play a big part in security. Your team of security professionals should get the correct training early on in their tenure, and continuous training will allow them to keep their skills sharp.

Outside of security professionals, all employees within a company should know their role in maintaining a secure environment. Having a proactive approach to security risks is the first step, which is something that 82.2 percent of companies have. However, fewer than half of the companies that responded have a complete incident response plan. With real concerns like loss of reputation or trust, financial loss, and destruction of data, it’s imperative to have a plan in place to combat any potential security issues head-on, rather than reacting after the fact.

To help with the development of that plan, some businesses have turned to a managed service provider (MSP). Naturally, that raises concerns as well: the CSA report notes that 87.3 percent of companies cite access control as an important aspect of cloud security. Our Datapipe Access Control Model for AWS (DACMA) addresses this concern by securely delegating access to Datapipe while the business retains control of its own credentials. DACMA’s role-based access and accountability elements also ensure that only the right people within an enterprise are accessing certain data. And with 24/7/365 security monitoring, you’ll be on top of any issue should one arise.
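The delegation pattern described above, as an added illustration rather than Datapipe’s own DACMA configuration: a customer-owned AWS IAM role that an MSP’s account may assume only when it presents an agreed external ID, with permissions limited to the AWS-managed read-only SecurityAudit policy and an explicit deny on credential changes. The account ID, role name and external ID are placeholders.

```yaml
# Added example (not DACMA): the customer keeps its own credentials and can
# revoke MSP access at any time by deleting this role or changing the external ID.
AWSTemplateFormatVersion: "2010-09-09"
Description: Delegated, revocable MSP monitoring access without shared credentials
Parameters:
  MspAccountId:
    Type: String
    Default: "111111111111"                   # placeholder: the MSP's AWS account
  ExternalId:
    Type: String
    NoEcho: true
    Default: "REPLACE-WITH-VALUE-AGREED-WITH-MSP"   # placeholder
Resources:
  MspMonitoringRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: msp-monitoring-role           # hypothetical role name
      MaxSessionDuration: 3600                # temporary credentials expire hourly
      AssumeRolePolicyDocument:               # trust policy: who may assume the role
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${MspAccountId}:root"
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                # External ID guards against the confused-deputy problem: the MSP
                # can only assume this role on behalf of the customer who set it.
                sts:ExternalId: !Ref ExternalId
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/SecurityAudit   # AWS-managed, read-only auditing
      Policies:
        - PolicyName: deny-credential-changes
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Deny                  # explicit deny overrides any allow
                Action:
                  - iam:CreateAccessKey
                  - iam:CreateLoginProfile
                  - iam:UpdateLoginProfile
                Resource: "*"
```

Every AssumeRole call against this role is recorded by CloudTrail in the customer’s account, which provides the accountability trail the paragraph refers to.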

Whether or not you choose to partner with an MSP to assist with security, there are plenty of reasons to develop a cloud security strategy that works within your enterprise. There’s no one right method, but there is a wrong approach: not doing anything about it. To learn more about first steps you can take, visit our Managed Security page.

David Lucky, Director of Product Management, Datapipe

[Cloud Security Alliance Blog]

Book of the Month: Controls and Assurance in the Cloud: Using COBIT® 5

Cloud computing has probably been the most debated technological subject of the past 5-6 years. Throughout this period, cloud has evolved to become the top priority on organizations’ agendas, both in terms of governance (strategic decisions) and as the unknown factor affecting the business. The book, Controls and Assurance in the Cloud: Using COBIT 5, is a guide that addresses both issues.

More specifically, the book starts with a section outlining all of the business factors that make the transition to cloud an attractive business strategy. It then goes a step further by laying out cloud service and delivery (or deployment) models alongside the associated benefits and risks to an organization, whilst detailing cloud computing challenges that organizations need to address.

Having a deep understanding of the fact that any strategic decision needs to be accompanied by the relevant risk management approach, ISACA provides in the book a thorough risk assessment, coupling the impact of cloud migration with the associated cloud service model and deployment model being considered.

What makes this publication unique though is that it not only directly addresses major concerns regarding cloud migration and, more specifically, information security, it also provides a guide on the exact questions organizations need to ask before deciding on cloud service and deployment models.

As a cloud security officer, I have come across questions like “Are cloud infrastructures secure?” or “Will my data remain confidential in the cloud?” And what I have always tried to explain to organizations is that these questions cannot be answered without a point of reference. So, for example, the question “Are cloud infrastructures secure?” must be prefaced by, “In relation to my governance mandates, security strategy and security program currently in place,” for a chief information security officer (CISO) and upper management to obtain a clear view regarding what cloud migration entails. And this is exactly where the book succeeds and stands out from similar publications.

In a comprehensive section on governance and management in the cloud, the book puts into perspective and addresses major questions related to governance and the responsibilities of upper management. It then provides an overview of how the COBIT 5 framework can be leveraged to manage the migration to cloud, in strategic as well as tactical and operational terms. Taking it even further, the book then proceeds to outline the path to a cloud decision and beyond, through practical guidance. A stepped approach, decision-making models, considerations for the preparation phase, cloud provider selection, and details of assurance functions are just a few of the factors that are analyzed in an easy-to-read and easy-to-follow manner.

Understanding that information security is the top consideration faced by organizations, the book then delivers an across-the-board threat matrix alongside mitigating actions and mapping to COBIT 5. It delivers an up-to-date list of cloud assurance frameworks and a detailed responsibility matrix for cloud service providers and potential customers.

The book could have concluded with mere notes and summaries of the issues addressed in its chapters. The uniqueness of this publication, however, is that it stands as practical guidance, and as such it features seven appendices full of ready-to-use information for organizations either wishing to migrate to the cloud or evaluating the offering they already have. The appendices provide COBIT 5 governance and management practices, a template for a cloud computing assurance program, a process capability assessment, cloud risk scenarios, contractual provisions that need to be taken into account, a cloud enterprise risk management governance checklist, and a practical approach to measuring cloud return on investment (ROI).

All in all, Controls and Assurance in the Cloud: Using COBIT 5 is the most definitive guide addressing all aspects of cloud computing migration and evaluation.

The book was recently featured as the Book of the Month in ISACA’s Bookstore. For more information click here.

Editor’s Note: Dr. Stergiou, CISM, was an expert reviewer of Controls and Assurance in the Cloud: Using COBIT 5.

Dr. Theodoros Stergiou, security solutions product manager & cloud security officer, Intracom Telecom

[ISACA Now Blog]

IT Assurance in the Cloud–A Journey Between Trust and Obligation

There is no question that there are significant opportunities available in the cloud business. Many organizations are looking at cloud computing to increase the effectiveness of IT initiatives, reduce in-house operations cost, increase operational flexibility and generate a competitive advantage. However, like most technology changes, cloud computing presents its share of risks and challenges.

As the risks are better understood, businesses rely less on trust and put information security obligations on their cloud providers. Where security had been one of the main obstacles for cloud adoption in the past, vendors now understand the security and privacy concerns of their global customers and have adopted a business model built on enhanced security features such as encryption, and identity and access management, to name two examples. The result: cloud services are heading to the next level of maturity.

A 2015 cloud survey conducted by ISACA Germany and PwC (in German) found about one-third of organizations expected to achieve a better security risk profile by adopting cloud computing.

Whether we are security practitioners at the first line of defense, risk management professionals at the second line or information systems auditors at the third line, the challenges that come with cloud remain the same: How do we achieve adequate assurance over our crown jewels in the cloud? There is no single answer, of course. In fact, we are all on a journey from trust to obligation!

Here are the five pillars of cloud security:

  • Organization
  • Technology
  • Security and data protection
  • Governance, compliance, legal and audit
  • Service management

Auditors, security or risk professionals will look at some of what these areas cover naturally. Other factors might be overlooked but are critical to successful cloud migrations and should be given special attention.

Organization
The organizational aspects of cloud computing start with the organization’s strategy for cloud adoption (e.g., what benefits does my organization expect from cloud computing?) and include human resource planning (e.g., What roles do I need to create to manage relationships with a cloud provider? Do I need to re-think my team size by shifting some of the workload to the cloud?).

This task typically comes with organizational change management activities and review of business processes (e.g., How do I need to adapt my organizational structure and business processes to maximize benefits from the cloud?).

Technology
Technology is obviously the backbone of cloud computing; it challenges us on numerous fronts and should be given due consideration with regard to interoperability and compatibility of new cloud technology with existing (legacy) systems.

Looked at holistically, the cloud requires us to re-think the application architecture and the supporting infrastructure capability, as well as to adopt a different application development and support model.

Security and Data Protection
In most cases cloud computing entails company data leaving the trusted perimeter of the organization. This brings multiple information security and data protection challenges into the game that we need to manage.

Namely, these are internal and external cybersecurity threats that require joint attention: the cloud service provider carries much of the burden, but the organization that moves data to the cloud has its own role to play. This is particularly true for encryption of sensitive data and prevention of data loss or leakage.

By nature, cloud resources are shared resources. In consequence, identity and access management becomes very critical and many questions should be asked, such as “How are my data segregated from other customers’ data?” or “Who has access to my data?” With cloud computing typically come considerations about the geolocation of data. This has a direct legal impact on data protection.

In addition, we should consider business continuity management as part of security to reduce the impact of a negative event on our business.

Governance, Compliance, Legal and Audit
Vendors need to be actively managed. This is particularly true for cloud service providers. It puts additional governance, risk and compliance factors onto the agenda. First of all, this includes the legal requirements of having the right contracts, service levels and data protection specifications implemented. This typically depends on the industry and jurisdiction of the consumer of cloud computing.

Secondly, the right structures need to be in place to enable efficient governance that is a shared responsibility between the service provider and the customer of the services.

From a risk perspective, it is important to cover terms for onward outsourcing by the provider to another third party, as well as the ability to audit the cloud service provider from end to end.

Service Management
Finally, we are talking about outsourcing of services. Therefore, an ongoing effort to actively manage contracts and service levels is key. A cloud service provider should be assessed based on its ability to integrate service management with the consumer to manage availability of the service, including seamless incident/problem management processes.

Successful service management also includes capacity management to handle the load of multiple customers on a shared environment.

Kraft will present IT Assurance in the Cloud – A Journey Between Trust and Obligation at EuroCACS in Dublin, 30 May to 1 June 2016.

Matthias Kraft, CISA, CISM, CGEIT, CRISC

[ISACA Now Blog]

VM-Series for AWS GovCloud: Securely Enabling “Cloud First” for Government Agencies

“Cloud first” is rapidly becoming a key initiative for organizations and agencies in both the public and private sector. As far back as 2010, cloud first was included as part of a comprehensive effort to increase the operational efficiency of federal technology assets, as outlined in the U.S. Chief Information Officer’s “25-Point Implementation Plan to Reform Federal IT Management.” Since the release of that 2010 initiative, numerous other national governments have followed suit, adopting a “cloud first” approach, including the U.K. and Australia.

In this case, the U.S. CIO’s Cloud First policy means that federal agencies must (1) implement cloud-based solutions whenever a secure, reliable and cost-effective cloud option exists; and (2) begin reevaluating and modifying their individual IT budget strategies to include cloud computing.

However, there are a range of challenges facing agencies as they make this shift. For example, some agency CIOs have stated that, in spite of the stated security advantages of cloud computing, they are, in fact, concerned about moving their data from their data centers – which they manage and control – to outsourced cloud services. Additional questions around where the data actually resides in the cloud – is it in the U.S. or elsewhere? – are sometimes difficult to answer. These, and other concerns, must be addressed in order to build an agency culture that trusts the cloud.

Deploying the VM-Series virtualized next-generation firewall in AWS GovCloud (US) can help address some of the concerns around the security and location of data for the U.S. federal market. AWS GovCloud (US) is an isolated AWS region designed to allow U.S. government agencies and customers to move sensitive workloads into the cloud by addressing their specific regulatory and compliance requirements. AWS GovCloud (US) differs from standard AWS regions in many ways, which Amazon has highlighted. With the availability of our VM-Series next-generation firewall for AWS GovCloud (US), agencies can now apply to their AWS deployments the same threat prevention and application policy controls used in their physical data centers.

Taking the Hybrid Approach

With full support for standards-based IPsec VPN connectivity, our VM-Series enables you to quickly create a hybrid architecture that extends your existing data center into AWS via an encrypted tunnel. This enables you to get started with small projects to learn and then expand. More complex projects can be protected using segmentation principles and whitelisting to maintain compliance and prevent cyberattacks from moving laterally from VPC-to-VPC and subnet-to-subnet.

A full suite of native management features automates the firewall deployment and policy updates, while Panorama (purchased separately) allows the VM-Series to be managed centrally alongside our firewall appliances to maintain security policy consistency. The VM-Series for AWS GovCloud (US) (login required) is available as Bring Your Own License (BYOL), which allows you to choose the VM-Series next-generation firewall license, the related subscriptions (Threat Prevention, which includes IPS, AV and malware prevention; WildFire; URL Filtering (PAN-DB); GlobalProtect) and the annual support programs that are appropriate for your needs.

Learn more about the VM-Series for AWS here.

[Palo Alto Networks Research Center]

Get Your Copy of “Network Security Management for Dummies”

Palo Alto Networks is happy to announce the availability of a new “Network Security Management for Dummies” book. It is the latest addition to a series of books that explain the ins and outs of network and cyber security – and it’s available to you for free.

Our new book focuses on the importance of deploying a network security management solution when managing multiple firewalls, multiple security vendors, or both.

In easy-to-read language the book explains market changes leading to the need for network security management, the requirements a good network security management product should meet, and profiles the security and operational benefits that can be derived from network security management.

On the highest level, today’s enterprise security deployments require a network security management solution that provides:

  • Centralized administration with automated and streamlined management and configuration processes.
  • Greater network visibility with comprehensive reporting across the entire network security environment.
  • Prioritization of critical threats to enable faster, more effective incident response.

Download your copy of Network Security Management for Dummies here.

[Palo Alto Networks Research Center]
