There is no question that there are significant opportunities available in the cloud business. Many organizations are looking at cloud computing to increase the effectiveness of IT initiatives, reduce in-house operations cost, increase operational flexibility and generate a competitive advantage. However, like most technology changes, cloud computing presents its share of risks and challenges.
As the risks are better understood, businesses rely less on trust and put information security obligations on their cloud providers. Where security had been one of the main obstacles for cloud adoption in the past, vendors now understand the security and privacy concerns of their global customers and have adopted a business model built on enhanced security features such as encryption, and identity and access management, to name two examples. The result: cloud services are heading to the next level of maturity.
A 2015 cloud survey conducted by ISACA Germany and PwC (in German) found about one-third of organizations expected to achieve a better security risk profile by adopting cloud computing.
Whether we are security practitioners at the first line of defense, risk management professionals at the second line or information systems auditors at the third line, the challenges that come with cloud remain the same: How do we achieve adequate assurance over our crown jewels in the cloud? There is no single answer, of course. In fact, we are all on a journey from trust to obligation!
Here are the five pillars of cloud security:
- Organization
- Technology
- Security and data protection
- Governance, compliance, legal and audit
- Service management
Auditors and security or risk professionals will naturally look at some of what these areas cover. Other factors might be overlooked but are critical to successful cloud migrations and should be given special attention.
Organization
The organizational aspects of cloud computing start with the organization’s strategy for cloud adoption (e.g., What benefits does my organization expect from cloud computing?) and include human resource planning (e.g., What roles do I need to create to manage relationships with a cloud provider? Do I need to re-think my team size by shifting some of the workload to the cloud?).
This task typically comes with organizational change management activities and review of business processes (e.g., How do I need to adapt my organizational structure and business processes to maximize benefits from the cloud?).
Technology
Technology is obviously the backbone of cloud computing. It challenges us on numerous aspects, and due consideration should be given to the interoperability and compatibility of new cloud technology with existing (legacy) systems.
Looking at the cloud holistically, it requires us to re-think the application architecture, the supporting infrastructure capability, as well as a different application development and support model.
Security and Data Protection
In most cases cloud computing entails company data leaving the trusted perimeter of the organization. This brings multiple information security and data protection challenges into the game that we need to manage.
Namely, these are internal and external cybersecurity threats that require joint attention: the cloud service provider carries part of the responsibility, but the organization that moves its data to the cloud has its own role to play. This is particularly true for the encryption of sensitive data and for preventing data loss or leakage.
By nature, cloud resources are shared resources. In consequence, identity and access management becomes very critical and many questions should be asked, such as “How are my data segregated from other customers’ data?” or “Who has access to my data?” With cloud computing typically come considerations about the geolocation of data, which has a direct legal impact on data protection.
In addition, we should consider business continuity management as part of security to reduce the impact of a negative event on our business.
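The questions raised in this section (encryption of sensitive data, who has access, how tenants are segregated, where data is located) can be turned into a repeatable assurance check rather than a one-off questionnaire. The following is an added example, not code from the ISACA post or from any cloud provider: a small policy-as-code check that a first- or third-line team could run over an exported inventory of cloud storage resources. The inventory fields, the EU-only residency rule, the customer-managed-key requirement and the principal limit are all assumptions chosen for illustration, and the inventory itself is constructed sample data.

```python
"""Policy-as-code assurance check over a cloud storage inventory.

Added example; the StorageResource schema, the POLICY thresholds and
SAMPLE_INVENTORY are assumptions constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# A finding is (category, human-readable message).
Finding = Tuple[str, str]


@dataclass
class StorageResource:
    """One storage container (bucket, share, blob container) as exported from a provider."""
    name: str
    region: str                    # provider region the data physically resides in
    encrypted_at_rest: bool        # any server-side encryption enabled
    customer_managed_key: bool     # key controlled by the customer, not the provider
    public_access: bool            # reachable without authentication
    read_principals: List[str] = field(default_factory=list)  # identities granted read
    tenant_isolated: bool = True   # dedicated container per tenant rather than shared


# Assumed policy: EU-only data residency, customer-controlled keys, small read population.
POLICY = {
    "allowed_regions": {"eu-central-1", "eu-west-1"},
    "require_customer_managed_key": True,
    "max_read_principals": 5,
}


def evaluate(resource: StorageResource, policy=POLICY) -> List[Finding]:
    """Return the policy violations for a single resource (empty list = compliant)."""
    findings: List[Finding] = []

    # Geolocation: data outside the permitted jurisdictions has legal impact.
    if resource.region not in policy["allowed_regions"]:
        findings.append(("GEOLOCATION",
                         f"{resource.name}: stored in {resource.region}, outside allowed regions"))

    # Encryption: require encryption at rest, and a customer-managed key if the policy says so.
    if not resource.encrypted_at_rest:
        findings.append(("ENCRYPTION", f"{resource.name}: not encrypted at rest"))
    elif policy["require_customer_managed_key"] and not resource.customer_managed_key:
        findings.append(("ENCRYPTION", f"{resource.name}: encrypted with a provider-managed key only"))

    # Access: public exposure or a wildcard grant, or simply too many readers ("who has access?").
    if resource.public_access or "*" in resource.read_principals:
        findings.append(("ACCESS", f"{resource.name}: publicly readable"))
    elif len(resource.read_principals) > policy["max_read_principals"]:
        findings.append(("ACCESS",
                         f"{resource.name}: {len(resource.read_principals)} read principals exceed limit"))

    # Segregation: shared containers blur the answer to "how are my data segregated?".
    if not resource.tenant_isolated:
        findings.append(("SEGREGATION", f"{resource.name}: shared container, no per-tenant isolation"))

    return findings


def evaluate_inventory(inventory: List[StorageResource], policy=POLICY) -> Dict[str, List[Finding]]:
    """Evaluate every resource; keyed by resource name for reporting."""
    return {r.name: evaluate(r, policy) for r in inventory}


def summarize(results: Dict[str, List[Finding]]) -> Dict[str, int]:
    """Count findings per category across the whole inventory."""
    counts: Dict[str, int] = {}
    for findings in results.values():
        for category, _ in findings:
            counts[category] = counts.get(category, 0) + 1
    return counts


# Constructed sample inventory (not real resources).
SAMPLE_INVENTORY = [
    StorageResource("customer-records", "eu-central-1", True, True, False,
                    ["app-role", "dba-role"], True),
    StorageResource("analytics-export", "us-east-1", True, False, False,
                    ["bi-role", "data-eng-role", "auditor-role"], True),
    StorageResource("marketing-assets", "eu-west-1", False, False, True,
                    ["*"], False),
]

if __name__ == "__main__":
    results = evaluate_inventory(SAMPLE_INVENTORY)
    for name, findings in results.items():
        print(f"{name}: {'compliant' if not findings else ''}")
        for category, message in findings:
            print(f"  [{category}] {message}")
    print("summary:", summarize(results))
```

The value of a check like this is that the same questions are asked of every resource, every time the inventory is exported, and the output is evidence an auditor can retain; the policy dictionary is where the legal and contractual requirements of the consumer's jurisdiction are encoded, so it should be reviewed together with the contracts discussed in the next section.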
Governance, Compliance, Legal and Audit
Vendors need to be actively managed. This is particularly true for cloud service providers. It puts additional governance, risk and compliance factors onto the agenda. First of all, this includes the legal requirements of having the right contracts, service levels and data protection specifications implemented. This typically depends on the industry and jurisdiction of the consumer of cloud computing.
Secondly, the right structures need to be in place to enable efficient governance that is a shared responsibility between the service provider and the customer of the services.
From a risk perspective, it is important to cover contractual terms for cascaded outsourcing (the provider subcontracting to a further third party) as well as the right to audit the cloud service provider end to end.
Service Management
Finally, we are talking about outsourcing of services. Therefore, an ongoing effort to actively manage contracts and service levels is key. A cloud service provider should be assessed on its ability to integrate service management with the consumer in order to manage availability of the service, including seamless incident and problem management processes.
Successful service management also includes capacity management to handle the load of multiple customers on a shared environment.
Kraft will present IT Assurance in the Cloud – A Journey Between Trust and Obligation at EuroCACS in Dublin, 30 May to 1 June 2016.
Matthias Kraft, CISA, CISM, CGEIT, CRISC
[ISACA Now Blog]