Roman Sakhno - Fotolia
Companies want to use cloud-based services and applications; thus, security teams need to assess the risk and come up with controls that work in cloud environments. Sounds simple, right? Securing cloud assets presents numerous challenges, however -- from controls that don't translate well to lack of transparency from cloud providers. And one of the most pressing concerns sits squarely with the CISO: pushing for more ownership of cloud risks within the business.
CISOs juggle a lot of security responsibilities, including overseeing technical project teams and communicating cloud risks and possible resolutions to other executives and board members. Unfortunately, it's a common misperception that the information security organization "owns" the risks of IT projects, whether on premises or in the cloud. For CISOs trying to be flexible and amenable to rapidly changing and competitive business requirements, it's all too easy to gloss over this issue when discussing cloud providers, security controls and deployment scenarios with other stakeholders.
The time has come for security officers to steer the conversation toward risk assessment and review so that business owners actually understand the cloud risks presented and sign off on them -- not the information security organization.
Mature risk assessment
In many organizations -- at least, the ones I work with -- security teams are still struggling to develop and implement mature risk assessment and review processes for cloud projects. The reasons are many -- not enough resources on the security team, apathy from management, slow adoption of changes, pushback from DevOps teams and more. Buy-in from vendor management and procurement teams, with involvement from legal teams, is also critical in properly evaluating risk in contracts. Security officers should balance the input and involvement from all of these teams to provide objective recommendations regarding cloud risks. It's important to ensure business leaders understand the following:
- Moving assets to the cloud does not in any way absolve the organization of responsibilities in protecting systems, applications and data.
- Cloud providers are not wholly transparent in disclosure of security controls and internal security practices and processes. Any discussion of risk, as well as acceptance of risk, must come with the caveat that all stakeholders will likely be making decisions with limited information.
- Compliance requirements will need to be carefully reviewed prior to any cloud deployment, and this will require extra resources and time. In addition, for data governed by compliance and regulatory statutes, any cloud provider selected will have to meet all necessary requirements.
- Legal and vendor management teams will need to review any contract language carefully, requiring additional resources and time. Any new cloud service provider will have to be thoroughly scrutinized before business units sign up for applications and services.
- There is a high likelihood that not all in-house security controls and processes will work in the cloud environment, which may jeopardize compliance status or increase cloud risks significantly.
- Additional products and services may be necessary to help create parity with the organization's current in-house security status. Reviewing options will take time and resources, and it's highly likely that additional costs will be incurred to ensure coverage in the cloud. This cost will also need to be accommodated within any financial and pricing projections cloud teams propose.
Cloud security policy
In any organization, the board and CEO will ultimately own any risks new IT projects bring and will be held responsible for any breaches or compromise scenarios that arise from decisions. However, security officers should ensure that the business leaders realize that they do, in fact, own these risks; all too often, the perception is that the data custodians -- usually IT teams -- are responsible for cloud risks incurred during new projects. An excellent starting point to remedying this misconception is to develop a comprehensive cloud security policy that includes the following:
- A clearly stated executive sponsor: Without an executive sponsor or group, it's unlikely that a cloud policy will have enough support to be enforced throughout the organization. The cloud security policy should also include some statement as to who will "sign off" for cloud projects. Is this the CIO?
- Data types and classifications that are allowed in the cloud and those that aren't -- or what controls or additional measures are needed first.
- Compliance mandates that need to be addressed -- if any.
CISOs should ensure that use of cloud computing services complies with all current laws; IT security best practices, standards and requirements; and risk management policies. The same goes for all privacy laws and regulations. It's important to make sure that an executive or team explicitly signs off on all use of cloud computing and that they are properly informed with documented cloud risk assessment results. Until this process is accepted within the organization, true risk ownership won't reside where it should on cloud projects -- with the senior executives and data owners.
About the author:
Dave Shackleford is the owner and principal consultant of Voodoo Security LLC; lead faculty at IANS; and a SANS analyst, senior instructor and course author. He previously worked as CSO at Configuresoft; CTO at the Center for Internet Security; and as a security architect, analyst and manager for several Fortune 500 companies. He currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.
Implement a standards-based framework for cloud assessments
Tips to improve PaaS and lower security risks
How to manage security risks of shadow clouds