The very thing that end users love about the cloud -- its fast, flexible approach to adding, removing and modifying services -- is exactly what makes so many information security professionals wince. Without the proper controls and operational oversight, enterprises and cloud providers alike open themselves up to otherwise preventable cloud computing security risks. This makes it all the more important to have a framework for ensuring that any changes made to a cloud environment are authorized, auditable and in line with business requirements.
In this video, entitled "Ensure Compliance with Regulations and Controls," expert Adam Gordon, author of The Official (ISC)2 Guide to the CCSP CBK, Second Edition, reviews many of the important questions that infosec pros need to be asking before, during and after deployment in order to mitigate cloud computing security risks.
The cloud requires a structured, reliable approach to IT service management, and Gordon underscores the importance of having a consistent framework for managing configurations, permissions, incidents, deployment, service level and availability. For this reason, ITIL frameworks are a cloud security professional's best friend, Gordon says.
But no matter how carefully planned and organized an enterprise IT organization is in its approach, Gordon cautions that cloud computing security risks aren't completely avoidable, simply due to the fact that cloud providers control the environment. This makes it especially important for providers, customers and other stakeholders to communicate early and often.
"We will go through and hopefully get references, understand how to vet them and check on those references. We'll do our best, hopefully, as a customer, in other words, to exercise due care and due diligence," he says. "The challenge becomes, however, that at the end of the day, while we simply try to do our best, there may be unknowns that we can't qualify in the relationship."
The following is a full transcript of Adam Gordon's video. CCSP® is a registered mark of (ISC)².
Transcript - Curb cloud computing security risks with ITIL frameworks
Hello. Welcome to the "Ensure Compliance with Regulations and Controls" conversation within the operations domain, discussing cloud, cloud-related services, and cloud security.
When we think about needing to build the logical and the physical infrastructure, manage it, understand how to operate it, we've talked a lot about the different areas that are of concern to us as cloud security professionals. We've talked about the need for virtualization technology. We've talked about the need for security. We've talked about the need for awareness of cloud computing security risks, risk management. We've talked about the need for understanding how to deploy and provision different service levels, different service models, different ways of looking at it from the provider as well as the customer perspective; the nature of cloud, what cloud means, how to consume it, how to interact with it.
Building a framework
What we're going to turn our attention to now is the way in which we actually can interact with cloud both from the security perspective, what we're going to do, how we're going to do it, how we're going to bring controls into the discussion, how we're going to implement them, how we're going to make sure we have the ability to track them and create auditability over time. But we're also going to look at it from the customer perspective and the provider perspective broadly, and talk about the overarching framework, the thought process that can drive the awareness, but also the understanding, implementation, and coordination of activities that are related to really being able to understand how to manage change, manage and identify cloud computing security risks, and understand how to create the opportunity to have the discussion on the business, but also have the discussion around the needs of the customer to ensure that all the activities we engage in and all the services we provide, and all the issues that we need to address within the cloud, around the cloud, and for the cloud-related services are brought to the table, so to speak, in a productive and constructive way.
We really need to understand how to frame the conversation, in other words, around cloud, cloud services, and cloud consumption from the perspective of an overarching framework that helps us to understand how to have a discussion, making sure we are identifying the need for change, the drivers, the business requirements that are driving change. In other words, what is it that we're doing that will either affect, modify, add, or remove some sort of cloud-related service, understand then how to have that conversation in a way that allows us to identify the importance of the change, focus on the need, make sure we agree, we being the stakeholders, the customers, the providers, that the change or the need, or whatever it is we're talking about is going to be something that would be beneficial or whether it will lead to more cloud computing security risks.
If it is, come up with a process to, in effect, agree on what that change will look like. We're going to add this service. We're going to modify this offering. We're going to change or modify, remove, add, or somehow adjust the way in which we do something, whatever that something may be. And then, once we have agreement on that, we're then going to go ahead and walk through a fairly specific process and order of steps, and in the overall flow with how to manage that change that allows us to identify it, authorize it, figure out exactly what we're going to do, give permission to the appropriate parties to do whatever it is that needs to be done in order to implement a change, track the change, schedule it, tee it up, so to speak, so that we know that we're ready to go ahead and execute on it. We've done the due diligence about potential cloud computing security risks. We've exercised the due care. We've done the testing. We've figured out that the change will have hopefully a zero impact, or if any kind of impact at all, we've documented what that will be. We're prepared for and aware of those changes.
We then go ahead and actually put that change or that group of changes, whatever that release or release package may be, into play. We actually go ahead and implement them, in other words, but we do so in a time-bounded schedule, that controlled fashion. We don't, in other words, just simply go out, press a button, pull a lever, and implement some sort of new, modified, added, or removed change of some kind without planning, without forethought, without foresight, and most importantly, without awareness of the potential impact, and therefore, the strategies for mitigating cloud computing security risks and controls that need to be in place in order to drive that change through the system.
Incorporating IT service management
So, we're going to talk from a holistic standpoint about the processes involved in engaging in these activities as we look at compliance with regulations and controls. Specifically, we'll take a look at IT service management. We'll talk about the value and the importance of what the overarching thought process around IT services is, how to identify the IT service, what it means to the business, and then frame that within the conversation of configuration, change, incident, problem, release and deployment, service level, and availability management, stepping through every one of those areas.
We will be framing this conversation for those of you that may look at this list, hear it, and see me and hear me talking about it, and have awareness of it, if the proverbial light bulb is dawning and coming on for you. This is an ITIL-centric framework conversation. We will be talking about ITIL or using ITIL as the framework and the backdrop for this discussion, and using the various areas and stages of the ITIL framework to help us really draft the conversation, frame it, and understand how to drive through it with regards to a very specific ordered set of processes, procedures, thought processes that allow us as cloud security professionals, as cloud providers, ultimately as cloud customers, to have an expectation of how something will be done, but to have an ordered expectation and a reliable expectation, a consistent expectation of what it means to be able to engage a cloud service, modify that over time for need as the appropriate changes may have to be brought in to keep relevancy associated with the service. And then, over time, ultimately, drive through managing the implementation of that change. But more importantly and more broadly, drive through the management of that service throughout the lifecycle of the opportunity to provide it to the customer, and what that management over that lifecycle means.
We'll continue that conversation by exploring capacity, continuity, information security, and continual service improvement or CSI management. All of these areas as well become very important to the conversation we're framing and having about minimizing cloud computing security risks. We're going to go through and examine each one in relation to not just the isolated events that are going to be part of the things that they have to manage. So, what impacts capacity management? What does it impact? We'll have that conversation.
But looking at how these things interlock with each other within the crucible or within the frame of ITIL and using that as the logical background for us then to understand better and more accurate service management, and better and more accurate provisioning of services to our customers is going to be the ultimate goal of this particular conversation.
So, as we begin the discussion, as we begin thinking about what it is that we have to understand how to do, when we think about regulatory compliance, when we think about the ways in which we have to manage, we have to understand that, obviously, contracting for cloud services becomes a focal point for this conversation.
We as cloud security customers, cloud security providers, cloud security professionals, when we think about the need for cloud security, we may internally, as a private cloud provider, the IT organization within the company, providing cloud services to the company, may be that point of contact, may be that focal point for cloud services. But we may have an outsourced relationship, as we've discussed in some of our prior conversations, where, as the cloud provider, we are contracted or contacted by the business and brought in in a contractual relationship to provide cloud services.
So, there may be that outsourced relationship and dynamic where the business has said, "Hey, Mr. and Mrs. Cloud Provider, you have the scale, the understanding, the technology, the skills, any or all of those things, and you have the service offering we need. We want to do business with you. We want to consume that service. We want to do so on a contractual basis." This introduces an element of risk into the conversation around cloud. Because although we will do our best to vet that relationship, we'll create an RFP, we'll have the vendor go through the process of applying and answering follow-up questions. We will go through and hopefully get references, understand how to vet them and check on those references. We'll do our best, hopefully, as a customer, in other words, to exercise due care and due diligence. The challenge becomes, however, that, you know, at the end of the day, while we simply try to do our best, there may be unknowns that we can't qualify in the relationship.
So, we're always introducing an element of risk and we have to understand how to manage cloud computing security risks. But if we do so effectively, as we indicate in the first bullet point here, effective contracting for cloud services can reduce that risk by using the process that I was just discussing with you, using an RFP, using a set of requirements and questions and a Q and A period around the RFP as follow-up to further narrow the focus and further vet the vendor or vendors that may be responding that feel they can offer that service.
Navigating vendor relationships
Asking for references, following up and checking those references, understanding the nature of the service that the cloud provider is offering, consuming smartly and consuming securely by having knowledge to really make us an informed consumer of cloud services reduces that risk. It reduces the risk of contracting and trusting the vendor. It reduces the risk of vendor lock-in as we call out here, improves potential portability of our solution and our data, and overall, it's going to make for a better solution.
So, we have to be thinking about that as we start our conversation. Because just going out and finding the lowest cost cloud provider regardless of the nature of the relationship, regardless of the nature of the need, regardless of the regulatory and statutory compliance requirements we may have as a customer, the cloud provider may or may not be able to meet as a provider. These things become important and this is where cloud computing security risks are introduced into the system that if not effectively dealt with, identified, and therefore mitigated through the application of controls and just sheer common sense, can get in the way of us having a successful solution.
So, establishing explicit comprehensive SLAs, really the ability to negotiate and manage the relationship by documenting the success points, measurable success points that are metricized, metrics associated with them in the SLA: what is our availability quotient? We're measuring that in terms of three, four or five nines, let's say, and the vendor has to approve, and therefore, agree to provide the service at that level. If they violate that availability requirement, so the system is supposed to be up four nines, which means we're supposed to approximately have about six to seven, maybe eight or nine minutes of downtime that we can entertain within that certain period of time. If they miss that mark, then we have to go ahead and we have to think about the fact that there may be financial penalties.
So, having those comprehensive SLAs, focusing on the continuity of operations, remember the cloud is a continuously operating environment. We have to understand that, to take that to heart. We have to scale our structure and our system accordingly. We have to have frameworks in place that reinforce the idea of continuous operation, continuous monitoring, and continuous improvement. And this is where ITIL can come in, and be a very, very helpful thought process. And, of course, as a result of that, focusing on service quality, which is key not just for the organization but for the entire relationship. The provider, the customer, and of course, the security aspects of that relationship all have to be focused on improvement overall and service quality as a result of that, which will engender, and therefore, drive forward the idea of the ability to improve over time.
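The transcript describes an SLA availability target expressed in "nines" and the downtime budget that follows from it. As an added example (not part of the video or any (ISC)2 material), the following Python turns that into a check a customer can run at the end of a reporting window: it derives the permitted downtime from the contracted percentage and the length of the window, merges overlapping outage records so one incident logged twice is not double-counted, clips outages that straddle the window edge, and reports whether the budget was exceeded. The window dates and outage times are constructed for illustration; the minute figures depend entirely on the measurement period you assume (a 30-day month versus a 365-day year), which is why the SLA itself should state the period.

```python
# Added example: checking an availability SLA against an outage record.
# Not from the video or (ISC)2 material; the window, outage timestamps and
# targets below are constructed for illustration.
from datetime import datetime

MINUTES_PER_YEAR = 365 * 24 * 60   # 525600 (assumes a non-leap year)
MINUTES_PER_MONTH = 30 * 24 * 60   # 43200 (assumes a 30-day month)


def downtime_budget_minutes(availability_pct: float, period_minutes: float) -> float:
    """Minutes of downtime permitted by an availability target over a period.
    Four nines (99.99%) allows 4.32 minutes per 30-day month, 52.56 per year."""
    return period_minutes * (100.0 - availability_pct) / 100.0


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def merged_downtime_minutes(outages, window_start: str, window_end: str) -> float:
    """Total outage minutes inside the window.
    Records that straddle the window edge are clipped to it, and overlapping
    records (e.g. two tickets for the same incident) are merged first."""
    ws, we = _parse(window_start), _parse(window_end)
    clipped = []
    for start, end in outages:
        s, e = max(_parse(start), ws), min(_parse(end), we)
        if s < e:                      # drop records entirely outside the window
            clipped.append((s, e))
    clipped.sort()
    merged = []
    for s, e in clipped:
        if merged and s <= merged[-1][1]:          # overlaps the previous interval
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return sum((e - s).total_seconds() for s, e in merged) / 60.0


def evaluate_sla(outages, window_start: str, window_end: str, availability_pct: float) -> dict:
    """Compare measured downtime to the contracted budget for one window."""
    ws, we = _parse(window_start), _parse(window_end)
    period_minutes = (we - ws).total_seconds() / 60.0
    budget = downtime_budget_minutes(availability_pct, period_minutes)
    used = merged_downtime_minutes(outages, window_start, window_end)
    achieved = 100.0 * (period_minutes - used) / period_minutes
    return {
        "period_minutes": period_minutes,
        "budget_minutes": budget,
        "downtime_minutes": used,
        "achieved_pct": achieved,
        "breached": used > budget,     # a breach is what triggers the penalty clause
    }


# Constructed outage record for one 30-day reporting window (June 2024).
OUTAGES = [
    ("2024-05-31T23:50:00", "2024-06-01T00:02:00"),  # straddles window start: only 2 min count
    ("2024-06-03T02:00:00", "2024-06-03T02:03:00"),  # 3 min
    ("2024-06-17T14:30:00", "2024-06-17T14:32:00"),  # two overlapping tickets for
    ("2024-06-17T14:31:00", "2024-06-17T14:35:00"),  #   a single 5-minute incident
]
WINDOW = ("2024-06-01T00:00:00", "2024-07-01T00:00:00")

if __name__ == "__main__":
    for target in (99.9, 99.99, 99.999):
        r = evaluate_sla(OUTAGES, *WINDOW, target)
        print(f"{target}%: budget {r['budget_minutes']:.2f} min, "
              f"used {r['downtime_minutes']:.1f} min, "
              f"achieved {r['achieved_pct']:.4f}%, breached={r['breached']}")
```

With the constructed record, 10 minutes of downtime fit comfortably inside a three-nines budget but breach four nines; the same ten minutes also show why the merge and clip steps matter, since naive summation of the raw tickets would report 21 minutes and overstate the provider's shortfall.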