CIO

Creating a governance framework for cloud security

NetIQ principal consultant, Patrick Eijkenboom, talks about the importance of using a governance framework for a secure cloud environment

Cloud computing is revolutionising the way organisations across the world use technology. Despite the stigma cloud computing has gained following a series of high-profile data breaches, the cloud CAN be secure. Patrick Eijkenboom, principal consultant at NetIQ, discusses the importance of using a governance framework for a secure cloud computing environment, regardless of the model you adopt.

Cloud computing is undoubtedly a significant technology trend that is set to dramatically change business. A recent Frost and Sullivan report indicates that 43 per cent of Australian companies now use cloud computing in some form, while 41 per cent of IT decision-makers say cloud computing will be a top priority in the current fiscal year.

We have witnessed a recent spate of high-profile security attacks and data security breaches – from Amazon to Sony to Epsilon. As worrying as these incidents are, what is more worrying is that the cloud now has the stigma of being insecure.

Having borne the brunt of the most recent attacks, cloud computing seems to have become a scapegoat for failed security measures. On closer examination, however, it is clear that these data security breaches are the result of inadequate cloud security practices within these organisations.

Rest assured that the cloud can be very secure regardless of the cloud model adopted. Organisations that are using the cloud, or considering a move to cloud computing, simply need to treat the cloud as they would any of their assets. The creation of a secure cloud environment requires the implementation of a strong governance framework.

The adoption of cloud computing has created significant challenges due to the absence of a set of widely adopted cloud security standards and practices amongst the various cloud vendors, and the ever-changing threat environment. While the security challenges are not new, the cloud seems to simply intensify their magnitude.

An IT governance framework stretches across all aspects of IT, reaches every facet of an organisation and touches each employee. Creating a governance framework for cloud security is no different. It must allow the CIO and CSO to view, assess and manage all risks, security, and compliance for the cloud environment.

As we have learned from the recent data security breaches reported, in most cases the initial breach was actually recorded and the cause identified. Unfortunately, however, the events were simply collected to fulfil basic audit requirements and not used to alert or tie in with any SIEM (security information and event management) or compliance tool. A governance framework allows security, compliance, IT and the business to connect, thus paving the way for a secure cloud environment.

  1. Start with your people

    This may sound trite, but it is the first step for good reason: almost all security vendors claim that a large percentage of data breaches stem from internal users. For powerful cloud security, develop strong policies that do more than just tick a compliance box. Create awareness amongst all employees about what security means, how it can affect the organisation and what they can and must do.

  2. Audit compliance

    Use an audit tool that has the capability to show where the organisation is vulnerable across the board, rather than in disparate silos. In large organisations it is common for vertical business units to rarely communicate with one another. To overcome this, create a horizontal audit compliance framework that provides a view across all business units and combines the respective information streams.

  3. Identity and access management (IAM)

    IT departments need to either extend existing identity management initiatives to include the cloud or establish a process to collectively manage identities across all systems to best protect corporate data and systems.

    As part of a governance framework, put a solution in place that looks beyond just the operating system to incorporate all platforms, applications and databases, and then places an access governance tool over the top.

    Insider threats can be overcome by a strict Identity and Access Management solution or even an Identity as a Service (IDaaS) solution that will allow IT managers to track privileged access to sensitive data and also allow them to assign or revoke these privileges. Support the identity management solution with security data logging and auditing that allows management to know who does what, where and when, and ensures that any changes are logged and audited sufficiently.

  4. Security information and event management (SIEM)

    Some organisations may consider increasing security controls when moving to the cloud. A solution is required that is not only a log management tool, but one which combines security incident and security event management to ensure a complete view of the organisation’s security posture. The ideal cloud security solution should integrate the organisation’s identity and access management solution.

    Lately we see security being offered as a service (SecaaS). This could be a solution for newcomers to the cloud or organisations that cannot build such security measures themselves either due to lack of funding or internal resources. A SecaaS offering is designed to create a secure environment that complies with many different standards for organisations across a broad range of verticals. As a result, a SecaaS solution is already more secure from the outset.

  5. Look for guidance but ensure your own security

    While the UK and New Zealand’s cloud vendors have agreed to a cloud code of practice, this is little more than a general commitment to certain business etiquette and will certainly offer no protection to users.

    The Cloud Security Alliance (CSA) provides good security guidance for cloud computing. As a matter of fact, CSA is about to release its third version of the Security Guidance for Critical Areas of Focus in Cloud Computing. This version looks not only at security and compliance, but also the entire framework of computing and networking in the cloud.

    The European Union (EU) plans to draft a new data protection law in November — The Binding Safe Processor Rules — designed to ensure cloud providers are offering a safe service. The draft will effectively request cloud service providers working in the EU to agree to become legally liable should any data offences occur at their data centres.

    It is vital to remember that this is still a pre-standards era in cloud computing. Organisations that want a secure cloud environment must develop their own watertight governance framework.

  6. Use a governance framework solution

    There’s no need to build a framework from scratch. Use a Business Service Management (BSM) solution or a dashboard that has drill-down functionality to all IT governance, risk and compliance (GRC) and security elements. If you already have a BSM solution in place, it’s a good idea to extend this to also include security and compliance.
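Tying the access-governance step (section 3) to the SIEM step (section 4), here is an added Python example, not code from the article or from NetIQ, that correlates an IAM grant/revoke trail with platform access events and raises an alert where a log entry would otherwise just sit in the audit archive. The log formats, users, resources and addresses are constructed for illustration.

```python
from datetime import datetime

# Constructed IAM audit trail (not real data): who granted or revoked which
# privilege, and when.  Format: <iso-time> <GRANT|REVOKE> <user> <resource>
IAM_LOG = [
    "2011-09-01T08:00:00 GRANT alice db:customer_records",
    "2011-09-03T17:30:00 REVOKE alice db:customer_records",
]

# Constructed platform access log, the "who does what, where and when".
# Format: <iso-time> <user> <operation> <resource> <source-ip>
ACCESS_LOG = [
    "2011-09-02T10:15:00 alice READ db:customer_records 10.0.1.5",
    "2011-09-04T02:10:00 alice READ db:customer_records 10.0.1.5",
    "2011-09-04T02:12:00 carol READ db:customer_records 10.0.1.9",
]

def parse_iam(lines):
    """Build {(user, resource): [(time, action), ...]} ordered by time."""
    history = {}
    for line in lines:
        ts, action, user, resource = line.split()
        history.setdefault((user, resource), []).append(
            (datetime.fromisoformat(ts), action))
    for events in history.values():
        events.sort()
    return history

def entitled_at(events, when):
    """True if the latest GRANT/REVOKE at or before `when` was a GRANT."""
    state = False
    for ts, action in events:
        if ts > when:
            break
        state = (action == "GRANT")
    return state

def correlate(iam_lines, access_lines):
    """Return (time, user, resource, reason) for each unauthorised access."""
    history = parse_iam(iam_lines)
    alerts = []
    for line in access_lines:
        ts, user, _op, resource, source = line.split()
        when = datetime.fromisoformat(ts)
        events = history.get((user, resource), [])
        if not entitled_at(events, when):
            reason = "privilege revoked" if events else "never granted"
            alerts.append((when, user, resource, f"{reason}, from {source}"))
    return alerts
```

Run on the constructed logs, `correlate` flags alice's read after her privilege was revoked and carol's read with no grant on record, while alice's read during the grant window raises nothing.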

Organisations must develop strict governance frameworks to ensure cloud infrastructure and operations are as secure as — if not more secure than — traditional on-premise approaches, in order to protect corporate data and critical systems.

Every other week we hear of a high profile organisation scandalised by data loss or theft. Data breaches will continue to be highly visible and will quickly become public knowledge. From lost revenue, increased expenses and fines to damaged customer relationships and corporate brand reputation, the costs are significant and far reaching. The cloud is your investment, your IP, your resource. Make it secure like you would do with the rest of your organisation.

Patrick Eijkenboom is the principal consultant with NetIQ Australia. NetIQ, part of The Attachmate Group, provides security and compliance management solutions. As a corporate member of the Cloud Security Alliance (CSA), NetIQ is committed to participating in the development and implementation of best practice recommendations for addressing security, audit and compliance needs specific to cloud computing.