Security and the Cloud, concerns of larger organizations

Governance and security have always been major concerns for large organizations, and with the introduction of cloud computing, organizations have to change the way they look at these concerns.

The Cloud Security Alliance (CSA) identifies 12 domains related to ensuring security and mitigating security concerns when shifting to or utilizing the cloud. The focus of this posting is to look at these domains from the perspective of large organizations, such as banks.

  • Governance: large organizations have specialized departments that tackle governance; these departments will need to start looking at items such as:
    • Governing laws: if your cloud provider is in a different country and follows the laws and regulations of that country, how does this affect you?
    • As your data is stored in a cloud, who has the responsibility to protect this data, and what are the liabilities in case of a breach?
    • How do you assess the risk of a given cloud provider?
  • Compliance and Audit: how does cloud computing affect your audit? Can you even audit the compliance of a third party? How does the cloud affect your internal security policies?
  • Information Lifecycle Management: organizations will need to look at issues like disclosure, and also assign and segregate responsibility between the organization itself and the cloud service provider.
  • Portability: how do you move your data to the cloud, and if you decide to bring it back in-house, can you do that? What happens if the cloud service provider goes out of business; would it be easy to move the data to another cloud service provider?
  • Internal support management and incident reporting: how do you escalate problems reported by your clients to your service desk on to the cloud service provider? If you have an SLA defined between your IT services department and other departments, how do you ensure compliance with this SLA now that an external third party is involved?
  • Application Security: what changes do you need to make to ensure that your applications are secure in the cloud? What if these applications are provided by a third party; how do you ensure their compliance with cloud requirements?
  • Encryption: moving data to the cloud will require some form of encryption; that is the known part, but it also means you have introduced a whole new concept to the organization. Now you need to worry about things like where you store your keys, what procedures are needed to change (rotate) these keys, and who has access to these keys.
  • Identity and Access Management: this is a minefield by itself. How do you ensure that whoever is accessing data in the cloud is authorized, how do you integrate your identity management applications with the cloud provider, and how does this affect your procedures and policies?

The key trick is to think of the cloud as you think about any other supplier: look at it from a supply chain management perspective, where you now have external suppliers providing basic parts of your IT and IS services.

Also, larger organizations have invested heavily in developing internal policies, guidelines, regulations, and procedures; all of these need to be reviewed in light of the cloud.
