Four steps for minimising cloud deployment risks
Companies are no longer tolerant of security-and-compliance teams telling them they cannot go to the cloud: instead risk teams must learn how to adapt to the cloud environment. This is the view of John Overbaugh, managing director of Security Services at Caliber Security Partners.
Writing for http://www.isaca.org, Mr. Overbaugh suggests four steps:
1. Adopting and adapting application-security-assessment tools. Questionnaires for cloud services need to go beyond the standard set of questions and dig into important questions like framework compliance, monitoring/reporting, and even secure-development practices. By devising (or revising) questionnaires that help uncover where risk will be transferred successfully, where the client will need to mitigate risk, and where risk will be accepted, teams enable their companies to benefit from cloud efficiencies while retaining relevance in the conversation.
2. Recognizing that going to the cloud has benefits. Yes, it involves some transfer of risk: physical access control and disaster recovery, for instance, and other data centre controls traditionally owned by the company are transferred to the cloud provider. But these risk transfers should not be made blindly. Cloud customers should have their providers document how they manage these risks and attest to, or provide appropriate proof of, compliance. In the end, the transfer of these risks can often be financially advantageous.
3. Redefining the controls required for risk mitigation. In IaaS and PaaS environments, controls such as encryption at rest are absolutely required for sensitive data. (In many organizations, data at rest has been ‘overlooked’ because data centres provide compensating controls that prevent physical access to sensitive data.) Strict controls on administrative access to systems and resources need to be implemented and validated regularly to ensure that cloud providers are not able to gain unauthorized access. In SaaS environments, strong monitoring and reporting tools must be made available to the client for the very same reason.
4. Educating IT and business leaders on risks being accepted. Risk managers are, by nature, extremely risk averse and the idea of accepting risk is a scary one. But businesses accept risk all the time (often unknowingly). By identifying risk and alerting leaders, risk managers can help the business put risk into business contexts so leaders can make informed decisions.
Date: 12th February 2014 • Region: World • Type: Article • Topic: Cloud computing