Top 5 Cloud security questions for CIOs

NetIQ consultant, Patrick Eijkenboom, advises CIOs to ask five security questions before moving to the Cloud

Cloud computing is one of the most significant technological trends we have witnessed and has the potential to change the very way we work. It is, however, important for CIOs to understand that we are currently in a pre-standard era of cloud computing and as such each organisation needs to be mindful of the myriad of security issues surrounding the cloud. Patrick Eijkenboom, principal consultant at NetIQ, suggests taking a measured approach and asking five security questions before jumping into the cloud.

The cloud is going to disrupt everything in every industry. Organisations are going to remake themselves along the lines of cloud computing. Governments and media across the globe are supporting initiatives where organisations are encouraged to look to the cloud first for any new IT environments or updates.

The adoption of cloud computing has created significant challenges due to the variable security standards and practices in place for different cloud vendors and the changing threat environment. While these challenges may not be new in terms of security, the cloud quite simply amplifies these issues.

The best advice for CIOs is not to get caught up in the hype and rush to put everything into the cloud. Not all applications are necessarily appropriate for moving to the cloud, especially when it comes to security. CIOs should carefully consider the following five security questions.

1. How big is your organisation? We don’t need to be told that the size of an organisation has large implications for the security issues that matter. For smaller businesses, the cloud can often be a more secure way to operate, because moving all systems into the cloud brings them under a common management framework. Medium to large enterprises have leaned toward private cloud adoption, with public cloud used for a justifiable percentage of systems rather than for all key systems.

2. What cloud environment are you looking to adopt? CIOs need to define the cloud environment, looking at the fundamental choices between public cloud, private cloud and hybrid cloud models, and taking into consideration that there is no ‘one size fits all’ approach. Private clouds often enable greater protection of an organisation’s IP and allow SLAs to be protected and maintained, while public clouds give access to the range of public cloud services. Most organisations are finding that a hybrid cloud model enables greater capabilities, but it is important to ensure that security controls apply to both sides of the hybrid cloud.

3. What are the security regulations and requirements you must work within? And what are the gaps between those requirements and the controls available on the cloud? Define the regulations your organisation needs to work within. Take note of the sensitivity of company data and customer data. Look at your regulatory environment closely and ensure that cloud providers can support those international regulatory and standards requirements. Ensure encryption requirements can be applied to all cloud environments, and ensure you can manage access in the public cloud.

4. What are the risks and threats of your cloud strategy? Taking a risk-based approach is critically important – CIOs need to look at the sensitivity level of information and applications, and make sure decisions are made based on provider controls and specific virtualisation controls offered. Consider:

  • Trust related to transparency of cloud providers – highly important in public clouds where visibility is low, as well as private clouds where you need to be aware of controls. Draw boundaries of who is responsible for what services.
  • Data concerns – ensure you know that your data is being protected, fully deleted, properly backed up and existing in the correct geography for regulatory requirements.
  • Governance model – ensure that your governance model covers not just policies but also user access management and incident response, and that there is a good flow of information between the cloud provider and your organisation.
  • Asset management system – look at a system that can track resources, data and access. Ensure data classification runs with the application.
  • Security data logging and auditing – in order to limit damage, make sure you have the ability to know who does what and when, and that any changes are logged and audited sufficiently.

5. Are you using best practice? As adoption of cloud computing increases, there will be a growing pool of specific reference models and guidance. Review best practice and tools, and talk to the Cloud Security Alliance (CSA) or cloud providers that are members of CSA.

If you’re looking at creating a cloud environment, it is important that you start building in the instruments to be able to answer compliance questions and risk management questions that will be posed internally from within the organisation and externally from partners, auditors and regulators. The easiest place to start is to first ask yourself these questions.

In this pre-standards era of cloud computing, CIOs need to be smart when thinking about cloud computing and ensure all due diligence is made before taking the plunge.

Patrick Eijkenboom is the principal consultant with NetIQ Australia. NetIQ provides security and compliance management solutions and, as a corporate member of the Cloud Security Alliance (CSA), is committed to participating in the development and implementation of best practice recommendations for addressing security, audit and compliance needs specific to cloud computing.
