Creating a governance framework for cloud security

NetIQ principal consultant Patrick Eijkenboom talks about the importance of using a governance framework for a secure cloud environment

Cloud computing is revolutionising the way organisations across the world use technology. Despite the stigma cloud computing has gained following a series of high-profile data breaches, the cloud CAN be secure. Patrick Eijkenboom, principal consultant at NetIQ, discusses the importance of using a governance framework for a secure cloud computing environment, regardless of the model you adopt.

Cloud computing is undoubtedly a significant technology trend that is set to dramatically change business. A recent Frost and Sullivan report indicates that 43 per cent of Australian companies now use cloud computing in some form, while 41 per cent of IT decision-makers say cloud computing will be a top priority in the current fiscal year.

We have witnessed a recent spate of high-profile security attacks and data security breaches – from Amazon to Sony to Epsilon. As worrying as these incidents are, what is more worrying is that the cloud now has the stigma of being insecure.

Having borne the brunt of most recent attacks, cloud computing seems to have become a scapegoat for failed security measures. On closer examination, however, it is clear that these data security breaches are a result of inadequate cloud security practices within these organisations.

Rest assured that the cloud can be very secure regardless of the cloud model adopted. Organisations that are using the cloud, or considering a move to cloud computing, simply need to treat the cloud as they would any of their assets. The creation of a secure cloud environment requires the implementation of a strong governance framework.

The adoption of cloud computing has created significant challenges due to the absence of a set of widely adopted cloud security standards and practices amongst the various cloud vendors, and the ever-changing threat environment. While the security challenges are not new, the cloud seems to simply intensify their magnitude.

An IT governance framework stretches across all aspects of IT, reaches every facet of an organisation and touches each employee. Creating a governance framework for cloud security is no different. It must allow the CIO and CSO to view, assess and manage all risks, security, and compliance for the cloud environment.

As we have learned from the recent data security breaches reported, in most cases the initial breach was actually recorded and the cause identified. Unfortunately, however, the events were simply collected to fulfil basic audit requirements and not used to alert or tie in with any SIEM (security information and event management) or compliance tool. A governance framework allows security, compliance, IT and the business to connect thus paving the way for a secure cloud environment.

  1. Start with your people

    This may sound trite but it is the first step for good reason; almost all security vendors claim that a large percentage of data breaches stem from internal users. For powerful cloud security, develop strong policies that do more than just tick a compliance box. Create awareness amongst all employees about what security means, how it can affect the organisation and what they can and must do.

  2. Audit compliance

    Use an audit tool that has the capability to show where the organisation is vulnerable across the board, rather than in disparate silos. In large organisations it is common for vertical business units to rarely communicate with one another. To overcome this, create a horizontal audit compliance framework that provides a view across all business units and combines the respective information streams.

  3. Identity and access management (IAM)

    IT departments need to either extend existing identity management initiatives to include the cloud or establish a process to collectively manage identities across all systems to best protect corporate data and systems.

    As part of a governance framework, put a solution in place that looks beyond just the operating system to incorporate all platforms, applications and databases, and then places an access governance tool over the top.

    Insider threats can be overcome by a strict Identity and Access Management solution or even an Identity as a Service (IDaaS) solution that will allow IT managers to track privileged access to sensitive data and also allow them to assign or revoke these privileges. Support the identity management solution with security data logging and auditing that allows management to know who does what, where and when, and that ensures any changes are logged and audited sufficiently.

  4. Security information and event management (SIEM)

    Some organisations may consider increasing security controls when moving to the cloud. A solution is required that is not only a log management tool, but one which combines security incident and security event management to ensure a complete view of the organisation’s security posture. The ideal cloud security solution should integrate the organisation’s identity and access management solution.

    Lately we see security being offered as a service (SecaaS). This could be a solution for newcomers to the cloud or organisations that cannot build such security measures themselves either due to lack of funding or internal resources. A SecaaS offering is designed to create a secure environment that complies with many different standards for organisations across a broad range of verticals. As a result, a SecaaS solution is already more secure from the outset.

  5. Look for guidance but ensure your own security

    While the UK and New Zealand’s cloud vendors have agreed to a cloud code of practice, this is little more than a general commitment to certain business etiquette and will certainly offer no protection to users.

    The Cloud Security Alliance (CSA) provides good security guidance for cloud computing. As a matter of fact, CSA is about to release its third version of the Security Guidance for Critical Areas of Focus in Cloud Computing. This version looks not only at security and compliance, but also the entire framework of computing and networking in the cloud.

    The European Union (EU) plans to draft a new data protection law in November — The Binding Safe Processor Rules — designed to ensure cloud providers are offering a safe service. The draft will effectively request cloud service providers working in the EU to agree to become legally liable should any data offences occur at their data centres.

    It is vital to remember that this is still a pre-standards era in cloud computing. Organisations that want a secure cloud environment must develop their own watertight governance framework.

  6. Use a governance framework solution

    There’s no need to build a framework from scratch. Use a Business Service Management (BSM) solution or a dashboard that has drill-down functionality to all IT governance, risk and compliance (GRC) and security elements. If you already have a BSM solution in place, it’s a good idea to extend this to also include security and compliance.
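Steps 3 and 4 above, and the observation earlier that breached organisations had recorded the events but never used them to alert, come down to one mechanism: replaying the audit trail against the current IAM privilege state and raising an alert when a sensitive resource is touched by an identity that holds no live grant. The following is an added illustration, not NetIQ's or CSA's code; the audit event format and the sample events are constructed for the example.

```python
import json

# Constructed sample audit trail (not from the article). Each line is one
# JSON event; the field names are assumptions for this example.
SAMPLE_EVENTS = [
    '{"ts": "2011-09-12T09:05", "user": "alice", "action": "grant_privilege", "target": "bob", "resource": "customer_db"}',
    '{"ts": "2011-09-12T09:10", "user": "bob", "action": "read", "resource": "customer_db"}',
    '{"ts": "2011-09-12T23:40", "user": "carol", "action": "read", "resource": "customer_db"}',
    '{"ts": "2011-09-13T08:00", "user": "alice", "action": "revoke_privilege", "target": "bob", "resource": "customer_db"}',
    '{"ts": "2011-09-13T08:30", "user": "bob", "action": "read", "resource": "customer_db"}',
]

# Resources the governance framework classifies as sensitive (assumed).
SENSITIVE = {"customer_db"}


def correlate(lines, initial_privileged=None):
    """Replay audit events in order, maintaining the IAM privilege state
    (who currently holds a grant on each resource) and emitting an alert
    for every read of a sensitive resource by an identity without a live
    grant at that moment. Returns (alerts, final privilege map)."""
    privileged = {r: set(u) for r, u in (initial_privileged or {}).items()}
    alerts = []
    for line in lines:
        ev = json.loads(line)
        res = ev["resource"]
        holders = privileged.setdefault(res, set())
        if ev["action"] == "grant_privilege":
            holders.add(ev["target"])          # IAM change: grant recorded
        elif ev["action"] == "revoke_privilege":
            holders.discard(ev["target"])      # IAM change: grant withdrawn
        elif res in SENSITIVE and ev["user"] not in holders:
            # The event was logged either way; this is the step that turns
            # a stored audit record into something the SIEM acts on.
            alerts.append({"ts": ev["ts"], "user": ev["user"],
                           "resource": res,
                           "reason": "sensitive access without current grant"})
    return alerts, privileged


if __name__ == "__main__":
    found, state = correlate(SAMPLE_EVENTS)
    for a in found:
        print(f"ALERT {a['ts']} {a['user']} -> {a['resource']}: {a['reason']}")
    print("current grant holders:", {r: sorted(u) for r, u in state.items()})
```

Carol's late-night read (never granted) and Bob's read after his grant was revoked are the two alerts; Bob's read while the grant was live is not.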

Organisations must develop strict governance frameworks to ensure cloud infrastructure and operations are as secure as — if not more secure than — traditional on-premise approaches, in order to protect corporate data and critical systems.

Every other week we hear of a high profile organisation scandalised by data loss or theft. Data breaches will continue to be highly visible and will quickly become public knowledge. From lost revenue, increased expenses and fines to damaged customer relationships and corporate brand reputation, the costs are significant and far reaching. The cloud is your investment, your IP, your resource. Make it secure like you would do with the rest of your organisation.

Patrick Eijkenboom is the principal consultant with NetIQ Australia. NetIQ, part of The Attachmate Group, provides security and compliance management solutions. As a corporate member of the Cloud Security Alliance (CSA), NetIQ is committed to participating in the development and implementation of best practice recommendations for addressing security, audit and compliance needs specific to cloud computing.
