Cloud computing is one of the most significant technological trends we have witnessed and has the potential to change the very way we work. It is, however, important for CIOs to understand that we are currently in a pre-standard era of cloud computing and as such each organisation needs to be mindful of the myriad of security issues surrounding the cloud. Patrick Eijkenboom, principal consultant at NetIQ, suggests taking a measured approach and asking five security questions before jumping into the cloud.
The cloud is going to disrupt everything in every industry. Organisations are going to remake themselves along the lines of cloud computing. Governments and media across the globe are supporting initiatives where organisations are encouraged to look to the cloud first for any new IT environments or updates.
The adoption of cloud computing has created significant challenges due to the variable security standards and practices in place for different cloud vendors and the changing threat environment. While these challenges may not be new in terms of security, the cloud quite simply amplifies these issues.
The best advice for CIOs is not to get caught up in the hype and rush to put everything into the cloud. Not all applications are necessarily appropriate for moving to the cloud, especially when it comes to security. CIOs should carefully consider the following five security questions.
1. How big is your organisation? We don’t need to be told that the size of an organisation has large implications for the security issues that are relevant to it. For smaller businesses, the cloud can often be a more secure way to operate by moving all systems into a common management framework. For medium to large enterprises, there has been a lean toward private cloud adoption, with public cloud adoption not covering all key systems but a justifiable percentage of them.
2. What cloud environment are you looking to adopt? CIOs need to define the cloud environment, looking at the fundamental choices between public cloud, private cloud and hybrid cloud models, and taking into consideration that there is no ‘one size fits all’ approach. Private clouds often enable greater protection of an organisation’s IP and allow SLAs to be protected and maintained, while public clouds allow the organisation to take advantage of services offered by public cloud providers. Most organisations are finding that a hybrid cloud model enables greater capabilities, but it is important to ensure security is applied consistently on both sides of the cloud.
3. What are the security regulations and requirements you must work within? And what are the gaps between those requirements and the controls available in the cloud? Define the regulations your organisation needs to work within. Take note of the sensitivity of company data and customer data. Look at your regulatory environment closely and ensure that the cloud environments you choose can support those international regulatory and standards requirements. Ensure encryption requirements can be applied to all cloud environments and ensure you can manage access in the public cloud.
4. What are the risks and threats of your cloud strategy? Taking a risk-based approach is critically important – CIOs need to look at the sensitivity level of information and applications, and make sure decisions are made based on provider controls and specific virtualisation controls offered. Consider:
- Trust related to transparency of cloud providers – highly important in public clouds where visibility is low, as well as private clouds where you need to be aware of controls. Draw boundaries of who is responsible for what services.
- Data concerns – ensure you know that your data is being protected, fully deleted, properly backed up and existing in the correct geography for regulatory requirements.
- Governance model – ensure that your governance model covers not just policies but also user access management and incident response, and that there is a good flow of information between the cloud provider and your organisation.
- Asset management system – look at a system that can track resources, data and access. Ensure data classification runs with the application.
- Security data logging and auditing – in order to limit damage, make sure you have the ability to know who did what and when, and that any changes are logged and audited sufficiently.
5. Are you using best practice? As adoption of cloud computing increases, there will be a growing pool of specific reference models and guidance. Review best practice and tools, and talk to the Cloud Security Alliance (CSA) or cloud providers that are members of CSA.
If you’re looking at creating a cloud environment, it is important that you start building in the instruments to be able to answer compliance questions and risk management questions that will be posed internally from within the organisation and externally from partners, auditors and regulators. The easiest place to start is to first ask yourself these questions.
In this pre-standards era of cloud computing, CIOs need to be smart when thinking about cloud computing and ensure all due diligence is made before taking the plunge.
Patrick Eijkenboom is the principal consultant with NetIQ Australia. NetIQ provides security and compliance management solutions and, as a corporate member of the Cloud Security Alliance (CSA), is committed to participating in the development and implementation of best practice recommendations for addressing security, audit and compliance needs specific to cloud computing.