GOVERNANCE, OVERSIGHT, POLICY, AND CAPABILITY IN CLOUD SECURITY
Two converging, technologically transformative forces are changing the landscape of IT and security.
- The world has been steadily embracing user choice – devices, flexible locations and work schedules, and Software-as-a-Service (SaaS) productivity tools. Businesses must adapt or go extinct.
- The world is shifting application services and workloads to public cloud Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS), enabling speed, flexibility, and reduced cost.
As a result, business cloud footprints are growing exponentially and the line between “inside” and “outside” is blurring. Our increasing interconnectedness fosters collaboration, but the ease and speed with which data can be shared without proper security checks has created new risks and challenges. Further, because some businesses are making mistakes with personal information, the public has demanded third-party oversight to systematically enforce good behaviour with personal and financial data of all types. Regulatory compliance mandates are now increasing in both number and complexity at the national, state, and local levels.
Cloud security must be addressed in a way that enables user collaboration and the inherent agility and value of the cloud, while providing enterprise-grade security to “the right things” at “the right time.” It must do this while simultaneously meeting or exceeding regulatory compliance requirements. As more data is moved onto or into devices, applications, and data centers not under direct control, information security, risk management, and cyber security teams must mitigate risk in new ways while enabling the business to move swiftly and remain competitive using the cloud.
We’ve seen many cloud security vendor products that offer solutions to these problems. However, there is a limit to how far a vendor can provide guidance on your specific business risks and compliance requirements. Many of these best practices come in the form of policy-specific packaged configurations, such as a “GDPR Compliance” policy or a “PCI DLP Profile,” which are extremely valuable yet incomplete.
Businesses need to establish guardrails on how cloud services should be used and managed, including identity, unstructured data, and enterprise on-premises integrations to name a few. To do this effectively, cloud risk governance groups must be established to carry business level guidance to the technical world of cloud security and periodically measure effectiveness of controls.
CEDRUS CAN HELP
1. Cloud Security Advisory:
Cedrus assists businesses in building cloud security governance, oversight teams, and the necessary processes for cloud adoption and usage. We help to clarify guidance and capture minimum requirements such as:
- Legal considerations in engaging a cloud vendor, such as terms and conditions, license agreements, or data jurisdictions
- Compliance considerations in engaging a cloud vendor, such as data center compliance, Payment Card Industry Data Security Standard (PCI DSS) compliance, or Service Organization Control (SOC) reporting
- Information Security considerations for engaging a cloud vendor, such as security controls and encryption capabilities
- Information Protection considerations for engaging a cloud vendor, such as data ownership or data deletion upon service termination
- IT department architecture considerations, such as protocol requirements or integration requirements
Ready to Get Started? Contact us!
2. Cloud Security Standards:
Cedrus assists businesses in the creation of reference documents in the area of cloud security standards and guidelines to be used for internal project teams embarking upon initiatives leveraging the cloud.
Step 1: Perform a Gap Analysis that evaluates existing cloud-relevant Information Security Policies and Standards to incorporate into the process, including:
- Acceptable use
- Identification and Authentication
- Application Security
- Data Classification / Handling
- Vendor Risk Management
- Encryption
- Logical Access Control
- Compliance
Step 2: Create a Guidelines and Standards Document that outlines the security governance criteria, including, but not limited to, general standards such as:
- Regulatory Mandates
- Enterprise Risk Levels
- Vendor Trust Criteria
- Data Classification and Data Leakage Prevention (DLP)
- Identity and Access Management, Access Control, Privileged Access
- Encryption and Key Management
- Mobile and Endpoint
3. Cloud Security Capability Assessment:
Cedrus also assists businesses with cloud security capability mapping, ensuring that control gaps can be identified and closed and that best practice security approaches for operating in the cloud can be met. We partner with the Cloud Security Alliance (CSA) and leverage the Cloud Controls Matrix (CCM), and all of our consultants hold the CSA Certificate of Cloud Security Knowledge (CCSK).
Step 1: Capability Map - In this process the Cedrus consultants analyze the existing cloud security technology capabilities against the corresponding guidance in the CCM. We assist in determining:
- Does a capability exist where a control is recommended by the CCM?
- Do any gaps exist where a control is required by business policy?
- If capabilities exist, are they implemented and managed?
- Are there redundant tools/solutions in any area?
- Are tools/solutions cloud ready and/or cloud aware, and supported/supportable?
Step 2: Create a recommendations and roadmap document to outline recommended solutions to control gaps or under-configured solutions, along with a suggested timeline and budget to implement the controls.