How to Maintain Security Due Diligence in the Cloud
Cloud offerings have greatly improved in scale and economic efficiency, making it a relevant and viable choice for the computing needs of organizations in every industry. While cloud delivers a host of new benefits to its users (public, private, and in-between), it also exposes organizations to new kinds of security risks. As a result, CIOs and business leaders need to incorporate and maintain a security due diligence approach in the cloud. For many, this is a paradigm shift.
Security frameworks for older, on-premise technologies are guided by established regulatory compliance guidelines such as FISMA, NIST 800-53, HIPAA, PCI-DSS, and IRS 1075. Even associated certifications used as a standard for security expertise, such as CISSP, do not fully address the experience and expertise necessary to counter cloud risks. This is especially evident given the recent FTC rulings with Wyndham, and the liability findings against Target.
As the application of cloud due diligence continues to unfold, cloud service providers and cloud users can adopt three important security practices as a baseline for their preemptive protection of data and applications hosted in the cloud.
- Document Security Controls
An effective security policy is based upon an analysis of organizational risk and contains procedures that mitigate identified vulnerabilities and validate compliance.
Management of people, roles, and identities plays a critical part in mitigating risk during daily operations. Your organization should control and monitor which members have access to sensitive data or systems. By using an identity management system to allow access to the cloud, you can ensure data access is limited only to qualified individuals. Robust identity management can also allow you to track and narrow down possible sources of an information breach, should one occur.
Designing a standard security policy that addresses all relevant risks allows your organization to prevent breaches and demonstrates its commitment to excellent data security.
- Commit to SLA Monitoring and Auditing
When entering into a contract with a cloud service provider, it is incumbent upon your organization to understand your business arrangement and the performance metrics captured within your service level agreements. This information is essential from a security perspective and provides demonstrable proof that your organization understands its accountability requirements and is taking due diligence steps.
All SLAs should measure performance and security practices in a way that is consistent with your organization’s assets, data, and mission. By monitoring and auditing SLAs, you ensure your cloud services comply with security standards and regulations, and pass on that peace of mind to your clients.
- Conduct Periodic Third-Party Cloud Risk Assessments
Ensure you have a plan in place to regularly review the security of your cloud data.
This plan should include hiring independent auditors, reviewing data access rules, and adding layered security elements such as encryption or data resilience features to mitigate risk. It is also important to regularly review and update business practices and process as part of the risk framework.
By implementing periodic reviews, your organization can identify and fix weaknesses in its security practices. Third-party cloud risk assessments can also identify and replace security measures that have become outdated or otherwise ineffective. A regular risk assessment keeps your security program on the cutting-edge. It also offers a visible demonstration of your organization’s willingness to be evaluated by other credible entities, thus building customer trust.
Cloud computing services offer a plethora of new benefits, but they also present new security challenges that organizations must address. By implementing these three security measures, your organization can begin to build a solid security framework to protect against the cloud’s unique risks.
About the Author:
Maria C. Horton, CISSP, ISSMP, IAM, is president and CEO of EmeSec Inc. (EmeSec).
Ms. Horton founded EmeSec in 2003 after retiring from two decades as a Navy Officer where she rose to the rank of Commander. She saw firsthand during her final active duty assignment as the CIO for National Naval Medical Center (NNMC) the requirements and implications for security and emergency management during the Sept. 11, 2011 terrorist attacks. Ms. Horton has hands-on cybersecurity and cloud security experience, and has created new business through networking, teaming with other small businesses, and communicating the strengths and creditability of her small business to others Her security and technology background includes the initiation and direct leadership of e-health applications, teleradiology, and digital imaging for Army, Navy, and Air Force; multiple publications and presentations and awards. Her company has been recognized on the INC 500|5000 list and as a GovSTAR SmartCEO winner.
