Some CISOs get led into the cloud by their organizations, which decide they have to take advantage of the power and flexibility of distributed systems. Others are pushed into it by employees who simply sign up for cloud services without management approval or knowledge.
Either way, the organization is going to run into trouble if it doesn’t have a cloud security technology strategy, says Andras Cser, a Forrester Research vice-president and principal security analyst.
It’s not that many CISOs today are leery of cloud computing. If nothing else, sales figures for the gamut of cloud services – SaaS, PaaS, IaaS – prove the opposite. CISOs are increasingly comfortable with the cloud for a number of reasons, Cser said. These include data protection tools such as encryption and key management provided by some services, products such as cloud access security brokers/gateways, which enforce data security policies, and data tracking technologies.
But technology alone won’t make an organization secure, and that includes encrypting everything that goes to the cloud, which, among other things, is impractical. Cser says only sensitive data has to be encrypted.
The point is that encryption and a security gateway on their own won’t make an enterprise secure without an overarching cloud security strategy.
There are different opinions on where to start. “Before you even think about a strategy, do an audit and get some visibility into what is really happening in your cloud,” says Kamal Shah, vice-president of products and marketing at Skyhigh Networks, a cloud access security broker provider. “It could be something as broad as understanding how many cloud services are being used, by which department, how much data is in the cloud, and this could be used to formulate your strategy. Or it could be specifically for a cloud application to understand how users are using it, what data is being stored, how it is being shared outside the enterprise, who the data is being shared with, how many are trusted suppliers versus personal email addresses.”
Beyond that, he said, the industry an organization is in – healthcare, retail – may put regulatory constraints on what can be in the cloud or how it has to be protected if it is allowed.
Finally, management may declare that certain sensitive data – say, intellectual property – is completely forbidden.
Then there’s finding a provider. Tim Kelleher, vice-president of IT security at managed service provider CenturyLink, says CISOs should question how the provider protects its environment in a variety of ways, including meeting the regulations needed for a particular industry (such as the Payment Card Industry Data Security Standard), how it secures the environment for each customer, whether it offers additional security services (say, virtual firewalls that can be spun up), and how it can prove these points for auditing purposes.
A place to start researching may be the Cloud Security Alliance, an industry group with a wide range of members from Bell Canada to VMware, which offers a certification to members.
Forrester’s Cser recommends a five-stage process for creating a cloud security strategy leading to a three-year technology road-map:
1 – Define the business justification for cloud security
To get buy-in, CISOs have to show why spending on security is needed. Quantify the benefits, including the cost of a breach and compliance costs versus operational efficiencies (for example, there may be cost savings because the service provider patches applications and looks after encryption);
2 — Identify stakeholders and their security needs
Business units will want assurance that cloud security won’t get in the way of their work. Single sign-on and provisioning integration will help make it easier for organizations with multiple cloud apps, Cser said. Developers may also need help ensuring cloud security doesn’t interfere with workloads. Also, compliance and audit staff will need assurance that going to the cloud meets their requirements;
3 – Define your cloud security governance process
You can’t have governance without data discovery, knowing where traffic goes and the ability to tag information, said Cser. That will help define what needs to be encrypted, who gets access to which attributes in the cloud and on premises, and how to classify unstructured data.
This is also the step where unsanctioned cloud applications have to be discovered.
4 – Assess your current cloud security capabilities and identify gaps
This is where the impact of cloud security gateways, tokenization and encryption on performance has to be measured, along with identity and access management.
Other considerations include whether solutions meet regulatory requirements, and whether they cover data loss prevention, intrusion detection, user behavior monitoring and integrity monitoring of cloud workload (configuration) files.
5 – Create a three-year technology road map.
Forrester calls this an overview for executives that describes how you plan to implement recommendations.
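The discovery work that Shah’s audit and Cser’s governance step both call for (how many cloud services are in use, by which department, how much data is going up, and which of those services IT never sanctioned) is usually done by a CASB against proxy or firewall logs. The script below is an added example, not code from the article, Forrester or Skyhigh, showing the minimal version of that inventory. The log format, the service catalogue, the sanctioned-service list and the sample log lines are all constructed for the example; a real deployment would feed it the proxy’s own export and a catalogue of thousands of services.

```python
"""Shadow-cloud discovery from web-proxy logs (added example).

Parses proxy log lines, maps destination hosts to known cloud services,
and reports per-service usage: departments, users, bytes uploaded and
whether the service is sanctioned. Everything below is constructed for
illustration; the catalogue, policy and log format are not real products.
"""
import re
from dataclasses import dataclass, field

# Constructed catalogue: destination-host suffix -> (service name, category).
SERVICE_CATALOGUE = {
    "corp-files.example": ("CorpFiles", "file-sharing"),
    "sharebox.example": ("ShareBox", "file-sharing"),
    "notes-app.example": ("NotesApp", "collaboration"),
    "pastesite.example": ("PasteSite", "paste"),
}

# Constructed policy: the services IT has actually sanctioned.
SANCTIONED = {"CorpFiles", "NotesApp"}

# Constructed proxy log format (one request per line):
# <iso-time> <user> <department> <method> <host> <bytes_out>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<dept>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>\S+) (?P<bytes_out>\d+)$"
)

# Constructed sample log; the last line is deliberately malformed.
SAMPLE_LOG = """\
2015-06-01T09:01:12Z alice finance POST upload.sharebox.example 5242880
2015-06-01T09:02:40Z alice finance GET www.sharebox.example 512
2015-06-01T09:05:03Z bob engineering PUT api.corp-files.example 1048576
2015-06-01T09:07:19Z carol marketing POST pastesite.example 20480
2015-06-01T09:09:55Z bob engineering POST sync.notes-app.example 4096
2015-06-01T09:12:00Z dave finance GET news.example 0
this line is malformed and should be skipped
"""

UPLOAD_METHODS = {"POST", "PUT"}


@dataclass
class ServiceUsage:
    name: str
    category: str
    sanctioned: bool
    departments: set = field(default_factory=set)
    users: set = field(default_factory=set)
    bytes_out: int = 0  # bytes sent in upload requests only


def lookup_service(host):
    """Map a destination host to a catalogue entry by domain suffix, or None."""
    host = host.lower().rstrip(".")
    for suffix, entry in SERVICE_CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            return entry
    return None


def parse_line(line):
    """Return the fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def build_inventory(log_text):
    """Aggregate proxy log lines into a per-service usage inventory."""
    inventory = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines the proxy format does not explain
        entry = lookup_service(rec["host"])
        if entry is None:
            continue  # not a known cloud service; ordinary web traffic
        name, category = entry
        usage = inventory.setdefault(
            name, ServiceUsage(name, category, name in SANCTIONED))
        usage.departments.add(rec["dept"])
        usage.users.add(rec["user"])
        if rec["method"] in UPLOAD_METHODS:
            usage.bytes_out += rec["bytes_out"]
    return inventory


def services_by_department(inventory):
    """Invert the inventory: department -> set of cloud services it uses."""
    result = {}
    for usage in inventory.values():
        for dept in usage.departments:
            result.setdefault(dept, set()).add(usage.name)
    return result


def unsanctioned_report(inventory):
    """Unsanctioned services as (name, bytes uploaded, departments), largest first."""
    rows = [(u.name, u.bytes_out, u.departments)
            for u in inventory.values() if not u.sanctioned]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_LOG)
    for name, nbytes, depts in unsanctioned_report(inv):
        print(f"UNSANCTIONED {name}: {nbytes} bytes uploaded by {sorted(depts)}")
    for dept, names in sorted(services_by_department(inv).items()):
        print(f"{dept}: {sorted(names)}")
```

Two design points matter in practice. Only upload methods count toward “how much data is in the cloud”, because request bytes on a GET are almost always just headers; and matching is by registered-domain suffix rather than exact host, since a single service fronts uploads, sync and web UI from different hostnames. Lines that do not parse are skipped rather than failing the run, so one malformed proxy export does not hide the rest of the picture.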