A CIO's guide to cloud risk management
There are many benefits to moving operations to the cloud, but doing so also creates new risks for many organizations. By staying proactive and understanding their unique needs, however, businesses can alleviate risk when moving to the cloud, according to Chenxi Wang, a former vice president and principal analyst at Forrester Research Inc.
In this three-part SearchCompliance webcast, Wang discusses cloud-based cybersecurity and how organizations can protect data when moving operations to the cloud. Here in part three, she offers practices companies can implement to reduce cloud computing risks.
There are some simple practices that we recommend you can deploy, or use to educate your workforce, that can significantly mitigate your cloud computing risks. We talked earlier about how improper user password management is often one of the big security challenges for clouds. Many of the big cloud providers now provide second-factor verification, or what is sometimes called two-step verification or second-factor authentication. If they offer that, deploy it. Don't think that because you're only using email in the cloud that you don't need second-factor verification.
There's the horror story of the editor of Wired magazine who had his entire Gmail history erased because passwords were reused. Deploy second-factor authentication or two-factor verification across your user base the minute you go to the cloud, if the provider offers it. Don't think twice about it. That is one of the most effective ways you can mitigate your cloud risk. Evidence suggests that static user passwords are just not enough to protect yourself against cyberthreats. Even if your users are extremely conscientious and use really complex passwords, that's still not enough. You need to educate your users on deploying second-factor authentication and two-step verification.
The second thing is to have an approved vendor list. Some companies go as far as having an approved vendor service catalog. They maybe have a small list of approved vendors for travel services in the cloud, and smaller vendors for human resources applications or CRM applications.
For large organizations, this is a very beneficial thing to do. It provides guidance and the ability to choose an account provider from that list. For one, departments don't have to do the vetting themselves. Second, they know that if they go to one of these vendors, they are conforming to the organization's policies. You're giving them the flexibility of choice, but also helping them complete the cloud deployment within the boundaries that you've set up.
When they move to the cloud, a lot of companies want the cloud to be more secure than they ever could be on-premises, but some of those requirements are not necessarily needed. For instance, don't ask questions such as "Can you guarantee our data will definitely be in jurisdiction X?" unless your company policy or your country's data protection laws specifically stipulate it. The right questions to ask are "Can we get real-time visibility into where our data is?" and "Can we get alerted if the data location changes?" That should provide good enough controls.
So, what are we going to expect going forward in terms of the cloud industry and cloud security? We are really in the era of what Forrester calls the extended enterprise. Today, a typical enterprise workflow is not self-contained. Workflow will most likely at least touch on an externally hosted application like the cloud. You very likely will be dealing with entities or users that are not in your identity directory. This is what we call the three axes of the extended enterprise.
We're really starting to see a new market emerge, and this is called cloud API management. This is a trend in cloud security. You might get middleware that regulates access management, and it might even do a real-time threat assessment that does logging, auditing and identity management. We see this as the emerging market. We think this is where you'll also be able to do things like traffic monitoring, application-level filtering and identity-based security policies.
With that, I want to finish with a sort-of checklist for cloud security IQ. First of all, you have to know your own security requirements and policies. Before you go to the cloud, have a set of good policies written and know your business requirements. What does your business want out of the cloud?
Earlier, I suggested having a short list of approved vendors, understanding your cloud risk, and having a good strategy for managing your users. Look into cloud API management products and platforms, and see if that's something you can leverage. And when in doubt, really go big on log forensics and logging analytics. Many cloud providers today are really big on providing log analytics for their customers because that's where business intelligence comes from.
Please visit SearchCompliance.com to view the rest of this webcast on cloud cyberthreats and defense strategies.