As the cloud becomes increasingly popular for business process management, the somewhat tenuous state of cloud risk management and security also makes it attractive to hackers. If incorporated and monitored correctly, however, cloud deployment could ultimately benefit cybersecurity, according to Chenxi Wang, a former vice president and principal analyst at Forrester Research Inc.
In this three-part SearchCompliance webcast, Wang discusses cloud security and how organizations can protect data when moving operations to the cloud. Here in part two, she explains how evolving cloud governance models are influencing organizational risk management and security processes.
Chenxi Wang: I want to switch gears from the cloud provider standpoint to organizations as cloud users. How are we going to manage cloud security going forward knowing that cyberthreats are targeting large cloud providers and cloud services in general? But before we think about how to manage cloud security, let's take a step back and not forget that cloud deployments can really be beneficial in terms of helping with security.
If you are a somewhat smaller business, you may have trouble getting IT security initiatives conducted because you don't have the right amount of people, you don't have the right amount of resources. If you move to the cloud, however, you'll be able to take advantage of some of the large-scale infrastructure security measures that are embedded, by default, in the services.
If you move to the cloud, you'll be able to take advantage of some of the large-scale infrastructure security measures that are embedded, by default, in the services.
Some of the examples I listed here include distributed denial-of-service (DDoS) protections. If you're using SaaS [Software as a Service], they regularly come with DDoS protection because the provider doesn't want their services to be affected. Even infrastructure services may have DDoS protection capabilities that you can leverage.
Certainly, you get the benefits of timely patching and extensive logging. You'll also be able to derive forensics benefits from the extensive logging mechanisms completed by cloud providers. The scaling and business continuity benefits goes without saying, and typically these cloud services have very solid perimeter protections: firewalls and Internet Provider Security that can be really expensive deployments that you might not able to afford on-premises.
Now we're going to switch gears and talk about how people are dealing with cloud security in general. One of the visible trends is that cloud strategies are developing. Two years ago, cloud deployments were ad hoc; it was sort of the Wild, Wild West. Now, if you look at the results of this Forrester survey, the number of people who say they don't have any formal cloud strategy or approach is decreasing. The number of folks who say they are executing a formal cloud migration plan increased 75% from 2011 to 2012. We also see more sanctioned buying by business outside of IT. These three different data points are an indication that cloud strategies are maturing and the industry is maturing.
However, we still see a gap between how IT feels about cloud security and how the business approaches cloud security. Of the T-shirt-wearing IT guys, 41% think that cloud security is critical. Of the suit-wearing guys on the business side, however, only 26% of them think cloud security is critical. There is a gap there, and the different points of view need to be bridged. Otherwise, we're going to see different priorities and different approaches, which could lead to discrepancies later.
We need to make sure that businesses get what they want in terms of cloud benefits, and that IT can still retain the right amount of controls, and that your company can continue to be compliant with policies and secure with respect to data protection.
In terms of cloud discovery, it's about having a somewhat comprehensive knowledge of what cloud deployment that your users are using and then understanding what risk it represents to your business. What clouds are we using? What clouds should we be using if we're not using it today? What clouds can bring us optimal business benefits that we're not leveraging? What level of risks do these cloud deployments bring? That includes both business risks and technology risks.
On the technology side, how much integration effort does it require to outsource this cloud deployment? Does it represent any kind of security risk down the road? Does it bring potential data leaks? Does it decrease the level of competency in terms of security posture? And can we tolerate the risks?
Any operation will have certain levels of risks, but you have to do a risk-benefit analysis and say, 'If this is something the business really wants, then IT needs to work with the business to find out a way to tolerate and mitigate and manage the risk.' This is really what we're focusing on today: how to implement governance, how to implement control.
To do that, first remember that not all clouds are created equal. Significant differences exist in different cloud services. For example, security for infrastructure service deployment really is a shared responsibility. In fact, in this environment, most of the responsibilities lie with the user of the cloud as opposed to the provider.
For example, Amazon really doesn't have access to the guest virtual machine unless you create an account for them. If you want to do things like managing user identities, do DLP [data loss prevention] or encryption, it's really all your responsibility. If you look at the continuum of the security-capability side, the ones that are marked in red are typically the function that does not come with the cloud environment. The security-capabilities ones marked green are provided by default, even though you may have to configure it. As for the capabilities in the middle, however, you can't necessarily count on them being there -- or it may be there, but it may not meet your needs and requirements.
More on cloud strategy
Use cloud SLAs to reduce data-related risk, boost information recovery
You really need to have a strategy for identity access management. How are you going to manage user identities? Are you going to integrate with your directories internally? Will you need identity verification if this service is provided to both internal and external entities? Will you need data arrest protection? In the infrastructure service deployment scenarios, you typically have to bring in an encryption capability yourself to perform encryption, if that's a requirement.
There are also vendor solutions like secure storage that you may be able to leverage to secure your data. But this is still something you need to take care of. Keep this continuum of security responsibilities in mind when you go to deploy an application in the infrastructure service cloud, and make sure you have a good strategy for each of the boxes.
For software service, security is again a shared responsibility, but much more of the capabilities lie within the provider's domain. For instance, if you go to Salesforce.com, they actually have a field encryption capability that you can use. But it's not something that you bring in, or it's not something you can manage from the ground up. You can say, 'I would like this customer field to be encrypted, and do it for me.' This is the way a lot of the security options are provided in the SaaS environment. You use the SaaS provider's APIs, or you use embedded functions to do the security operation, as opposed to you doing it yourself.
There are certain things that you can do yourself as compensating controls. As I said, Salesforce has its own encryption function. But other SaaS providers may not have encryption capabilities, so you may have to go and acquire a third-party solution to help you complete encryption before you put data in the cloud.
Identity access management is something that you need to do together with a cloud provider. The cloud provider may give you a piece of software for you to integrate in your identity infrastructure with the access methods that the cloud uses. Or you can incorporate something like a third-party access gateway, such as Okta. In the SaaS environment, the line in the middle of the security continuum shifts a little bit so that you don't have control over network security or some of the server security. In terms of data security, however, you still have much of the responsibilities.
Please visit SearchCompliance.com to view the next segment in this webcast, where Chenxi Wang will continue her discussion on cloud cyberthreats and defense strategies.