Companies looking to expand their infrastructure capabilities are increasingly turning to cloud service providers (CSPs), which have proven to be a very cost-effective, highly efficient resource for businesses of all sizes. Cloud-based solutions are used for remote hosting, colocation data centers or full infrastructure outsourcing. As these companies move operations to the cloud, confidence is growing that the technology can be an effective way to not only host data and applications, but also reduce key infrastructure costs.
But as CSPs continue to evolve, so too does the cloud computing security infrastructure required to ensure that client data remains safely segregated and accessible only to authorized users.
The key to managing cloud computing information security is to understand that it cannot be managed using an 80/20 rule -- that is, mitigating the obvious risks and then dealing with the rest as they occur. Unlike other forms of operational risks, this is an area that has to be managed to a "zero event" -- a data loss just cannot happen. Simply put, businesses can outsource the technology but can't outsource the risk. Therefore, cloud service providers must be managed proactively, aggressively and with a carefully structured approach based on enterprise risk management frameworks.
Applying risk frameworks to the cloud
While there are a number of standards and frameworks available, very few specifically address any outsourced IT services, let alone CSPs. Nevertheless, many of these standards and frameworks can be helpful to risk management in the cloud. The frameworks described in the following list address some key cloud risk management processes.
COBIT. The Control Objectives for Information and Related Technology remains the gold standard for IT governance. It is the most widely used control framework and integrates easily with both COSO and ISO 27000. It is fairly inexpensive and is available to all ISACA members. COBIT is not strong on information security, so it does need to be supplemented with an organization's specific security standards. However, COBIT's fundamental processes for identifying potential risks and implementing suitable mitigating controls apply and extend to CSP management as much as they do to other internal business processes.
ITIL. The IT Infrastructure Library provides some strong guidance for the IT environment's service aspect. It is not a governance framework and does not address enterprise architecture, but the ITIL processes depicting the "availability" aspect of IT services certainly relate to the cloud environment. ITIL aligns very well with the COBIT framework and includes a certification process.
ISO 27000. The international standard for information security practices remains one of the best resources for information security guidance. The standard follows a risk-based approach to prioritizing security efforts and contains practical data control strategies. In addition, the standard goes beyond confidentiality and also covers availability and integrity -- all of which are applicable to managing third-party service providers. All CSPs should attest to being ISO 27000 compliant.
PCI DSS. Although the Payment Card Industry Data Security Standard is only applicable to companies that store or process credit card data, it is still a very good standard to use as a reference tool. It does not provide a governance structure and is fairly high level, but it provides some input on managing third parties. It also contains a decent self-assessment and is free to download.
CSA. Finally, while not a standard or framework, the latest entrant into the risk governance universe is the Cloud Security Alliance, a not-for-profit organization with a mission to promote best practices for providing cloud computing security assurance. The CSA provides a "Cloud Controls Matrix," as well as mapping tools to other standards and frameworks (including ISO, COBIT, PCI and more). The CSA is a relatively new resource, but one that should be in every IT manager's risk assessment toolbox.
Cloud provider due diligence
Regardless of whether you use one or more standards or frameworks, there are some basic risk-management principles that must be followed when managing outsourced cloud service providers. The essential elements of third-party due diligence are fairly straightforward. These include:
- Third-party reviews (SSAE 16, PCI certification and so on);
- Documentation on the provider's information security and business continuity programs;
- Financial and insurance information;
- References and independent research; and
- Vendor history (service interruptions, security breaches, legal or regulatory issues, and the like).
It is critical not just to acquire this information, but also to conduct a detailed review and analysis of it. Any information that raises issues or concerns should be addressed promptly with the CSP.
While there are an almost infinite number of questions that can be asked of any CSP, ultimately all of the due diligence comes down to answering two key questions:
- How do you know the cloud provider can support your operation to your service-level expectations?
- How do you know the provider can protect your data?
Acquiring enough governance and technical information to answer both of these questions satisfactorily is the key to CSP management. If any other IT or risk management frameworks help in this management process, then they also may be worth considering as part of your overall risk management program.
Eric Holmquist is the managing director for enterprise risk management at Accume Partners, and has more than 30 years of experience in the financial services industry. He has authored Right-Sizing ORM: Scaling Operational Risk Management for the Small and Medium-Sized Market, and is a contributing author to Operational Risk 2.0 and The Advanced Measurement Approach to Operational Risk.