Building Trust in the Cloud: Managing the Risk
Low costs and few barriers make it attractive for organizations to take advantage of cloud-based applications. In seeking to leverage cloud services, organizations should weigh the potential risk against the benefits. Does the low cost, for example, mean that security controls are lacking? Or do the economies of scale exist because the cloud services provider specializes in delivering functionality that would be too expensive to implement and maintain within your IT organization? And would the operations personnel be able to keep up the skill set as technology evolves?
As organizations move more and more applications to the cloud, the CISO is emerging as the broker for all business integration strategies. By placing security at the front of the process, organizations can ensure that security, privacy and compliance controls exist and that baseline standards are met.
In evaluating cloud service providers, points to address include:
- What is the security architecture and is it robust enough?
- Will the cloud service provider conduct at least the same level of security, if not better, than you would perform?
- Does the cloud service provider have security certifications?
- Who is the data owner?
- What controls are in place?
- How is the data classified?
- How will the data be managed as it moves through various jurisdictions?
- What is the culture of the company in terms of sharing information and fostering transparency?
- Is it possible to contractually provide for business continuity and disaster recovery?
It is incumbent on the cloud service provider to gain the customer’s trust, and transparency is a key factor in building that trust. Cloud service providers can foster transparency and build trust by allowing for onsite audits, sharing third-party assessments and audit documents, and allowing larger customers to conduct their own pen-tests.
The practice of “exercising an incident” with the cloud provider is emerging as a way to build trust. By exercising an incident, security organizations can better judge how a cloud services provider executes incident response, how long disaster recovery will take, and how long it will take to extract data, among other things.
Security standards for cloud services and cloud applications continue to evolve. While both consumers and service providers continue to exert pressure toward defining the standards, the CISO and the security function are emerging as the leaders in defining the current and future standards.