Convergence of the Cloud – A Nexus of Forces
Is the cloud an old problem with a new name? CISOs say: “Yes, in that organizations have been using outsourcing providers to solve issues for at least the past ten years.”
The level of adoption of Cloud services (IaaS, PaaS, etc.) varies depending upon who is driving the adoption and for what purpose. The bottom line is that using Cloud services leaves some level of exposure. While security leaders cannot stop the business leaders from leveraging the Cloud in order to grow the business, there is general agreement that security leaders have the responsibility to get in front of the business issues, educate the business users on types of data (especially regulatory data), explain the security risks and how they will be mitigated, and point out the potential loss of functionality that may occur as a result of using cloud services.
Challenges surrounding the use of the Cloud include:
- Users who are uninformed about security issues
- Regulatory data and country restrictions relating to the exportation of data
- Maturity of Cloud security technologies
- Varying levels of ability to encrypt data
- Potential loss of application functionality
While progress has been made, working with third-party cloud providers remains an issue. CISOs are still seeing the right to audit being denied. It is felt that if one can work with a provider at the right level and be contractually up front, more cooperation may be forthcoming.
Best practices for moving data to the Cloud include:
- Start small with a non-sensitive application and non-PII type data
- Leverage the success of small trials in order to move more sensitive applications to the Cloud, such as email processes and HR applications
- Use the Cloud Security Alliance for practical guidance
- Include rigorous contract language surrounding right to audit
- Use data classification, but understand its ramifications, in that it might require process changes
- Leverage the classification of sensitive data to drive for better data encryption
Finally, it is generally felt that the cloud security framework is making progress, but that more maturity is still required.