Cloud Computing: Managing Risk and Compliance in the Cloud


Cloud computing represents today's big innovation trend in the information technology (IT) space. Because it allows enterprises to deploy quickly, move swiftly, and share resources, cloud computing is rapidly replacing conventional in-house facilities at enterprises of all sizes.
Unfortunately, in their eagerness to adopt cloud platforms and applications, enterprises are neglecting to recognize and address the compliance and security risks that come with implementation. Often the ease of getting a business into the cloud - a credit card and a few keystrokes is all that is required - provides a false sense of security.
However, shortcomings in the cloud providers' security strategy can trickle down to the businesses that leverage their services. In this context, damages can range from pure power outages impacting business performance, data loss, unauthorized disclosure, data destruction, copyright infringement, to brand reputational loss.
Risk in the Cloud
For enterprises planning to transition their IT environment to the cloud, it is imperative to be cognizant of issues such as loss of control and lack of transparency, which are often overlooked. Cloud providers may have service level agreements in place, but security provisions, the physical location of data, and other vital details may not be well defined. This leaves enterprises in a bind, as they must also meet contractual agreements and regulatory requirements for securing data and comply with countless breach notification and data protection laws.

Whether organizations plan to use public clouds, which promise an even higher return on investment, or private clouds, better security and compliance is needed. To address this challenge, organizations should institute policies and controls that match their pre-cloud requirements. At the end, why would you apply less stringent requirements to a third-party IT environment than your own - especially if it potentially impacts your business performance and valuation?
Recent cyber-attacks and associated data breaches of Google and Epsilon (a marketing services firm) are prime examples of why companies need to think about an advanced risk and compliance plan that includes their third-party managed cloud environment.
To protect your business, you should insist that your cloud service provider provides visibility into security processes and controls to ensure confidentiality, integrity, and availability of data.
Best Practices for Cloud Risk Management
According to Jim Reavis, co-founder and executive director of the Cloud Security Alliance (CSA), main inhibitors to the adoption of cloud computing in large organizations are consistent and standardized frameworks, open standards, interfaces that address security controls, and easy-to-implement processes to provide assurances on levels of Governance, Risk, and Compliance and security in cloud environments.
According to a report by Forrester Research (Compliance with Clouds: Caveat Emptor, August 2010) organizations should not wait for the cloud industry to step up its support for regulatory compliance, but instead security professionals should look beyond their cloud providers for compensating controls to aid cloud sourcing.
This view is obviously shared by IT and security leaders, who responded to the 2011 Global State of Information Security Survey of PricewaterhouseCoopers, CIO Magazine, and CSO Magazine, as they identified compliance (34%) and regulatory compliance (33%) among the top five business issues that will drive information security spending in their organization in 2011.
As cloud computing is still an emerging technology space, advice on how to address cloud risk management is limited. What best practices should organizations follow? Probably the best bet are the guidelines developed by the Cloud Security Alliance, a non-profit organization formed to promote the use of best practices for providing security assurance within cloud computing.
The CSA defines three distinct stages of a cloud adoption life cycle, starting with cloud risk readiness assessment, cloud risk operations monitoring, and finally leading to cloud audits (an area that still requires further standardization).
Cloud Risk Readiness
When you transition your IT infrastructure to a cloud environment you have to find ways to determine how to trust your cloud provider with your sensitive data. Practically speaking, you need the ability to assess security standards, trust security implementations, and prove infrastructure compliance to auditors.
To quickly evaluate your tolerance for moving asset to various cloud computing models (e.g., public cloud, private cloud, community cloud, or hybrid cloud) you should apply the followings steps:
  1. Identify the assets for the cloud deployment (e.g., data, applications, functions, processes)
  2. Evaluate the assets as it relates to criticality to the business and answer questions such as:
    • What impact would the business face if the asset became public information?
    • What impact would the business face if the asset would be accessed by the cloud service provider?
    • What impact would the business face if the application would be attacked or corrupted by an outsider?
    • What impact would the business face if the stored data were unexpectedly modified?
    • What impact would the business face if the asset were unavailable for a period of time?
  3. Map the asset to the potential cloud deployment model
  4. Evaluate potential cloud service models and providers and answer questions such as:
    • Does the cloud service provider meet current standards for security (e.g., assessment of threat and vulnerability management capabilities, continuous monitoring, business continuity plan)
    • Is the cloud service provider compliant with applicable regulations and can it pass a regulatory audit?
    • Can the cloud service provider generate dynamic and detailed compliance reports that can be used by the provider, auditors, as well as your internal resources?
Considering that many organizations deal with a heterogeneous cloud eco-system, comprised of infrastructure service providers, cloud software providers (e.g., cloud management, data, compute, file storage, and virtualization), platform services (e.g., business intelligence, integration, development and testing, as well as database), it is often challenging to gather the above mentioned information in a manual fashion. Thus, automation of the vendor risk assessment might be a viable option, especially if the same software tool can be leveraged for the other stages of the cloud adoption life cycle.
In addition, it's important to select a software tool that provides compliance controls assessment frameworks and content from regulations such as PCI DSS 2.0, FISMA 2010, SOX, NIST, ISO, CSA, SANS and BITS, threat controls content from CSA, as well as cloud risk dashboards and reports.
Cloud Risk Operations
A portion of the cost savings obtained by moving to the cloud should be invested into increasing the scrutiny of the security qualifications of an organization's cloud service provider, particularly as it relates to security controls, and ongoing detailed assessments and audits to ensure continuous compliance.
In this context, organizations should consider leveraging monitoring services or security risk management software that achieves:
  • Continuous compliance monitoring
  • Segregation and virtualization provisioning management
  • Automation of CIS benchmarks and secure configuration management integrations with security tools such as VMware vShield, McAfee ePO, and NetIQ SCM
  • Threat management with automated data feeds from zero-day vendors such as VeriSign and the National Vulnerability Database (NVD), as well as virtualized vulnerability integrations with companies such as eEye Retina and Tenable Nessus
Automated technology, which allows a risk-based approach and continuous monitoring for compliance, would be suitable for enterprises seeking to protect and manage their data in the cloud.
Cloud Risk Audit
This stage of the cloud adoption life cycle has not been very well defined yet and therefore requires further standardization driven by an increase in cloud deployments.
Nonetheless, when evaluating cloud service providers, organizations should ensure that they perform automated regulatory health checks and provide transparency in their infrastructure (IaaS), platform (PaaS), and software (SaaS) environments.
Practical Tips in Selecting the Right Cloud Risk Management Tool
When assessing Cloud Risk Management services or software, organizations should apply the following selection criteria:
  • Choose a vendor that offers an all-encompassing solution, meaning providing methodologies, frameworks, tools, and best practices to properly assess and manage your organization's cloud initiatives across all three stages of your cloud adoption life cycle. The solution should cover Governance, Risk, and Compliance (GRC), as well as Security in the form of threat and vulnerability management capabilities.
  • Choose an automated technology with an open architecture, since many organizations have invested heavily in security tools. This will allow data to be fed from the existing tools into the Cloud Risk Management tool and provide an aggregated view into both IT and business compliance and risk.
  • Make sure you work with a vendor that offers a solution that is content rich and includes many of the regulations (PCI, FISMA, SOX, etc.), frameworks, and standards that are applicable to your organization.
  • Seek out a vendor or service provider that can add value by offering innovative technology that goes beyond the traditional view of GRC. Namely, ensure that beyond governance and compliance, the areas of security (e.g., threat and vulnerability) and risk (e.g., enterprise risk management) are well covered, as it ensures higher return on investment.
  • Since you measure the success of a technology implementation by the time it takes to achieve value from its investment, it's crucial to engage with a vendor that offers the most efficient time-to-value. From a deployment perspective, this means that an on-site implementation should not exceed 90 days and as a managed service client, you should be up and running within 30 days.
Summary
There is no doubt that cloud computing will continue growing and, as it does, continue to get safer. But data breaches at some of the largest enterprises highlight the fact that there are still many risks associated with cloud adoption. Constantly changing government regulations are making it more difficult to keep compliant during the audit process as well. While it's exciting to be at the frontline when it comes to embracing a new technology that is poised to change the way we conduct business, we must remember that these technologies almost always come with new risks that have not yet been fully addressed.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

LINK TO OUR HOME PAGE :
Voice Of GREYHAT is a non-profit Organization propagating news specifically related with Cyber security threats, Hacking threads and issues from all over the spectrum. The news provided by us on this site is gathered from various Re-Sources. if any person have some FAQ's in their mind they can Contact Us. Also you can read our Privacy Policy for more info. Thank You ! -Team VOGH
If you enjoyed VOGH News, Articles Then Do Make sure you to Subscribe Our RSS feed. Stay Tuned with VOGH and get Updated about Cyber Security News, Hacking Threads and Lots More. All our Articles and Updates will directly be sent to Your Inbox. Thank You! -Team VOGH

Categories:

0 comments:

Post a Comment

Related Posts Plugin for WordPress, Blogger...