Following on from my last blog, ‘Re-enforcing our doors in 2013’: solving all of the issues raised by disruptive innovations isn’t going to be possible in a year, but we must take strides towards making some of the changes. The four members of the disruptive family are Cloud Computing, Social Media, Big Data and Mobile. Let’s take Cloud Computing this week and examine some competencies organizations must start to build.
Cloud vendor management has been on our list for a long time, but how effective are we at doing it? Ultimately, organizations remain accountable for the information held by a cloud service provider (CSP), whoever operates the infrastructure. Information security teams must now switch their focus from implementing controls internally to assessing controls implemented by third parties, and ask themselves ‘how can we ensure that cloud service providers are meeting our trust levels?’ Are they attuned to our particular threats, or only to the generic ones?
The conventional controls assurance model is not sustainable in the cloud. Client organizations cannot visit every cloud service provider to examine its security controls. Today, CSPs provide assurance by answering questionnaires. This is a wholly inefficient process: every customer asks much the same questions, and it turns out to be a box-ticking exercise. There are also no standards for these questionnaires, apart from guidelines issued by the Cloud Security Alliance (such as its Consensus Assessments Initiative Questionnaire). A better approach would be third-party assessment or certification, such as the AICPA’s SOC 2 report on controls or the forthcoming ISO 27017 standard for security in cloud computing. In the meantime, organizations must find a happy medium that lets them measure controls effectively and detect failures. The basic building blocks of an effective GRC implementation provide some of the elements, but while these mature, companies will have to find their own way to measure assurance. Automated and transparent controls, together with continuous monitoring of the evidence they produce, will be an important part of the solution.
If mismanaged, this assurance process can add cost for both sides, customers and service providers, so it is important to ensure that overall budgets can be realigned. Companies have to realize that when moving to the cloud, a larger portion of their budget is going to be needed to address cloud security. Budget realignment means reinvesting a portion of the IT savings the organization achieves by moving to the cloud into managing the new risks. In the short term this realignment may not prove to be any more cost effective.
And finally, organizations must invest in technical proficiency for virtual and cloud environments. We know security controls change in the cloud: the hypervisor in a virtual environment becomes a powerful software security control, and because it sits beneath every guest it is also a high-value target, so its configuration and patching deserve the same scrutiny as any perimeter device. Security teams must invest in these skills and ensure they have the knowledge to secure virtual environments within their own data centers, then extend that knowledge to both private and public cloud models.
Look out for my next blog: Must-have competencies for Social Media in 2013.