Must-have Competencies for the Cloud in 2013

Categories: IT Security

Following on from my last blog ‘Re-enforcing our doors in 2013’ solving all of the issues of disruptive innovations isn’t going to be possible in a year but we must take strides towards making some of the changes. The four members of the disruptive family are Cloud Computing, Social Media, Big Data and Mobile. Let’s take Cloud Computing this week and examine some competencies organizations must start to build.

Cloud vendor management has been on our list for a long time but how effective are we at doing this? Ultimately, organizations are responsible for the information that’s held by the Cloud service provider (CSP).  Information security teams must now switch their focus from implementing controls internally to controls implemented by third parties and asking themselves ‘how can we ensure that cloud services providers are meeting our trust levels?’ Are they are attuned to our particular threats?

The conventional controls assurance model is not sustainable the cloud. Client organizations cannot visit every cloud service provider to examine their security controls. Today, CSP’s provide assurance by using questionnaires. This is a wholly inefficient process as all organizations ask the same questions and it turns out to be a box ticking exercise. There are also no standards for these, apart from guidelines issued by the Cloud Security Alliance. A better approach would be third party assessment or certification like the AIPCA’s SOC 2 Report on Controls or the imminent ISO 27017 Standards for Security in Cloud Computing. In the meantime, organizations must find a happy medium to effectively measure controls and detect failures. The basic building blocks of an effective GRC implementations has some of the elements but while these need to mature companies will have to find their own way to measure assurance. Automated and transparent controls together with continuous monitoring will be an important part of the solution.

 
If mismanaged, this assurance process can add cost for sides, companies and service providers so it is important to ensure that overall budgets can be realigned. Companies have to realize that when moving to the cloud a larger portion of their budget is going to be needed to address cloud security. Budget realignment means reinvesting a portion of IT savings the organization achieves by moving to the cloud into managing risks. In the short term this realignment may not prove to be any more cost effective.

 
And finally, organizations must invest in technical proficiency for virtual and cloud environments. We know security controls change in the cloud e.g. the hypervisor in a virtual environment becomes a powerful software security control. Security teams must invest in these skills and ensure they have the knowledge to secure virtual environments within their own data centers and extend that knowledge to both private and public cloud models.

Look out my next blog on – Must have competencies for Social Media in 2013.

Rashmi Knowles
Author:

Rashmi is Chief Security Architect at RSA, The Security Division on EMC. In her role Rashmi is responsible for Technology and Compliance Solutions for the EMEA region. Her current responsibilities include working with customers in a Trusted Advisor role, Thought Leadership for emerging technologies and key spokesperson in the region for RSA’s Virtualisation and Cloud strategy and Compliance Solutions and a subject matter expert on Data Loss Prevention and Encryption Solutions. Rashmi has over twenty years experience in data communications, mobile communications and has focussed on Information Security for the last 15 years. Rashmi holds a degree in Computer Science from the De Montfort University and a Post Graduate in Computer Studies from the University of the South Bank, London. Subscribe to Rashmi's RSS feed