[BreachExchange] How to create a cloud security strategy

Inga Goddijn inga at riskbasedsecurity.com
Wed Dec 21 18:27:25 EST 2016


http://www.itworldcanada.com/article/how-to-create-a-cloud-security-strategy/389402

Some CISOs get led into the cloud by their organizations, who decide they
have to take advantage of the power and flexibility of distributed systems.
Others are pushed into it by employees who simply sign up for cloud
services without management approval or knowledge.

Whichever way, the organization is going to run into trouble if it doesn’t
have a cloud security technology strategy, says Andras Cser, a Forrester
Research vice-president and principal security analyst.

It’s not that many CISOs today are leery of cloud computing. If nothing
else, sales figures for the gamut of cloud services – SaaS, PaaS, IaaS –
prove the opposite. CISOs are increasingly comfortable with the cloud for a
number of reasons, Cser said. These include data protection tools such as
encryption and key management provided by some services, products such as
cloud access security brokers/gateways, which enforce data security
policies, and data tracking technologies.

But technology alone won’t make an organization secure – including
encrypting everything that goes to the cloud. Among other things, it’s
impractical. Cser says only sensitive data has to be encrypted.

But the point is encryption and a security gateway alone won’t make an
enterprise secure without an overarching cloud security strategy.

There are different opinions on where to start. “Before you even think
about a strategy do an audit and get some visibility into what is really
happening in your cloud,” says Kamal Shah, vice-president of products and
marketing at Skyhigh Networks, a cloud access security broker provider. “It
could be something as broad as understanding how many cloud services are
being used, by which department, how much data is in the cloud, and this
could be used to formulate your strategy. Or it could be specifically for a
cloud application to understand how users are using it, what data is being
stored, how is it being shared outside the enterprise, who is data being
shared with, how many are trusted suppliers versus personal email
addresses.”

Beyond that, he said, the industry an organization is in – healthcare,
retail – may put regulatory constraints on what can be in the cloud or how
it has to be protected if it is allowed.

Finally, management may declare that certain sensitive data – say,
intellectual property – is completely forbidden.

Then there’s finding a provider. Tim Kelleher, vice-president of IT
security at managed service provider CenturyLink, says CISOs should
question how the provider protects its environment in a variety of ways,
including meeting needed regulations for a particular industry (such as the
Payment Card Industry’s data security standard), how it secures the
environment for each customer, whether it offers additional security
services (say, virtual firewalls that can be spun up), and how it can prove
these points for auditing purposes.

A place to start researching may be the Cloud Security Alliance
<https://cloudsecurityalliance.org/star/>, an industry group with a wide
range of members from Bell Canada to VMware, which offers a certification to
members.

Forrester’s Cser recommends a five-stage process for creating a cloud
security strategy leading to a three-year technology road-map:

*1 – Define the business justification for cloud security*

To get buy-in, CISOs have to show why spending on security is needed.
Quantify the benefits, including the cost of a breach and compliance costs
versus operational efficiencies (for example, there may be cost savings
because the service provider patches apps and looks after encryption);

*2 – Identify stakeholders and their security needs*

Business units will want assurance cloud security won’t get in the way of
their work. Single sign-on and provisioning integration will help make it
easier for organizations with multiple cloud apps, Cser said. Developers
may also need help ensuring cloud security doesn’t interfere with
workloads. Also, compliance and audit staff will need assurance going to
cloud meets their requirements;

*3 – Define your cloud security governance process*

You can’t have governance without data discovery, knowing where traffic
goes, and the ability to tag information, said Cser. That will help define
what needs to be encrypted, who gets access to what attributes in the cloud
and on premise, and how to classify unstructured data.

This is the step where unsanctioned cloud applications have to be
discovered.
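The audit Shah describes above (which cloud services are in use, by which
department, how much data goes out, and whether documents are shared with
trusted suppliers or personal email addresses) and the discovery step in
this stage are usually the same exercise run over proxy logs and the
sanctioned service’s sharing export. The script below is an added example
and is not from the article, Forrester or Skyhigh; the log format, the host
names, the service catalog and the domain lists are all constructed for
illustration, and a real deployment would feed it the organization’s own
proxy or CASB export and its own catalog of sanctioned services.

```python
"""Cloud-usage audit over constructed proxy and sharing logs (added example)."""
from collections import Counter

# Constructed sample: one web-proxy line per request, fields are
# "timestamp user department destination_host method bytes_sent".
PROXY_LOG = """\
2016-12-21T09:01:10 alice finance app.box.example POST 5242880
2016-12-21T09:03:44 bob engineering api.github.example POST 1048576
2016-12-21T09:05:02 carol marketing upload.pastebin-like.example POST 204800
2016-12-21T09:07:31 alice finance app.box.example GET 1200
2016-12-21T09:09:15 dave sales sync.unknowndrive.example PUT 73400320
2016-12-21T09:11:58 erin engineering api.github.example GET 800
2016-12-21T09:14:20 frank finance sync.unknowndrive.example PUT 2097152
"""

# Constructed catalog: destination host -> (service name, sanctioned?).
# Hosts not in the catalog are treated as unclassified and unsanctioned.
SERVICE_CATALOG = {
    "app.box.example": ("Box-like file sharing", True),
    "api.github.example": ("Git hosting", True),
    "upload.pastebin-like.example": ("Anonymous paste site", False),
    "sync.unknowndrive.example": ("Unknown consumer sync drive", False),
}
UPLOAD_METHODS = {"POST", "PUT"}  # requests that carry data out of the enterprise

# Constructed domain lists used to classify sharing recipients.
ORG_DOMAIN = "corp.example"
TRUSTED_SUPPLIER_DOMAINS = {"supplier-a.example", "law-firm.example"}
PERSONAL_MAIL_DOMAINS = {"webmail.example", "freemail.example"}

# Constructed sharing export from the sanctioned file-sharing service:
# (user, department, document, recipient address).
SHARE_EVENTS = [
    ("alice", "finance", "q4-forecast.xlsx", "cfo@corp.example"),
    ("alice", "finance", "q4-forecast.xlsx", "auditor@law-firm.example"),
    ("dave", "sales", "pricelist.pdf", "dave.home@webmail.example"),
    ("frank", "finance", "payroll.csv", "someone@randomdomain.example"),
]


def parse_proxy_log(text):
    """Turn the whitespace-separated proxy lines into dicts; skip blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, dept, host, method, bytes_out = line.split()
        records.append({"ts": ts, "user": user, "dept": dept, "host": host,
                        "method": method, "bytes_out": int(bytes_out)})
    return records


def summarize_services(records):
    """Per cloud service: sanctioned flag, departments, users, bytes uploaded."""
    summary = {}
    for r in records:
        name, sanctioned = SERVICE_CATALOG.get(
            r["host"], ("unclassified:" + r["host"], False))
        entry = summary.setdefault(name, {"sanctioned": sanctioned,
                                          "departments": set(), "users": set(),
                                          "bytes_uploaded": 0, "requests": 0})
        entry["departments"].add(r["dept"])
        entry["users"].add(r["user"])
        entry["requests"] += 1
        if r["method"] in UPLOAD_METHODS:  # only count data leaving the enterprise
            entry["bytes_uploaded"] += r["bytes_out"]
    return summary


def unsanctioned_upload_report(summary):
    """Unsanctioned services ordered by bytes uploaded, largest first."""
    rows = [(name, e["bytes_uploaded"], sorted(e["departments"]))
            for name, e in summary.items() if not e["sanctioned"]]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def classify_recipient(address):
    """internal / trusted_supplier / personal / other_external, by mail domain."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain == ORG_DOMAIN:
        return "internal"
    if domain in TRUSTED_SUPPLIER_DOMAINS:
        return "trusted_supplier"
    if domain in PERSONAL_MAIL_DOMAINS:
        return "personal"
    return "other_external"


def sharing_report(events):
    """Count recipient categories and list shares to personal/unknown domains."""
    counts = Counter()
    flagged = []
    for user, dept, doc, recipient in events:
        category = classify_recipient(recipient)
        counts[category] += 1
        if category in ("personal", "other_external"):
            flagged.append((user, dept, doc, recipient, category))
    return counts, flagged


if __name__ == "__main__":
    summary = summarize_services(parse_proxy_log(PROXY_LOG))
    for name, uploaded, depts in unsanctioned_upload_report(summary):
        print(f"UNSANCTIONED {name}: {uploaded} bytes uploaded by {depts}")
    counts, flagged = sharing_report(SHARE_EVENTS)
    print("recipient categories:", dict(counts))
    for row in flagged:
        print("REVIEW share:", row)
```

The two reports map directly onto the questions in the audit: the service
summary answers “how many services, by which department, how much data”,
and the sharing report answers “trusted suppliers versus personal email
addresses”. Unclassified hosts are deliberately treated as unsanctioned so
that new services surface for review rather than disappearing into the
sanctioned bucket.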

*4 – Assess your current cloud security capabilities and identify gaps*

Here is where the impact of cloud security gateways, tokenization and
encryption on performance has to be measured, as well as identity and
access management.

Other considerations include whether solutions meet regulatory
requirements; data loss prevention and intrusion detection; user behaviour
monitoring; and monitoring the integrity of cloud workload (configuration)
files.

*5 – Create a three-year technology road map*

Forrester calls this an overview for executives that describes how you plan
to implement recommendations.