Deciphering cloud strategy


Before a move to the cloud

Taking a somewhat more legalistic approach, Ben Tomhave, principal consultant at LockPath, an Overland Park, Kan.-based governance, risk and compliance software and service provider, suggests five points to consider before and after moving to the cloud.

Assess the risks: It is imperative, says Tomhave, that no cloud services agreement be inked without at least a cursory risk assessment. The assessment should consider financial, legal and operational risks (inclusive of IT/information risk). For example, he says, consider the tradeoffs, the sensitivity of the data and potential regulatory requirements. However, he warns, “Don't overdo it.” Tomhave recommends that potential users also develop a fast-path risk assessment process that can be completed in hours, so that the organization can move ahead when the data is not sensitive, there are no regulatory concerns and there are major potential cost savings from using the cloud. “Employing a tiered-risk assessment process can be useful,” he says.

Contract, contract, contract: Tomhave says it is vital to review terms and conditions in contracts and, if possible, negotiate for wording that best aligns with the required risk management strategy. “Ensure that legal is on board,” he says. “Work with legal to prepare a template of terms, conditions and service-level agreements (SLAs) that you would ideally have included to help expedite the process.” If the provider won't negotiate the contract, Tomhave says, reassess the risks and decide whether to use that provider at all. If a go-forward decision is made, ensure that adequate compensating controls are identified and implemented. “Don't forget to look at breach notification duties, as well as the associated costs with customer notifications, incident response and ensuing clean-up – and make sure your contract doesn't prevent you from meeting your regulatory duties,” he adds.

Monitoring: If the contract has SLAs, then make sure to monitor for compliance, says Tomhave. Additionally, determine what other monitoring capabilities one is granted. “Ensure that as much monitoring and reporting as is needed gets fully and properly integrated with existing monitoring duties,” he says.

Response: Incidents will happen, says Tomhave, so it is important to know in advance what response capabilities can be applied to the service.

“Commercially reasonable, legally defensible”: Tomhave's mantra is designed to ensure that “commercially reasonable” security measures are in place. This phrase represents an evolving duty of care, but it must be evaluated, demonstrated and documented, he says. Similarly, he says one should make sure that the entire analysis process is documented, with specific notes on the final decisions about managing key risk factors. Then, he says, consider a potential worst-case legal scenario in which a breach occurs and key stakeholders file a lawsuit. “Have you done enough to proactively defend yourself, demonstrating that a reasonable risk analysis and decision process were followed?” he asks.

Finally, Andy Maier, senior product manager of Savvisdirect, a Monroe, La.-based provider of cloud services, says most companies already carry a number of security risks based on the choices they've made or avoided in their current IT configuration. Moving to the cloud is not inherently less secure for companies, especially those that don't already have significant IT resources. “Many businesses are subject to very specific security requirements based on their industry,” he says. “Complying with these requirements can include auditing and certification of implementations by third-party agencies.” Still, hanging one's hat and reputation on a stack of certification documents won't guarantee job security, customer confidence or security, Maier warns.

Instead, Maier offers a range of suggestions, including figuring out what data needs to be encrypted in the cloud that isn't already. Also, he says, it is wise to determine whether existing monitoring solutions can be integrated with the cloud. That should include not only intrusion detection and prevention technologies but also application performance monitoring to help assure business continuity.

And, he adds, be sure to find out what kind of mitigation help a provider offers. Does the cloud vendor have a DDoS prevention solution, for example? “Information security alone shouldn't be the only concern,” says Maier. “If you take all the steps of the best security experts, but implement a brittle deployment, lost transactions and customer records could still result in the ruin of your business.”
