Eight questions CIOs should ask on cloud security
Cloud computing disrupts an organization's style of working by altering business processes, information flows and, above all, the control over IT systems exerted by individual departments.
The adoption of cloud-based services affects the level of control that an organization has on data security within the cloud.
The shift toward cloud services is more than just a shift in technology. It fundamentally alters the way business and IT systems function.
But while there are many security concerns, there are equally many benefits.
Organizations considering a shift to cloud computing should clearly understand the security tradeoffs in the selection of cloud architectures, deployment models and ownership structures.
Here are the top eight security questions every CIO should ask when using cloud-based services.
1. Am I using a trusted vendor?
The dependence of an organization on a cloud vendor for business continuity and data security will increase significantly. Every CIO must critically evaluate vendors on their financial viability and on their ability to deliver service quality, meet service-level agreements and keep services and underlying technologies aligned with business requirements.
CIOs also need to make a judgment call on the ability of the chosen vendor to scale its business model, as vendors unable to do so may eventually not survive.
2. Have I considered the value and risk to the information that I am outsourcing to the cloud provider?
Information is the key asset an organization exposes to risk in a cloud environment. Risks may arise from external attackers, internal employees or the provider's employees manipulating or stealing data. It is important to evaluate the risk of this data being made available to competitors, or simply becoming widely available in a manner that damages customer confidence or competitive advantage, or violates compliance and regulatory requirements.
A point to note is that while the management of data can be undertaken by a third party, the ownership of the data and resulting accountability lies with the organization itself. Every CIO needs to undertake a comprehensive examination of the associated risks before entrusting organizational data to a cloud-based service. This should cover all security controls used in the information lifecycle to ensure the confidentiality, integrity and availability of data during creation, processing, transmission, storage, archival and deletion.
3. What business continuity and disaster recovery measures are in place in the cloud infrastructure? Does the cloud provider have a backup in place?
Use of cloud-based services is akin to outsourcing a portion of your business process to a third party. It is essential to consider the business continuity measures put in place by the cloud service provider should a disaster occur. A provider should ensure replication of data and timely availability of services in case of an outage.
In addition, the recovery point and time objectives of the business need to be built into the provider's disaster recovery plan. The provider should be able to demonstrate the presence and effectiveness of any such plans through frequent tests.
4. Have I considered the potential implication of employees wanting to sabotage a successful cloud migration strategy?
A shift to cloud-based services may result in a reduction of existing staff. This prospect may turn employees hostile to the move, with possible malicious intent and sabotage attempts.
CIOs should ensure that the existing environment and code are well documented, versioned and archived prior to migration to the cloud. Application security measures, especially code reviews, offer key mechanisms to ensure that no trojans creating backdoors or time bombs have been maliciously embedded in application source code.
5. Have I considered how knowledge of the business process would be retained and versioned, should I wish to switch cloud providers at a future date?
Clouds today are built on proprietary and not easily interoperable technology. A shift from one service provider to another may be difficult.
In the case of software-as-a-service, an organization's business process and data are modeled on a proprietary application, and porting this data to another vendor may be tedious.
CIOs must evaluate how this data can be exported and how the built-in business processes are documented, to ensure that the data can be backed up at an alternate location at regular intervals or, in an emergency, ported to another cloud or platform.
6. Do I have a detailed list of security controls based on security, operational and business risks to determine how the cloud vendor complies with them?
Organizations need to meet specific compliance obligations to mitigate their own risks. For CIOs it is therefore critically important to create a set of clearly stated security requirements, derived from an information risk assessment, with which a cloud services provider needs to comply. It is easy to be swayed by the security features presented by a cloud service provider, which often rely on generic statements of compliance with industry standards.
7. Does your cloud provider meet the regulatory or compliance requirements needed by your organization?
To satisfy such requirements, a generic statement of control compliance may not be sufficient. Access to certain transactions, events and audit logs may be crucial for auditors. CIOs should ensure that the provider caters to these requirements responsibly, in a manner that can stand up to legal and regulatory scrutiny.
8. How do I audit or evaluate security controls placed on the cloud-based infrastructure?
In a cloud, a customer's ability to audit security controls directly is limited. In many cases, one may need to rely on the results of an audit performed by an independent third-party auditor, which are made available to all customers.
CIOs must build contractual guarantees, based on the organization's security requirements, into a cloud service provider's contract and evaluate the provider's security posture against industry best practices.