Companies transitioning to the cloud have to think of cybersecurity as more than firewalls, access controls and incident response, and define goals of security that go beyond confidentiality, integrity and availability, said Randy Vickers, chief information security officer for the U.S. House of Representatives.
“It’s about how you can do your business mission" in a different environment, with its own requirements for protecting data, Vickers said during his talk at the RSA Show’s Cloud Security Alliance CISO Summit. “You have to be allowed to exchange data with cloud service providers, with on-prem systems, and with other individuals and organizations, but in a secure way.”
During his talk, Vickers outlined five considerations for security teams as they migrate to the cloud. Below is the breakdown.
Compliance and monitoring capabilities
Companies have to understand that with the cloud there is still data on-premises that gets transferred to the cloud service provider (CSP). Lean on a cloud access security broker (CASB) to take you through this process. Find out what tools the company needs to have in place to make sure that the data is monitored properly and stays secure and compliant while it is being processed at the CSP.
Cloud service provider fitness review
Google, Amazon Web Services, and Oracle are very large companies with a deep bench for software development. They can maintain patches and upgrades, and they have security teams to make sure the tenancy remains secure. They can also provide customers with information on the environment. But what happens when people look at a small company? Does it have that depth of knowledge? Does it have the depth of experience to maintain the service the customer pays for? Does it have a security team to ensure the data is secure? What happens if the smaller provider gets bought? Is it so small that it cannot maintain the resiliency and redundancy your business processes need?
It is crucial to understand the fitness of the CSP in order to assess future risk. Find out whether that company will still be around and remain a partner in years to come. If it is bought, you have to react quickly. Ask whether you can get your data back.
Security risk review
Whenever looking at a CSP, there are standards that customers can use to understand what security controls the CSP has in place. Start by consulting NIST SP 800-53. The General Services Administration runs the Federal Risk and Authorization Management Program (FedRAMP), which authorizes CSPs against the NIST 800-53 controls. Yes, it is a federal program, but it is a good standard to use when evaluating a CSP. Even in years two, three and four, make sure the provider is still adhering to those standards to maintain a proper security posture. Another standard to consider is the Center for Internet Security (CIS) Controls.
Whenever a company establishes a connection to a CSP, it has to consider whether to change its architecture. Does the company have to make DNS, firewall, or routing changes to make sure data can cleanly get from on-prem systems to the CSP? Some CSPs offer dedicated links. Some require companies to put in special virtual private networks. Knowing that up front, as part of the review, will help customers decide how best to implement a cloud service, or which one to select. Ensuring clean connectivity reduces risk, because there is less chance of an outage.
Contract and legal review
The CSP will have terms and conditions, as all businesses do. Here is where customers have to work closely with the legal team to get answers to important questions, such as: What happens if data gets lost? What happens if there is an incident? What happens if you want to terminate the relationship? Does money have to be paid if the provider does not meet the agreed standard of quality? These are all questions that need to go through the legal department before a contract gets signed.