By Dan Lohrmann
Over the past decade, I have read articles and listened to speeches and panels from hundreds of experts who discuss strategies around cloud computing and protecting your data. If I had to boil down their “words of wisdom” into one sentence, it would be this: You can’t secure the entire cloud, but you can take meaningful steps to secure your data – in your piece of the cloud.
OK, you may be thinking, but how do we do that? Read on…
First, Some Historical Context
There’s an ongoing debate about when the term “cloud computing” first appeared. But there’s no debate about the cloud’s positive impact over the past decade. Whether discussing technology infrastructure, new data center needs, software as a service, disaster recovery, mobile app delivery or other aspects of future technology innovation, cloud computing is at the center of the conversation.
But security continues to top the list of cloud concerns. To prep for an online symposium on improving cloud security, I reviewed 2008 presentations from when I was Michigan’s CISO describing the good, the bad and the ugly in the cloud. Here were some of the bullets:
Good (promises): Lower costs, on-demand access and self-service, rapid provisioning and deprovisioning, minimal manual effort, ubiquitous network access, measured service.
Bad (concerns): Loss of control, trust, security, data privacy (demonstrating compliance), resiliency, where’s my data? (meeting) legal requirements, proving hosting claims and promises when not in your region — with no employee travel allowed.
Ugly (keeps me up at night): Below the cost threshold for procurement scrutiny, explosive growth/migration of service consumption and bandwidth, fewer eyes on service use, contract hell, vendor management skill sets lacking or nonexistent, paradigm shift for IT rate reimbursement models from agencies, how to block rogue cloud providers.
Do these topics sound familiar? We still struggle with the same challenges that were identified when we drew our first cloud architecture on a whiteboard. Meanwhile, the online threat situation has worsened, with relentless cyberattacks continually moving the “secure” target for even the best cloud providers.
How can you address concerns and drive greater cloud adoption? How can we get to those cost-saving and service delivery benefits, while minimizing risk?
I offer five recommendations to reduce your risk of data loss and protect your data in the cloud:
1. Perform an enterprise cloud risk assessment. This process is focused on your cloud applications and finding out where data is being stored. The goal? Develop an “as is” cloud assessment. What’s really happening now?
- Survey the network to ID your SaaS footprint.
- Build a data flow map. You’ll need tools to help, but you need to know where your data is going.
- Risk score applications and data found. After you know where the data is, you can use tools to build a score of the level of trust in the cloud service and process.
- Consider using a cloud access security broker to help in this process.
2. Business requirements specification and gap analysis. This step maps what you know about business compliance needs (like PCI, HIPAA and tax data) with what’s actually happening on your network.
3. Build a plan to address “shadow IT.” This step pulls together data from steps one and two to obtain an action plan that brings strategic results. Include legal, procurement and security specialists. There are companies that can help you through this planning and remediation process.
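The three steps above can be carried out in miniature. The following Python script is an added example and is not part of Dan Lohrmann's article: it parses constructed web-proxy log lines to discover the SaaS footprint and build a department-to-service data-flow map (step 1), risk-scores each service against a hypothetical sanctioned-service catalogue and per-department compliance data classes such as PCI and PHI (step 2), and emits the ranked list of gaps that would seed a shadow-IT action plan (step 3). Every domain, department, data class and the scoring rubric itself is invented for illustration; a real assessment would feed this from a CASB or proxy export and from the organization's own compliance inventory.

```python
"""
Added example (not from the article): a minimal "as is" cloud assessment over
constructed web-proxy log lines. It discovers the SaaS footprint, builds a
department -> service data-flow map, risk-scores each service, and flags the
gaps that become the shadow-IT action plan. All domains, departments, data
classes and the scoring rubric are hypothetical.
"""
from collections import defaultdict
import re

# Constructed proxy log lines: "<timestamp> <user>@<dept> <dest_host> <bytes_out>"
PROXY_LOG = """\
2024-05-01T09:01:02 alice@finance sheets.example-saas.com 120000
2024-05-01T09:03:10 bob@finance quickfile.example-share.net 5200000
2024-05-01T09:05:44 carol@hr people.example-hrcloud.com 80000
2024-05-01T09:07:00 dave@clinic notes.example-anon.io 2400000
2024-05-01T09:09:31 alice@finance sheets.example-saas.com 4000
2024-05-01T09:12:19 erin@eng repo.example-git.com 900000
"""

# Hypothetical service catalogue: cloud services that have been reviewed and
# contracted, and the data classes each one is approved to hold.
SANCTIONED = {
    "sheets.example-saas.com": {"approved_for": {"internal", "pci"}},
    "people.example-hrcloud.com": {"approved_for": {"internal", "pii"}},
    "repo.example-git.com": {"approved_for": {"internal"}},
}

# Hypothetical business requirements (step 2): the data classes each department
# handles, derived from obligations such as PCI, HIPAA (PHI) or tax rules.
DEPT_DATA_CLASSES = {
    "finance": {"internal", "pci", "tax"},
    "hr": {"internal", "pii"},
    "clinic": {"internal", "phi"},
    "eng": {"internal"},
}

LINE_RE = re.compile(r"^(\S+) (\S+)@(\S+) (\S+) (\d+)$")


def parse_log(text):
    """Yield (dept, host, bytes_out) tuples; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _, _, dept, host, nbytes = m.groups()
            yield dept, host, int(nbytes)


def build_data_flow_map(text):
    """Step 1: SaaS footprint and data-flow map as dept -> host -> total bytes out."""
    flows = defaultdict(lambda: defaultdict(int))
    for dept, host, nbytes in parse_log(text):
        flows[dept][host] += nbytes
    return {dept: dict(hosts) for dept, hosts in flows.items()}


def risk_score(host, dept, bytes_out):
    """Additive 0-10 score; a constructed rubric, not an industry formula."""
    score = 0
    entry = SANCTIONED.get(host)
    if entry is None:
        score += 5                      # unknown / unsanctioned service
    regulated = DEPT_DATA_CLASSES.get(dept, set()) - {"internal"}
    if regulated:
        score += 2                      # department handles regulated data
        if entry is not None and not regulated <= entry["approved_for"]:
            score += 2                  # sanctioned, but not for every class handled
    if bytes_out >= 1_000_000:
        score += 1                      # bulk outbound volume
    return min(score, 10)


def gap_analysis(text):
    """Steps 2-3: (dept, host, score, reason) for every flow needing action, highest risk first."""
    findings = []
    for dept, hosts in build_data_flow_map(text).items():
        for host, nbytes in hosts.items():
            entry = SANCTIONED.get(host)
            if entry is None:
                reason = "unsanctioned service (shadow IT)"
            else:
                missing = DEPT_DATA_CLASSES.get(dept, set()) - entry["approved_for"]
                if not missing:
                    continue            # sanctioned and approved for all classes: no gap
                reason = "not approved for: " + ", ".join(sorted(missing))
            findings.append((dept, host, risk_score(host, dept, nbytes), reason))
    return sorted(findings, key=lambda f: -f[2])


if __name__ == "__main__":
    for finding in gap_analysis(PROXY_LOG):
        print(finding)
```

Running the script lists the two unsanctioned file-sharing and note-taking services used by departments that handle PCI and PHI data at the top, followed by a sanctioned spreadsheet service that is contracted for PCI but not for tax data. That last finding is the kind of gap that only shows up when step 1's discovery is joined with step 2's compliance requirements, which is why the article insists on doing both before planning remediation.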
4. Choose a cloud governance framework to implement. This recommendation is independent of the first three. Here are two options:
- The Federal Risk and Authorization Management Program (FedRAMP), which is based on security standards including FISMA, NIST 800 and FIPS-199 and aims to build a catalog of prescreened cloud providers for government agencies. Learn more about FedRAMP.
- The United Kingdom’s Government G-Cloud framework offers another excellent approach, and the security principles are online.
- This video discusses related options and details regarding the implementation of a cloud governance framework.
5. Examine and implement cloud best practices.
- The Cloud Security Alliance promotes the use of best practices for providing security assurance in cloud computing.
- The Cloud Best Practices Network offers case studies and social media connections to help build enterprise solutions.
A final thought: Frederick the Great of Prussia once said, “He who defends everything defends nothing.”
We’ll never finish securing the entire cloud. (We’ll always have new online threats and vulnerabilities.) Your goal is to build resilience into your cloud situation and know what to do if an incident occurs with your data.
What did I miss? What are your thoughts on securing your data in the cloud?
Source: LinkedIn