Trust in the cloud hasn’t always been universal. There was a time when security and risk management leaders feared entrusting critical data and infrastructure to a third-party cloud provider. This was understandable, arising from the history of network management, where IT teams were intimately familiar with managing the resources that made up their IT infrastructures, from the buildings they were housed in, to the electricity and cooling supply, through to the server, all the way down to the storage and networking infrastructure.
However, this level of familiarity isn't possible once you delegate responsibility to your cloud provider, and clinging to it can prevent organisations from gaining optimal cloud efficiency and security. Clearly, a shift in mindset is needed.
In their report, "CISO Playbook: How to Retain the Right Kinds of Control in the Cloud", Gartner make the analogy that moving to the cloud is a bit like flying somewhere on a plane compared to driving your own car. You are relinquishing control of your journey to the flight crew, which can cause anxiety. However, that anxiety is largely irrational: whereas you might check the oil, tyres and windscreen washer fluid on your car once in a blue moon, the plane is checked rigorously before every flight. Migrating to the cloud therefore requires a new outlook on how you control your data and a better understanding of what cloud service providers do to ensure security, so that you feel comfortable giving up ownership of the underlying platform.
In today’s context, customers still own their data but share stewardship with cloud providers. The concept of “control” has changed from physical location-based ownership to control of processes. Information security and risk management leaders therefore need to adopt a new approach of indirect control to achieve efficiency, security and above all peace of mind. With this in mind, we will try to define how you can get the right kind of control over your cloud.
Design the right identity and access management strategy
Security teams and developers can find cloud-based control concepts difficult to grasp. But really, it's a similar situation to giving up ownership of the fibre and copper in their wide-area networks: telecommunications carriers own the physical infrastructure, but data remains owned and controlled by their customers. It's all about delineating security responsibility. The hand-off point is not fixed; it moves with the service model. With infrastructure as a service you still own the operating system, its patching, and everything above it; with platform and software as a service the provider takes on more of the stack, and you are left with identities, data, and the configuration you choose. Once you've defined the hand-off point for each service you use, you'll know that beyond it your CSP is responsible for security, and that everything on your side of it is yours to secure and to evidence.
Your responsibility lies in designing an Identity and Access Management (IAM) strategy that covers not only the cloud platform itself but also the applications and services that the platform presents to the outside world. Access should be granted on a "least privilege" basis, to human users and to the service accounts and roles your workloads run under alike, rather than handing out blanket authority to all. Wildcard permissions are the usual way blanket authority creeps in, so policies should be reviewed for them before they are deployed. This improves audit capabilities and reduces the risk of unauthorised changes to the platform.
On top of that, you should work with your cloud provider to use encryption for a higher degree of logical isolation. Encryption of data at rest and in transit is a way to secure, segregate and isolate data on a public cloud platform that does not depend on where the data physically sits. While it is highly unlikely that anyone would break into a public cloud data centre and physically steal a disk drive containing your data, encryption at rest still earns its keep: it limits the damage from misconfigured storage or mishandled decommissioned media, and if you hold the keys yourself it gives you a control the provider cannot exercise on your behalf, since destroying a key renders the data unreadable wherever copies of it remain. Encrypting data at rest is therefore strongly recommended, and the decision that matters most is who manages the keys.
Increase monitoring and re-orient audit objectives
With the regulatory environment growing in complexity, organisations using the cloud are increasingly asked to demonstrate strong governance. The fact that you've delegated some control to your CSP means that you'll have to demonstrate that governance procedures are in place and are being followed, on both sides of the hand-off point.
In order to do so, you should seek to work with a cloud service provider that offers security and compliance monitoring and reporting, and that holds independent compliance attestations which will let your cloud workloads meet the necessary requirements come audit time. Bear in mind that the provider's attestation covers only the provider's side of the shared responsibility model; evidence for your own configuration, access control and logging still has to come from you.
Compare your security requirements and measure CSP performance against SLAs
Another point to pay close attention to is the contractual terms that bind the CSP with respect to protection of customer data and privacy. Contracts with hyperscale cloud providers tend to overwhelmingly protect those CSPs, but it is possible to work with some CSPs to reach agreement on terms more favourable to customers.
The final recommendation concerns cloud service provider contracts and SLAs. Many CSPs, especially the hyperscale providers, can be extremely rigid with their SLAs and very inflexible when asked to change them. It's important to find out where your CSP stands on different aspects of compliance. Are they able to share their certifications and attestations? How flexible are they with their SLAs on subjects such as availability? Will they pay out service credits if service is not available according to the SLA? These are questions you will need answered before going forward with your CSP. One further piece of advice: compare your security requirements for externally hosted data to the capabilities of CSPs in the context of your risk appetite, so that any gap between the two is a conscious, documented decision rather than a surprise.
To summarise, with security risks and compliance regulations only increasing, along with the adoption of cloud services, it's important to understand shared responsibility with regard to cloud security. Striking the right balance between relinquishing and maintaining control in the cloud will enable your business to securely leverage the many benefits of cloud services. Having control of your cloud doesn't mean you should manage every aspect of it; make sure instead that you know exactly what you are accountable for, and that is the right kind of control.