Chief information officers (CIOs) today face a cloud conundrum with many competing stakeholder priorities. Stakeholders on the business side are seeking the robust feature sets, cost savings, and fast implementation times found in the cloud. Meanwhile, stakeholders in information security fear the cloud; more particularly, they fear losing transparency and control. And the CEO and board of directors expect CIOs to achieve corporate objectives, while often not fully understanding the tradeoffs that come with building infrastructure vs. buying cloud solutions.
As a result, CIOs often feel caught in an adversarial position, torn between maintaining security (and peace) internally and wanting to support smart investments in technology that help move the business forward. Making a bet on the cloud can also feel scary—the CIO’s title is on the line. The wrong technology selection can create immense business risk. And no one wants to harm their customers, their company or their own reputation.
"Security in the cloud is more about managing risk than managing absolute security"
Faced with growing movement toward cloud services, discerning CIOs need to ask the hard questions. What protections and service level agreements (SLAs) will we have for customer data? What about for information security and availability? Creating good cloud policy takes asking the right questions and building the right working relationships.
Here are six areas of focus to help you better manage your organization's ongoing transition to the cloud.
• Accept the New Normal: It’s happening—the cloud is here to stay. In most cases, you can’t stop this transition, but you can better manage your company’s move to the cloud. Accepting that fact and building internal processes that reduce risk to your business is the first step to moving to the cloud.
• Do Your Homework: Your best defense in the cloud is robust due diligence on third-party vendors, and it should be more than a check box. Make sure your security team is integrated with the business early in the procurement cycle. Get third-party audit reports from the cloud provider, such as SOC 1 and SOC 2 reports (SOC 1 is issued under SSAE 16, since superseded by SSAE 18) and a PCI DSS Attestation of Compliance, and actually read them: check that the report's scope covers the services you will use, that the period covered is recent, and what exceptions the auditor noted. Have a conversation with, or pay an in-person visit to, the cloud provider's security team. Ask for additional evidence to support your due diligence process.
• Create a Shared Responsibility Model: Understanding roles and responsibilities is the single most challenging aspect of moving to a cloud-based model. In the past, companies owned and managed every layer of technology, including the hardware, operating systems, databases, and applications. Things were black and white. Under infrastructure as a service (IaaS), platform as a service (PaaS), or software as a service (SaaS) models, the line moves: with IaaS you still patch and harden the guest operating system; with PaaS the provider runs the platform but you own the application code, its dependencies, and its configuration; with SaaS you still own your data, your users' identities and access, and the service's security settings. Who owns what? Who does what? Work with your cloud provider early in the sales cycle to understand who is responsible for which security aspects of the solution, and get the answer into the contract rather than leaving it in a slide deck. Establishing responsibility can be more complicated than you think, so ask detailed questions.
• Establish a Level of Visibility: When you move to the cloud, you won't necessarily miss the mundane responsibilities of owning and managing your own infrastructure: buying servers, racking, cabling, patching, rebooting, or getting a call at 2am. What you will miss is the visibility that lets you know those tasks are being done, and done correctly. The gap between what enterprise organizations are accustomed to seeing on their own infrastructure and what they can see in the cloud is a big change. Ask your cloud service provider for more visibility, including provider audit and security logs forwarded into your security information and event management (SIEM) system, access to vulnerability scan results for the provider-managed layers, and administrative access to your own instances. Monitoring of the layers you control remains your job; the point of the provider's logs is to extend that monitoring to the layers you no longer see.
• Understand Your Business Context: Is your cloud provider hosting a web application advertising the national sheep shearing championships? Or are you a major university hospital system putting protected health information (PHI) and cardholder payment data into the cloud? These two organizations have very different security concerns and requirements. Your company's unique context, the types of data and the use cases for cloud services, will be critical to understanding the levels of security and compliance you need from a cloud service provider. All too often, I speak with chief information security officers (CISOs) who are more concerned with cloud security implementation details than with understanding the risks and cyber threats that should drive the choice of controls to protect their data.
• Meet Your New Security Team: Think of your cloud provider's security team as an extension of your internal security team. You are paying this provider to secure your systems and data, so, if they will let you, integrate their team with yours. Exchange contact information, connect on LinkedIn, set up a quarterly check-in call, and share cyber threat intelligence. Remember that you have the business context for your data, and your cloud provider has the most visibility and cloud security expertise. Work together.
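The visibility item above asks for provider logs in your SIEM; what follows is an added example, not code from the original article, of the kind of rule a security team would run over those logs once they arrive. The records are constructed for this example and are modeled on AWS CloudTrail's JSON field names (eventName, userIdentity.type, additionalEventData.MFAUsed, responseElements.ConsoleLogin); the three rules, their names and the thresholds are this example's assumptions, not any vendor's detection content.

```python
"""Flag high-signal events in cloud provider audit logs delivered to a SIEM.

Rules (illustrative, assumed for this example):
  ROOT_ACTIVITY             - any API call made by the account's root identity
  CONSOLE_LOGIN_WITHOUT_MFA - a successful console login where MFA was not used
  AUDIT_LOGGING_TAMPERED    - calls that stop, delete or reconfigure the audit trail
"""
import json
from typing import Dict, List

# Events that reduce or disable the provider's own audit logging.
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# Constructed sample records (not real data), one JSON object per line as a
# log forwarder would typically deliver them. IPs are RFC 5737 documentation ranges.
SAMPLE_LOG = """
{"eventTime":"2016-03-01T02:11:09Z","eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com","userIdentity":{"type":"IAMUser","userName":"alice"},"additionalEventData":{"MFAUsed":"Yes"},"sourceIPAddress":"203.0.113.10","responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2016-03-01T02:14:31Z","eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com","userIdentity":{"type":"Root","userName":"root"},"additionalEventData":{"MFAUsed":"No"},"sourceIPAddress":"198.51.100.7","responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2016-03-01T02:15:02Z","eventName":"StopLogging","eventSource":"cloudtrail.amazonaws.com","userIdentity":{"type":"Root","userName":"root"},"sourceIPAddress":"198.51.100.7"}
{"eventTime":"2016-03-01T02:20:45Z","eventName":"DescribeInstances","eventSource":"ec2.amazonaws.com","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"203.0.113.11"}
{"eventTime":"2016-03-01T02:22:00Z","eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com","userIdentity":{"type":"IAMUser","userName":"carol"},"additionalEventData":{"MFAUsed":"No"},"sourceIPAddress":"192.0.2.44","responseElements":{"ConsoleLogin":"Failure"}}
"""


def parse_records(raw: str) -> List[Dict]:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def evaluate(event: Dict) -> List[str]:
    """Return the names of the rules a single event trips (possibly several)."""
    hits: List[str] = []
    identity = event.get("userIdentity", {})
    if identity.get("type") == "Root":
        hits.append("ROOT_ACTIVITY")
    if event.get("eventName") == "ConsoleLogin":
        # Only successful logins matter here; failed no-MFA attempts are a
        # different (brute-force) signal and are deliberately not flagged.
        success = event.get("responseElements", {}).get("ConsoleLogin") == "Success"
        mfa_used = event.get("additionalEventData", {}).get("MFAUsed") == "Yes"
        if success and not mfa_used:
            hits.append("CONSOLE_LOGIN_WITHOUT_MFA")
    if event.get("eventName") in LOGGING_TAMPER_EVENTS:
        hits.append("AUDIT_LOGGING_TAMPERED")
    return hits


def find_findings(raw: str) -> List[Dict]:
    """Run every rule over every record and return one finding per rule hit."""
    findings: List[Dict] = []
    for event in parse_records(raw):
        for rule in evaluate(event):
            findings.append({
                "rule": rule,
                "time": event.get("eventTime"),
                "user": event.get("userIdentity", {}).get("userName", "?"),
                "source_ip": event.get("sourceIPAddress"),
            })
    return findings


if __name__ == "__main__":
    for f in find_findings(SAMPLE_LOG):
        print(f"{f['time']} {f['rule']:26} user={f['user']} ip={f['source_ip']}")
```

Run against the constructed sample, the rules produce four findings, all from the same source address: the root login without MFA trips two rules, and the StopLogging call that follows trips two more. That pairing (privileged access, then the trail going dark) is exactly what you cannot see unless the provider's logs reach your SIEM.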
In the end, security in the cloud is more about managing risk than ensuring absolute security. Companies will continue to rush to small- and medium-sized cloud service providers, all of which will be offering the latest and greatest technology to run their businesses. CIOs will find the most success securing the cloud if they understand how to filter out which vendors really present risk to their organizations, and then press the higher-risk vendors for security features, compliance, visibility, partnership, and engagement. Cloud security is a partnership, not a panacea.