A Cloud Services Security Playbook

Arun DeSouza, CISO & CPO, Nexteer Automotive

The Winds of Change are blowing through the world of work today. Macro trends such as the Fourth Industrial Revolution and the era of Distributed Work require that companies enact and accelerate digital transformation. Technologies such as Artificial Intelligence, Blockchain, Autonomous Vehicles, Robotic Process Automation, Edge Computing, and Internet of Things are enabling innovation, competitive advantage and cost savings.

Amidst this backdrop, Cloud Computing has become central to digital business to enable business process re-engineering efficiently and effectively to drive companies forward and fuel competitive advantage. Cloud security and privacy are now mission critical. Thus, envisioning and enacting a governance lifecycle for cloud applications and services is necessary for enterprise risk management. This article recommends best practices for cloud security and governance.

Initiate the process by developing and communicating a company policy for cloud computing. This policy can be used as a foundation to have conversations and educate business partners. It is important to reinforce that due diligence and due care are required before they buy cloud services. The internal Purchasing organization is a key ally in implementing full lifecycle service assurance for cloud contracts. They can ensure that all necessary checks have been completed prior to contract execution.

It is important to ensure that cloud providers have appropriate administrative, technical and physical safeguards in place by verifying their compliance with corporate security policy. Purchasing should provide a standard screening checklist to potential providers before contracts are signed. The Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire (CAIQ) is a great framework for this purpose to evaluate and compare cloud providers. Additionally, Purchasing should request Service Organization Control (SOC) reports from independent third parties which clearly illustrate the security posture of the cloud service being considered.

The Office of the CISO should conduct an in-depth review of the completed forms and SOC reports. This vetting process can help enact a risk-based decision about the potential cloud provider based on technical fit and risk considerations along with commercial modalities. It is also advisable to include appropriate security constructs in the contracts, including right to audit. The ability to conduct on-site auditing of cloud data centers to confirm adequacy whenever feasible is desirable.

Confidentiality is about data, and privacy is about people. Confidentiality and privacy become intertwined when data is about people. Privacy is the real wild card now due to global regulations (e.g., GDPR) which have significant penalties for data breaches. In addition, companies may face reputational harm and loss of trust. Sector specific regulations such as the Health Insurance Portability and Accountability Act (HIPAA) also have a role to play.

Thus, it is also important to address privacy posture at the cloud provider. Storing EU resident data in data centers in other regions may be tricky due to stringent regulations. It is important to execute Data Processing Agreements (DPAs) with cloud providers during contract execution to ensure that their privacy and security safeguards are comprehensive and adequate.

Once the contract is signed and deployment can begin, leverage the CSA Cloud Controls Matrix as a framework to design appropriate protections.

The first step is to integrate the new cloud service with the corporate identity management framework to enable secure “Anytime, Anywhere, Authorized” access, enacting Single Sign-On (SSO) complemented by multi-factor authentication for off-campus access.

A paradigm shift is needed as the traditional layered perimeter approach to network security is insufficient. Zero Trust transforms conventional network-based security by changing the focus of security to be centered on users and data. Zero Trust abandons the old “castle and moat” approach of the network perimeter to leverage and strengthen Identity as the new digital perimeter. Zero Trust requires that organizations manage security from the inside out:

• Grant users the least amount of access they need to accomplish a specific task

• Verify, always – whether users are internal or external

• Leverage strong technology controls to secure application access

Business process architecture and data flow mapping are critical to enact Zero Trust protection schemes. The key principle is to deploy governance centered on role-based access controls and “minimum necessary” access. Thus, a significant value add of Zero Trust is enhanced privacy safeguards and a risk-based approach to granting access to cloud applications.

A strategic choice is to use identity lifecycle management driven provisioning and de-provisioning to cloud applications. This can help minimize the risk of intellectual property loss when people leave the company by automatically deactivating their cloud access, while increasing the overall process efficiency from onboarding to offboarding. Powering the automatic provisioning and de-provisioning by integrating the identity management framework with the HRIS is strongly recommended as well.
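A reconciliation pass of the kind this implies, combining HRIS-driven deprovisioning with the role-based “minimum necessary” principle above, is sketched below. This is an added example, not code from the article; the record layouts, role names, entitlement names and IDs are all hypothetical, constructed sample data.

```python
from datetime import date

# Constructed sample data: all names, IDs and roles below are hypothetical.
ROLE_ENTITLEMENTS = {
    "engineer": {"cad_viewer", "plm_read"},
    "buyer": {"supplier_portal"},
}

HRIS = [  # authoritative source of employment status
    {"id": "E100", "role": "engineer", "status": "active", "last_day": None},
    {"id": "E101", "role": "buyer", "status": "terminated", "last_day": date(2024, 3, 1)},
    {"id": "E102", "role": "buyer", "status": "active", "last_day": None},
    {"id": "E103", "role": "engineer", "status": "active", "last_day": None},
]

CLOUD_ACCOUNTS = [  # accounts as reported by the cloud application
    {"id": "E100", "active": True, "entitlements": {"cad_viewer", "plm_read", "plm_admin"}},
    {"id": "E101", "active": True, "entitlements": {"supplier_portal"}},
    {"id": "E102", "active": True, "entitlements": {"supplier_portal"}},
    {"id": "X999", "active": True, "entitlements": {"plm_read"}},  # no HRIS record
]

def reconcile(hris, accounts, role_entitlements, today):
    """Return (action, id, detail) tuples that bring accounts in line with HRIS."""
    people = {p["id"]: p for p in hris}
    actions, seen = [], set()
    for acct in accounts:
        seen.add(acct["id"])
        person = people.get(acct["id"])
        employed = (person is not None and person["status"] == "active"
                    and (person["last_day"] is None or person["last_day"] >= today))
        if not employed:  # leaver or account with no owner: access must end
            if acct["active"]:
                reason = "orphan" if person is None else "offboarded"
                actions.append(("deactivate", acct["id"], reason))
            continue
        allowed = role_entitlements.get(person["role"], set())
        excess = acct["entitlements"] - allowed  # beyond "minimum necessary"
        if excess:
            actions.append(("revoke", acct["id"], sorted(excess)))
    for pid, person in people.items():  # onboarding: employee without an account
        if pid not in seen and person["status"] == "active":
            allowed = sorted(role_entitlements.get(person["role"], set()))
            actions.append(("provision", pid, allowed))
    return actions

if __name__ == "__main__":
    for action in reconcile(HRIS, CLOUD_ACCOUNTS, ROLE_ENTITLEMENTS, date(2024, 3, 15)):
        print(action)
```

Accounts with no HRIS owner are treated the same as leavers, since an account nobody is accountable for is the case a manual offboarding checklist tends to miss.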

Use encryption to protect data at rest and in transit when consuming cloud services. Certificate services and proper application controls, such as Web Application Firewalls deployed in front of web servers, can also help strengthen the security of cloud services.

Consider leveraging Cloud Access Security Broker (CASB) technology for intellectual property and data protection. CASBs can enable visibility into both sanctioned and unsanctioned cloud usage. This can help enable proactive controls and remediation.

Confirm that cloud service security protocols such as automated discovery, access monitoring, alert management and threat protection are active for cloud services. Ensure that responsibilities for monitoring of policy compliance and coordinating corrective actions for non-compliance have been set both at the provider level and inside the internal IT organization.

A keen focus on risk management is needed to protect the enterprise. Due care and diligence are paramount for mitigating risk. At stake are corporate brand reputation and competitive advantage. Data protection is critical as regulations such as the GDPR become stronger and more potent. With GDPR, companies can face potential fines of up to 4 percent of global revenue in case of a data breach or privacy violation.

The Cloud is the de facto hub for digital transformation. Cloud governance and security are extremely important and are essential for mitigating enterprise risk. A well thought out cloud strategy and playbook can help protect enterprise data, systems and applications.
