Cloud Security: It’s in the Cloud - But Where? (Part III)

Monday, July 06, 2015

Steve Durbin


In Part II, I discussed how organizations can enable cloud resilience and why it’s necessary to secure the cloud provider.

Today, let’s look at the need to institute a cloud assessment process and the four actions that organizations of all sizes can take to better prepare themselves as they place their sensitive data in the cloud.

While the cost and efficiency benefits of cloud computing services are clear, organizations cannot afford to delay getting to grips with their information security implications. In moving sensitive data to the cloud, every organization must know whether the information it holds about an individual is Personally Identifiable Information (PII) and therefore requires adequate protection.

There are many types of cloud-based services and options available to an organization. Each combination of cloud type and service offers a different range of benefits and risks. Privacy obligations do not change when using cloud services, so the choice of cloud type and cloud service requires detailed consideration before either is used for PII.

Unfortunately, there is often a lack of awareness of information risk when moving PII to cloud-based systems. In particular, business users purchasing a cloud-based system often have little or no idea of the risks they are exposing the organization to and the potential impact of a privacy breach. In some cases, organizations are unaware that information has been moved to the cloud. Other times, the risks are simply being ignored. This is at a time when regulators, media and customers are paying more attention to the security of PII.

Here are four key issues:

  • Business users often have little or no knowledge of privacy regulation requirements, because privacy regulation is a complex topic that is further complicated by the use of the cloud.
  • Business users don’t necessarily question which PII the application will collect and use.
  • Business users rarely consider cloud-based systems to be different from internal systems from a security perspective, and thus expect them to have the same level of protection built in.
  • Application architects and developers often collect more PII than the applications need.

These issues often expose the organization to risks that could be completely avoided or significantly reduced.

The Cloud Assessment Process

Not to sound like a broken record, but putting private information into the cloud will certainly create risk that must be understood and managed properly. Organizations may have little or no visibility over the movement of their information, as cloud services can be provided by multiple suppliers moving information between data centers scattered around the world. If the data being moved is subject to privacy regulations and the data centers are in different jurisdictions, this can trigger additional regulations or result in a compliance breach.

The decision to use cloud systems should be accompanied by an information risk assessment that’s been conducted specifically to deal with the complexities of both cloud systems and privacy regulations; it should also be supported by a procurement process that helps compel necessary safeguards. Otherwise, the tireless pressure to adopt cloud services will increase the risk that an organization will fail to comply with privacy legislation.

The objective of the ISF cloud assessment process is to determine whether a proposed cloud solution is suitable for business-critical information. When assessing risk, here are a few questions that you should ask of your business:

1. Is the information business critical?
2. Where is it?
3. What is the potential impact?
4. How will it be used?
5. How does it need to be protected?
6. What sort of cloud will be used?
7. How will the cloud provider look after it?
8. How will regulatory requirements be satisfied?

Managing information risk is critical for all organizations to deliver their strategies, initiatives and goals. Consequently, information risk management is relevant only if it enables the organization to achieve these objectives, ensuring it is well positioned to succeed and is resilient to unexpected events. As a result, an organization’s risk management activities – whether coordinated as an enterprise-wide program or at functional levels – must include assessment of risks to information that could compromise success.

Better Preparation

Demand for cloud services continues to increase as the benefits of cloud services change the way organizations manage their data and use IT. Here are four actions that organizations of all sizes can take to better prepare:

  • Engage in cross-business, multi-stakeholder discussions to identify existing and planned cloud arrangements
  • Understand clearly which legal jurisdictions govern your organization’s information
  • Adapt existing policies and procedures to engage with the business
  • Align the security function with the organization’s approach to risk management for cloud services

With increased legislation around data privacy, the rising threat of cyber theft and the simple requirement to be able to access your data when you need it, organizations need to know precisely to what extent they rely on cloud storage and computing.

But remember: privacy obligations don’t change when information moves into the cloud. This means that most organizations’ efforts to manage privacy and information risk can be applied to cloud-based systems with only minor modifications, once the cloud complexity is understood. This can provide a low-cost starting point to manage cloud and privacy risk.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.