Friday, February 21, 2014

Risk changes in the cloud

An article worth reading from ISACA. ISACA engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems.

It is 2014. The cloud is here.
Companies are no longer tolerant of security-and-compliance teams telling them they cannot go to the cloud. The benefits of cloud technologies are too many to ignore in a business strategy: commodity pricing, flexible scaling, low staff needs, and (for SAAS) a rent-to-own model.
Risk teams must learn how to adapt to the cloud environment, which means changing how they measure and respond to risk in cloud situations. Risk leaders who refuse to make this change are likely to find themselves irrelevant in their organization, suffering not only career immobility but also standing on the sidelines as they watch their company take on increasing risk with little or no care for mitigation.
Risk leaders should follow four steps to help their companies adopt cloud technologies while minimizing overall risk:
  1. Adopting and adapting application-security-assessment tools. Questionnaires for cloud services need to go beyond the standard set of questions and dig into important questions like framework compliance, monitoring/reporting, and even secure-development practices. By devising (or revising) questionnaires that help uncover where risk will be transferred successfully, where the client will need to mitigate risk, and where risk will be accepted, teams enable their companies to benefit from cloud efficiencies while retaining relevance in the conversation.
  2. Recognizing that going to the cloud has benefits. Yes, it involves some transfer of risk, for instance physical access control and disaster recovery, and other data center controls traditionally owned by the company get transferred to the cloud provider. But these risk transfers should not be made blindly. Cloud customers should have their providers document how they manage these risks and attest to, or provide appropriate proof of, compliance. In the end, the transfer of these risks can often be financially advantageous.
  3. Redefining controls required for risk mitigation. In IAAS and PAAS environments, controls such as encryption-at-rest are absolutely required for sensitive data. (In many organizations, data-at-rest has been “overlooked” because data centers provide compensating controls that prevent physical access to sensitive data.) Strict controls on administrative access to systems and resources need to be implemented and validated regularly to ensure cloud providers are not able to gain unauthorized access. In SAAS environments, strong monitoring and reporting tools must be made available to the client for the very same reason.
  4. Educating IT and business leaders on risks being accepted. Risk managers are, by nature, extremely risk averse and the idea of accepting risk is a scary one. But businesses accept risk all the time (often unknowingly). By identifying risk and alerting leaders, risk managers can help the business put risk into business contexts so leaders can make informed decisions.
As we are all aware, moving to the cloud can introduce companies to new risks. Security, audit and GRC leaders who proactively engage business leaders in understanding and managing risks associated with cloud technologies help their companies minimize risk while maximizing cloud efficiencies.
Business is about results. Risk teams that achieve results will become increasingly valuable in their organizations.
John Overbaugh
Managing Director, Security Services
Caliber Security Partners