CIO Leadership, Security

How to achieve stronger cloud security

As cloud security evolves, how should CIOs and CISOs assess and govern security risks?

Blog-post by,
HP Blogger
,

Despite growing cloud adoption in the enterprise, security remains a concern. How cloud vendors—and customers—approach security is still developing, and best practices and policies are just emerging.

On the other hand, the rise of cloud solutions can help reshape the role of IT security teams. After all, one advantage of the cloud is that it drives the organization to take a more comprehensive, and effective, approach to risk governance.
 
Nonetheless, security consistently ranks among the top three concerns that business leaders express when asked why they’re reluctant to move critical data to the cloud. It’s imperative that you understand how your team should approach security when evaluating cloud options.

To help ensure you’re taking the right steps, make sure you’re implementing these four best practices:

1. Measure your vendors’ security compliance against standards and best practices

It would be great to perform a direct audit of your IT vendors, examining every aspect of cloud security compliance against an industry standard. But direct auditing is rarely, if ever, allowed, and industry standards are still being drawn up. The next best thing is to rely on verified compliance, but against what standards?
 
Start by looking for a vendor that has proven compliance with ISO—that’s the big one. Drill down to discuss CSA recommendations, SAS 70 and other guidance that suits your specific use cases.

And most importantly, you or your chief security officer need to understand what is most important to you and your business when it comes to security and discuss it with the vendor’s CISO.

2. Weigh the criticality of your data versus potential security risks

Certain types of sensitive data—HR files, healthcare records, payroll info, sensitive product plans—are at great risk if shared via solutions that are not sufficiently secure. The key is to risk-rank your data from highly critical to public, then think about where it should reside, how long it needs to be protected, and what protection schemes are appropriate. Consider the business value versus risk.

3. Create an internal team that’s responsible for continuous risk assessment

Many businesses find that the best way to avoid “point in time” risk assessment is to create an internal team specifically tasked with this responsibility. Companies that already have external and internal audit functions to meet regulatory requirements may incorporate cloud risk assessment into those processes.
 
This doesn’t have to be a new layer of bureaucracy—this internal IT security layer can provide proactive risk assessment and recommendations across the organization. Aim to automate these practices where possible, eliminating manual steps and/or repetitive tasks to enhance efficiency and accuracy.

4. Educate your employees about how the cloud changes the role of IT security

Security is everyone’s concern—and everyone’s responsibility. This has always been the case, but the cloud only emphasizes this fact. The challenge is to make sure every employee understands the implications of allowing critical business data to be inadequately secured in a cloud context.

You can help by shifting the mindset from “controlling security” to “governing security and risk.” This means being proactive instead of reactive—putting governance processes in place to avoid problems before they ever arise.

The most recent issue of the Discover Performance newsletter (from which this post was adapted) has more insights and best practices about cloud security. Sign up today to receive the newsletter and get more articles that can help you turn IT performance into business success.

 

 

(2) (2)

Discussion
Would you like to comment on this content? Log in or Register.
pcalento
Paul Calento 256 Points | Mon, 10/22/2012 - 18:27

Cloud security success (described as detect, deter, respond by HP's Rafal Los) requires something other than merely tech ... URGENCY. And best practices and policies are crucial to making that happen, as does an embedded culture of security.

--Paul Calento

(note: I work on projects sponsored by EnterpriseCIOForum.com and HP)

pearl
Pearl Zhu 90 Points | Fri, 10/05/2012 - 17:15

Hi, Judy, enjoy your security blog, a few key point you list here are consisitent with conclusions from many good cloud secury/GRC debates, fucs on protecting data, not end point, culiivate security-enforcement culture and education, evaluate vendors of their capabilities and best practice for security, and streamline business process and team effort to enhance security/GRC discipline. thanks

Judy Redman
Judy Redman 55 Points | Tue, 10/09/2012 - 15:56

Thanks, Pearl, for your comments. Do you think that the team effort and training that "security is everyone's job" is the most important best practice?