Always take a risk-based approach to cloud adoption, a panel has told security professionals at the (ISC)2 Security Congress 2013 in Chicago.
“This requires involving a company legal representative from the start, at the negotiation stage to ensure the business understands the risk it is taking on,” said Ken Stavinoha, a solutions architect from Cisco.
Paul Yates who works in field sales at Intel said that legal is often involved only after the deal is done.
Read more about cloud security
- Public cloud secure, G-Cloud conference told
- Cloud adoption immature, shows security survey
- Cloud security for SMEs: Seven key steps
- Cloud endpoint security considerations: Endpoint security management
- How to assess the security of a cloud service provider
- Security Think Tank: Cloud, BYOD and security – lock your doors
- An introduction to enterprise hybrid cloud security
- Securing and mitigating risk in the cloud
- Transparency, not security, is biggest cloud challenge, says Verizon
“They are called in only to check the language of contracts or when something has gone wrong, which is too late,” he said.
The panel said that the decision to move to the cloud should be a group decision that involves all stakeholders: the business, legal and compliance, risk managers and IT security.
“That is why, when moving to cloud, it is important for an organisation to know exactly what its risk tolerances are and that the benefits can balance the risks,” said Stavinoha.
Organisations should review all technologies and processes with cloud in mind and try to negotiate some level of involvement or oversight in any infrastructure changes involving high-value assets.
The panel advised that those organisations moving to cloud should make use of attestation services to ensure platform integrity, workload classification, and context aware access control.
Classification is especially important when moving to cloud said Stavinoha to ensure appropriate data protection for different types of data and workloads.
“But organisations are often not prepared to do the groundwork of looking at what types of data they process and what controls need to be placed around each,” he said.
The panel said role-based monitoring and real-time alerting were good strategies when moving to cloud.
“It is important for organisations to ask if they will be notified if the cloud service provider is breached,” said Hemma Prafullchandra, chief technology officer, HyTrust.
However, she noted that in practice, business units are buying cloud services directly, bypassing the controls that IT security may have in place for other workloads.
“IT security professionals should educate the business about what they do to ensure the business knows what controls they are bypassing and should be asking for from providers, said Prafullchandra.
The panel said organisations using cloud services should seek to automate infrastructure hardening and request service providers to do this if possible.
In choosing cloud service providers, Prafullchandra said organisations should look to the consensus assessments published by the Cloud Security Alliance (CSA).
Yates said organisations should also look at the history and reputation of cloud service providers, and speak to your peers to get their opinion.
Stavinoha said due diligence is critical when it comes to cloud.
“This can involve a lot of investigatory work to get as many reference because at this relatively early stage of cloud adoption, organisations have to build their own trust model,” he said.
Yates said planning is also critical success, yet typically security is not part of the initially planning, and like traditional IT deployments, security is something that tends to be added afterwards.
To address the security challenges inherent in the move to cloud, the panel said organisations should look to new and emerging technologies such as host and virtual machine integrity capabilities.
Other examples include geo fencing, security stack integrity, security data analytics, hardware based root of trust using trusted platform modules (TPMs), continuous monitoring and contextual integrity.