Naive presumptions and the typical fear of diminished responsibilities, coupled with the media’s continuous use of “the cloud” to describe once segregated IT functions, may be among several reasons why the information security community remains probably the last stubborn bastion of resistance to the cloud and beyond.
However, the open, navigable and internet-friendly nature of the cloud, coupled with the increasing internet automation and “app-isation” of almost every process and procedure (there is an app for that), can make it easier and, more importantly, more effective to adopt and implement information security governance, risk and compliance in the cloud.
Opportunities in adopting the cloud include the following:
An ongoing challenge facing the CISO is scalable and effective security. Without scalability, solutions are often rendered ineffective. The cloud model appears to be able to accommodate a more scalable, agile and user-friendly offering.
Historically, the phrases “user friendly” and “security” appeared to be at odds with each other, either by design or simply because industry experts have always dictated this incompatibility. However, the cloud often enhances the user experience, partly because of the perceived sense of freedom brought about by the use-your-own-device or access-from-anywhere policies associated with it.
The wholesale adoption of the cloud allows for significant automation of the majority of business functions. This automation and integration of IT services and business functions makes it easier to offer “transparent” but robust security to the user.
However, as always, the grass is not all green. Consider the following challenges and risks that remain largely ignored:
Questions that remain unanswered include:
- What assurances are provided for data integrity, confidentiality and availability when, in the cloud, data is most likely spread across multiple datacentres and regions?
- During an incident, what kind of forensic investigation would you be able to carry out using your own resources?
- Are you going to be able to receive and analyse logs from or in the cloud?
How reliable, accurate and true are the assurances provided by the cloud provider on key topics such as:
- Data residency (data and region segregation)?
- Data confidentiality?
- Detection of privileged and/or hacker abuse?
Data migration, business continuity planning (BCP) and disaster recovery (DR)
Think about things such as:
- The likes of Amazon and Google may not be at immediate risk, but what happens if your cloud provider packs up?
- What happens when you want to move to another provider?
- You are giving all your DR and BCP planning headaches to the cloud – is that acceptable?
The cloud route is inevitable, and the smart, astute CISO should embrace, rather than reject, its offerings.
ISACA’s 2012 IT Risk/Reward Barometer for the UK shows that 56% of those surveyed think the benefits of the private cloud outweigh the risks.
Needless to say, it is critical to carry out a rigorous risk and opportunity assessment, such as Calculating Cloud ROI, a complimentary guide from ISACA. This will enable the CISO to build a greater understanding of the effects, risks and opportunities of adopting the cloud. A well-governed cloud initiative can deliver significant value to an enterprise.
Amar Singh is a member of the ISACA London Chapter Security Advisory Group and CISO of News International.
This was first published in April 2013