Welcome!

@CloudExpo Authors: Ed Featherston, Rostyslav Demush, Jamie Madison, Jason Bloomberg, Greg Pierce

Related Topics: @CloudExpo, Cloud Security

@CloudExpo: Article

Managing Risk and Compliance in the Cloud

Whether organizations plan to use public or private clouds, better security and compliance is needed

Cloud computing represents today's big innovation trend in the information technology (IT) space. Because it allows enterprises to deploy quickly, move swiftly, and share resources, cloud computing is rapidly replacing conventional in-house facilities at enterprises of all sizes.

Unfortunately, in their eagerness to adopt cloud platforms and applications, enterprises are neglecting to recognize and address the compliance and security risks that come with implementation. Often the ease of getting a business into the cloud - a credit card and a few keystrokes is all that is required - provides a false sense of security.

However, shortcomings in the cloud providers' security strategy can trickle down to the businesses that leverage their services. In this context, damages can range from pure power outages impacting business performance, data loss, unauthorized disclosure, data destruction, copyright infringement, to brand reputational loss.

Risk in the Cloud
For enterprises planning to transition their IT environment to the cloud, it is imperative to be cognizant of issues such as loss of control and lack of transparency, which are often overlooked. Cloud providers may have service level agreements in place, but security provisions, the physical location of data, and other vital details may not be well defined. This leaves enterprises in a bind, as they must also meet contractual agreements and regulatory requirements for securing data and comply with countless breach notification and data protection laws.

Whether organizations plan to use public clouds, which promise an even higher return on investment, or private clouds, better security and compliance is needed. To address this challenge, organizations should institute policies and controls that match their pre-cloud requirements. At the end, why would you apply less stringent requirements to a third-party IT environment than your own - especially if it potentially impacts your business performance and valuation?

Recent cyber-attacks and associated data breaches of Google and Epsilon (a marketing services firm) are prime examples of why companies need to think about an advanced risk and compliance plan that includes their third-party managed cloud environment.

To protect your business, you should insist that your cloud service provider provides visibility into security processes and controls to ensure confidentiality, integrity, and availability of data.

Best Practices for Cloud Risk Management
According to Jim Reavis, co-founder and executive director of the Cloud Security Alliance (CSA), main inhibitors to the adoption of cloud computing in large organizations are consistent and standardized frameworks, open standards, interfaces that address security controls, and easy-to-implement processes to provide assurances on levels of Governance, Risk, and Compliance and security in cloud environments.

According to a report by Forrester Research (Compliance with Clouds: Caveat Emptor, August 2010) organizations should not wait for the cloud industry to step up its support for regulatory compliance, but instead security professionals should look beyond their cloud providers for compensating controls to aid cloud sourcing.

This view is obviously shared by IT and security leaders, who responded to the 2011 Global State of Information Security Survey of PricewaterhouseCoopers, CIO Magazine, and CSO Magazine, as they identified compliance (34%) and regulatory compliance (33%) among the top five business issues that will drive information security spending in their organization in 2011.

As cloud computing is still an emerging technology space, advice on how to address cloud risk management is limited. What best practices should organizations follow? Probably the best bet are the guidelines developed by the Cloud Security Alliance, a non-profit organization formed to promote the use of best practices for providing security assurance within cloud computing.

The CSA defines three distinct stages of a cloud adoption life cycle, starting with cloud risk readiness assessment, cloud risk operations monitoring, and finally leading to cloud audits (an area that still requires further standardization).

Cloud Risk Readiness
When you transition your IT infrastructure to a cloud environment you have to find ways to determine how to trust your cloud provider with your sensitive data. Practically speaking, you need the ability to assess security standards, trust security implementations, and prove infrastructure compliance to auditors.

To quickly evaluate your tolerance for moving asset to various cloud computing models (e.g., public cloud, private cloud, community cloud, or hybrid cloud) you should apply the followings steps:

  1. Identify the assets for the cloud deployment (e.g., data, applications, functions, processes)
  2. Evaluate the assets as it relates to criticality to the business and answer questions such as:
    • What impact would the business face if the asset became public information?
    • What impact would the business face if the asset would be accessed by the cloud service provider?
    • What impact would the business face if the application would be attacked or corrupted by an outsider?
    • What impact would the business face if the stored data were unexpectedly modified?
    • What impact would the business face if the asset were unavailable for a period of time?
  3. Map the asset to the potential cloud deployment model
  4. Evaluate potential cloud service models and providers and answer questions such as:
    • Does the cloud service provider meet current standards for security (e.g., assessment of threat and vulnerability management capabilities, continuous monitoring, business continuity plan)
    • Is the cloud service provider compliant with applicable regulations and can it pass a regulatory audit?
    • Can the cloud service provider generate dynamic and detailed compliance reports that can be used by the provider, auditors, as well as your internal resources?

Considering that many organizations deal with a heterogeneous cloud eco-system, comprised of infrastructure service providers, cloud software providers (e.g., cloud management, data, compute, file storage, and virtualization), platform services (e.g., business intelligence, integration, development and testing, as well as database), it is often challenging to gather the above mentioned information in a manual fashion. Thus, automation of the vendor risk assessment might be a viable option, especially if the same software tool can be leveraged for the other stages of the cloud adoption life cycle.

In addition, it's important to select a software tool that provides compliance controls assessment frameworks and content from regulations such as PCI DSS 2.0, FISMA 2010, SOX, NIST, ISO, CSA, SANS and BITS, threat controls content from CSA, as well as cloud risk dashboards and reports.

Cloud Risk Operations

A portion of the cost savings obtained by moving to the cloud should be invested into increasing the scrutiny of the security qualifications of an organization's cloud service provider, particularly as it relates to security controls, and ongoing detailed assessments and audits to ensure continuous compliance.

In this context, organizations should consider leveraging monitoring services or security risk management software that achieves:

  • Continuous compliance monitoring
  • Segregation and virtualization provisioning management
  • Automation of CIS benchmarks and secure configuration management integrations with security tools such as VMware vShield, McAfee ePO, and NetIQ SCM
  • Threat management with automated data feeds from zero-day vendors such as VeriSign and the National Vulnerability Database (NVD), as well as virtualized vulnerability integrations with companies such as eEye Retina and Tenable Nessus

Automated technology, which allows a risk-based approach and continuous monitoring for compliance, would be suitable for enterprises seeking to protect and manage their data in the cloud.

Cloud Risk Audit
This stage of the cloud adoption life cycle has not been very well defined yet and therefore requires further standardization driven by an increase in cloud deployments.

Nonetheless, when evaluating cloud service providers, organizations should ensure that they perform automated regulatory health checks and provide transparency in their infrastructure (IaaS), platform (PaaS), and software (SaaS) environments.

Practical Tips in Selecting the Right Cloud Risk Management Tool
When assessing Cloud Risk Management services or software, organizations should apply the following selection criteria:

  • Choose a vendor that offers an all-encompassing solution, meaning providing methodologies, frameworks, tools, and best practices to properly assess and manage your organization's cloud initiatives across all three stages of your cloud adoption life cycle. The solution should cover Governance, Risk, and Compliance (GRC), as well as Security in the form of threat and vulnerability management capabilities.
  • Choose an automated technology with an open architecture, since many organizations have invested heavily in security tools. This will allow data to be fed from the existing tools into the Cloud Risk Management tool and provide an aggregated view into both IT and business compliance and risk.
  • Make sure you work with a vendor that offers a solution that is content rich and includes many of the regulations (PCI, FISMA, SOX, etc.), frameworks, and standards that are applicable to your organization.
  • Seek out a vendor or service provider that can add value by offering innovative technology that goes beyond the traditional view of GRC. Namely, ensure that beyond governance and compliance, the areas of security (e.g., threat and vulnerability) and risk (e.g., enterprise risk management) are well covered, as it ensures higher return on investment.
  • Since you measure the success of a technology implementation by the time it takes to achieve value from its investment, it's crucial to engage with a vendor that offers the most efficient time-to-value. From a deployment perspective, this means that an on-site implementation should not exceed 90 days and as a managed service client, you should be up and running within 30 days.

Summary
There is no doubt that cloud computing will continue growing and, as it does, continue to get safer. But data breaches at some of the largest enterprises highlight the fact that there are still many risks associated with cloud adoption. Constantly changing government regulations are making it more difficult to keep compliant during the audit process as well. While it's exciting to be at the frontline when it comes to embracing a new technology that is poised to change the way we conduct business, we must remember that these technologies almost always come with new risks that have not yet been fully addressed.

More Stories By Torsten George

Torsten George is vice president worldwide marketing, Agiliance Inc. He brings more than 16 years of global experience in promoting software (e.g., enterprise applications, security software, and SaaS solutions) and network equipment products to Agiliance.

Prior to joining Agiliance, Torsten was vice president of worldwide marketing at ActivIdentity, where he redefined the company's product and go-to-market strategy and repositioned the company as the leader in the strong authentication and credential management space.

Before ActivIdentity, Torsten served nearly six years as chief marketing officer for Digital Link, a leading network communications equipment vendor. He holds a doctorate in Economics, a master of business administration degree in Marketing and Business Strategy, and a Bachelor of Science degree in Law.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@CloudExpo Stories
"ZeroStack is a startup in Silicon Valley. We're solving a very interesting problem around bringing public cloud convenience with private cloud control for enterprises and mid-size companies," explained Kamesh Pemmaraju, VP of Product Management at ZeroStack, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
In his session at 21st Cloud Expo, Carl J. Levine, Senior Technical Evangelist for NS1, will objectively discuss how DNS is used to solve Digital Transformation challenges in large SaaS applications, CDNs, AdTech platforms, and other demanding use cases. Carl J. Levine is the Senior Technical Evangelist for NS1. A veteran of the Internet Infrastructure space, he has over a decade of experience with startups, networking protocols and Internet infrastructure, combined with the unique ability to it...
"Codigm is based on the cloud and we are here to explore marketing opportunities in America. Our mission is to make an ecosystem of the SW environment that anyone can understand, learn, teach, and develop the SW on the cloud," explained Sung Tae Ryu, CEO of Codigm, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
High-velocity engineering teams are applying not only continuous delivery processes, but also lessons in experimentation from established leaders like Amazon, Netflix, and Facebook. These companies have made experimentation a foundation for their release processes, allowing them to try out major feature releases and redesigns within smaller groups before making them broadly available. In his session at 21st Cloud Expo, Brian Lucas, Senior Staff Engineer at Optimizely, discussed how by using ne...
"There's plenty of bandwidth out there but it's never in the right place. So what Cedexis does is uses data to work out the best pathways to get data from the origin to the person who wants to get it," explained Simon Jones, Evangelist and Head of Marketing at Cedexis, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
Large industrial manufacturing organizations are adopting the agile principles of cloud software companies. The industrial manufacturing development process has not scaled over time. Now that design CAD teams are geographically distributed, centralizing their work is key. With large multi-gigabyte projects, outdated tools have stifled industrial team agility, time-to-market milestones, and impacted P&L stakeholders.
"Cloud Academy is an enterprise training platform for the cloud, specifically public clouds. We offer guided learning experiences on AWS, Azure, Google Cloud and all the surrounding methodologies and technologies that you need to know and your teams need to know in order to leverage the full benefits of the cloud," explained Alex Brower, VP of Marketing at Cloud Academy, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clar...
Gemini is Yahoo’s native and search advertising platform. To ensure the quality of a complex distributed system that spans multiple products and components and across various desktop websites and mobile app and web experiences – both Yahoo owned and operated and third-party syndication (supply), with complex interaction with more than a billion users and numerous advertisers globally (demand) – it becomes imperative to automate a set of end-to-end tests 24x7 to detect bugs and regression. In th...
Enterprises are moving to the cloud faster than most of us in security expected. CIOs are going from 0 to 100 in cloud adoption and leaving security teams in the dust. Once cloud is part of an enterprise stack, it’s unclear who has responsibility for the protection of applications, services, and data. When cloud breaches occur, whether active compromise or a publicly accessible database, the blame must fall on both service providers and users. In his session at 21st Cloud Expo, Ben Johnson, C...
"Infoblox does DNS, DHCP and IP address management for not only enterprise networks but cloud networks as well. Customers are looking for a single platform that can extend not only in their private enterprise environment but private cloud, public cloud, tracking all the IP space and everything that is going on in that environment," explained Steve Salo, Principal Systems Engineer at Infoblox, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Conventio...
Data scientists must access high-performance computing resources across a wide-area network. To achieve cloud-based HPC visualization, researchers must transfer datasets and visualization results efficiently. HPC clusters now compute GPU-accelerated visualization in the cloud cluster. To efficiently display results remotely, a high-performance, low-latency protocol transfers the display from the cluster to a remote desktop. Further, tools to easily mount remote datasets and efficiently transfer...
"MobiDev is a software development company and we do complex, custom software development for everybody from entrepreneurs to large enterprises," explained Alan Winters, U.S. Head of Business Development at MobiDev, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
"We're developing a software that is based on the cloud environment and we are providing those services to corporations and the general public," explained Seungmin Kim, CEO/CTO of SM Systems Inc., in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
Agile has finally jumped the technology shark, expanding outside the software world. Enterprises are now increasingly adopting Agile practices across their organizations in order to successfully navigate the disruptive waters that threaten to drown them. In our quest for establishing change as a core competency in our organizations, this business-centric notion of Agile is an essential component of Agile Digital Transformation. In the years since the publication of the Agile Manifesto, the conn...
SYS-CON Events announced today that CrowdReviews.com has been named “Media Sponsor” of SYS-CON's 22nd International Cloud Expo, which will take place on June 5–7, 2018, at the Javits Center in New York City, NY. CrowdReviews.com is a transparent online platform for determining which products and services are the best based on the opinion of the crowd. The crowd consists of Internet users that have experienced products and services first-hand and have an interest in letting other potential buye...
The question before companies today is not whether to become intelligent, it’s a question of how and how fast. The key is to adopt and deploy an intelligent application strategy while simultaneously preparing to scale that intelligence. In her session at 21st Cloud Expo, Sangeeta Chakraborty, Chief Customer Officer at Ayasdi, provided a tactical framework to become a truly intelligent enterprise, including how to identify the right applications for AI, how to build a Center of Excellence to oper...
"IBM is really all in on blockchain. We take a look at sort of the history of blockchain ledger technologies. It started out with bitcoin, Ethereum, and IBM evaluated these particular blockchain technologies and found they were anonymous and permissionless and that many companies were looking for permissioned blockchain," stated René Bostic, Technical VP of the IBM Cloud Unit in North America, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Conventi...
SYS-CON Events announced today that Telecom Reseller has been named “Media Sponsor” of SYS-CON's 22nd International Cloud Expo, which will take place on June 5-7, 2018, at the Javits Center in New York, NY. Telecom Reseller reports on Unified Communications, UCaaS, BPaaS for enterprise and SMBs. They report extensively on both customer premises based solutions such as IP-PBX as well as cloud based and hosted platforms.
In his session at 21st Cloud Expo, James Henry, Co-CEO/CTO of Calgary Scientific Inc., introduced you to the challenges, solutions and benefits of training AI systems to solve visual problems with an emphasis on improving AIs with continuous training in the field. He explored applications in several industries and discussed technologies that allow the deployment of advanced visualization solutions to the cloud.
While some developers care passionately about how data centers and clouds are architected, for most, it is only the end result that matters. To the majority of companies, technology exists to solve a business problem, and only delivers value when it is solving that problem. 2017 brings the mainstream adoption of containers for production workloads. In his session at 21st Cloud Expo, Ben McCormack, VP of Operations at Evernote, discussed how data centers of the future will be managed, how the p...