Nowadays, more and more organizations are choosing cloud services for their operations.
Software publishers spotlight their solutions in IaaS, PaaS and SaaS models and no longer automatically offer on-premises products. Indeed, the challenges of the day for organizations are to reduce IT operating costs and increase employees' mobility while maintaining the availability of their business services.
In this context, cloud computing must be considered a form of outsourcing, but its risks and security measures differ from those of classic outsourcing.
Future days in IT should not be foggy days!
Risks are shared between the organization and its Cloud Service Provider (CSP). Therefore, security measures should be addressed differently.
The effort of implementing and controlling security measures is moving from IT security teams to other departments that have neither the mandate nor the skills to challenge the security aspects of cloud services.
Fog is beginning to show, and fog limits visibility.
We are not talking about fog computing, which is an intermediate layer of computing. We are talking about the visibility of risks that is disappearing, for the whole organization, with cloud services:
- Where are my security requirements in contracts?
- Where is my exit strategy?
- Am I still the owner of the data I put in cloud services?
To address these concerns and avoid such a situation, a set of actions shall be conducted at several stages of the contract with the CSP.
On the way to the cloud
During the selection phase, the following points shall be addressed:
- The owner of the service shall identify business needs and conduct a Business Impact Analysis (BIA) with the help of the security team, the CISO or the Risk Management team;
- Once this qualification is performed, an Information Security pre-assessment shall quickly identify and evaluate the type of data processed and the need for confidentiality, integrity and availability;
- Based on these business and security requirements, a risk analysis of the shortlisted cloud services should be conducted. Data privacy aspects can be included in the assessment or can be the subject of a dedicated assessment by the Data Protection Officer (not necessarily in the form of a Data Privacy Impact Assessment (DPIA)).
The assessment should have its own methodology. Do not use your classic IT Security Risk Assessment methodology. Several communities, such as the Cloud Security Alliance (CSA) (https://cloudsecurityalliance.org/) and ENISA (https://www.enisa.europa.eu/topics/cloud-and-big-data/cloud-security), have created specific tools that can help you in that process.
You are the boss
Your data must not become CSP-owned Data.
In the preliminary examination of the contract, you have to exercise your rights as the customer and owner of the processes and data you will transfer to cloud services.
When appropriate, the following items should be challenged:
- How your security requirements are implemented;
- The possibility of performing due diligence;
- SLAs and how to check them over the course of the contract;
- Exit clauses.
During the contract, don't hesitate to perform regular audits, penetration tests and vulnerability scans.
Finally, as for every IT project, you should check the legal and regulatory requirements you (and your provider) must comply with (e.g. GDPR, CSSF circular 19/714, HIPAA, the NIS Directive).
In this way, future days will be sunny days with cloud computing.