August 22, 2017 By Brian Evans 4 min read

According to a recent Forrester report, enterprise cloud computing adoption accelerated in 2016 and will do so again in 2017. Software-as-a-service (SaaS) remains the largest portion of the public cloud market, with global spending expected to reach $105 billion in 2017 and $155 billion by 2020. Infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) will experience the fastest growth rate, fueled by the global expansion and success of the leading megacloud vendors.

Still, security remains the top enterprise concern for both public and private clouds. That’s why your company should have a formal cloud vendor risk management program in place. A cloud vendor risk management program is intended to handle information security in a consistent manner, regardless of how varied or unique the cloud computing environment may be. The use of standard methods helps ensure that security decisions and actions are based on reliable, consistent information.

Managing Cloud Vendor Risks

The objective of a cloud vendor risk management program is to provide a tailored set of security controls and requirements within a cloud computing environment. It focuses on the processes necessary to effectively address information security controls, requirements and considerations through a phased life cycle approach.

All IT assets require some form of protection. The appropriate level of security should be commensurate with the value of the asset, including the value of the information the asset contains, the magnitude of harm that would result from a loss of confidentiality, integrity or availability, and the impact such a loss could inflict. These factors represent important drivers for securely managing cloud computing operations.

Five Phases of Enterprise Cloud Computing Risk Management

The program can be organized into five phases. Each phase outlines steps to validate and incorporate security into enterprise cloud computing operations as part of an end-to-end life cycle approach to risk management.

1. Initiation Phase

During the initiation phase, your company identifies the need for cloud computing services and documents its purpose. This involves the participation of key stakeholders from business units such as legal, compliance, vendor management, IT and finance. During the development of the business case and cost benefit analysis, the information security team provides a voice in the critical decision-making process of moving to the cloud.

Security planning begins in the initiation phase with the identification of key security roles. Security requirements are evaluated for any confidential information intended to be processed, transmitted, stored or maintained within the cloud environment.

All stakeholders should have a common understanding of these security considerations. This should consist of a preliminary risk assessment of the basic security needs and requirements, which must consider applicable laws, regulations, organizational policies and controls to identify threats to the cloud environment. It also identifies the information classification to assist in making the appropriate selection of security controls. As part of your initial due diligence, your company should have a list of vetted cloud vendors.

2. Solution Development Phase

In the solution development phase, the cloud vendor solution is designed, purchased, programmed, developed or otherwise constructed. This ensures that security controls, requirements and all necessary components are considered when incorporating security into the life cycle.

A key activity in this phase is conducting a formal risk assessment and using the results to identify the baseline security controls and requirements. This includes requesting from the cloud vendor such items as its security policy, infrastructure geographic locations, technical security measures and other control documentation. The cloud vendor must meet or exceed the organization’s defined information security requirements. Additionally, the information security and vendor management teams must collaborate to define and incorporate baseline security requirements into contracts and agreements.

3. Implementation Phase

During the implementation phase, IT assets and services are integrated or implemented within the cloud vendor environment. Security controls are established and verified in accordance with organizational policy and expectations, cloud vendor instructions and available implementation guidance.

Prior to the migration, certain sensitive assets should be encrypted. In the event of a failed migration, establish a disaster recovery plan with back-out procedures. Finally, agreed-upon security controls should be fully documented to include the results of verification and validation reviews and tests.

4. Operations and Maintenance Phase

The operations and maintenance phase ensures that controls are effective in their application through periodic monitoring, testing and evaluation. It is critical to consider the potential security impacts of changes in the cloud environment. Cloud vendors that do not permit their customers to conduct security assessments directly should provide external assessment reports, such as the American Institute of Certified Public Accountants’ system and organization controls (SOC) reports.

Your company should continuously monitor performance of the IT assets and services to ensure that they are consistent with pre-established security controls and requirements, and incorporate any needed modifications.

5. Termination and Disposal Phase

The termination and disposal phase ensures that your company’s information, IT assets, and hardware and software components within the cloud environment are moved, archived, sanitized or destroyed according to organizational policy. Termination and disposal requirements should be explicitly written in the cloud vendor’s contract. This phase ensures orderly termination and decommissioning so that your information is effectively migrated to another IT asset or archived in accordance with applicable regulations and policies.

Reimagining — Not Reinventing — Cloud Security

Cloud computing creates risks and may require a reimagining, but not a reinvention, of security programs and architectures. Your company should increase its skills and training to negotiate, monitor and enforce agreements with cloud vendors. It should also adapt technical security architectures for more open networks, rethink security zones for the cloud and conduct ongoing security assessments.

Although cloud computing may be perceived as less secure, this is more of a trust issue and is not based on any reasonable analysis of actual security capabilities. Fear of cloud security is largely unfounded, given vendors’ dedicated attention to managing reputational risk.

To date, there have been few security breaches in the public cloud, and most incidents involve on-premises data center environments. Cloud vendors typically offer more effective security than a lot of companies can afford. The majority of cloud vendors invest significantly in security technology and personnel, realizing that their business would be at risk otherwise.

Still, assuming cloud vendors are completely secure is not a good strategy, because bad things can still happen. Your company needs to combine a comprehensive approach with a structured methodology to manage enterprise cloud computing risks.
