According to a recent Forrester report, enterprise cloud computing adoption accelerated in 2016 and will do so again in 2017. Software-as-a-service (SaaS) remains the largest portion of the public cloud market, with global spending expected to reach $105 billion in 2017 and $155 billion by 2020. Infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) will experience the fastest growth rate, fueled by the global expansion and success of the leading megacloud vendors.

Still, security remains the top enterprise concern for both public and private clouds. That’s why your company should have a formal cloud vendor risk management program in place. A cloud vendor risk management program is intended to handle information security in a consistent manner, regardless of how varied or unique the cloud computing environment may be. The use of standard methods helps ensure that security decisions and actions are based on reliable, consistent information.

Managing Cloud Vendor Risks

The objective of a cloud vendor risk management program is to provide a tailored set of security controls and requirements within a cloud computing environment. It focuses on the processes necessary to effectively address information security controls, requirements and considerations through a phased life cycle approach.

All IT assets require some form of protection. The appropriate level of security should be commensurate with the value of the asset, including the value of the information the asset contains, the magnitude of harm that would result from a loss of confidentiality, integrity or availability, and the impact such a loss could inflict. These factors represent important drivers for securely managing cloud computing operations.

Five Phases of Enterprise Cloud Computing Risk Management

The program can be organized into five phases. Each phase outlines steps to validate and incorporate security into enterprise cloud computing operations as part of an end-to-end life cycle approach to risk management.

1. Initiation Phase

During the initiation phase, your company identifies the need for cloud computing services and documents its purpose. This involves the participation of key stakeholders from business units such as legal, compliance, vendor management, IT and finance. During the development of the business case and cost benefit analysis, the information security team provides a voice in the critical decision-making process of moving to the cloud.

Security planning begins in the initiation phase with the identification of key security roles. Security requirements are evaluated for any confidential information intended to be processed, transmitted, stored or maintained within the cloud environment.

All stakeholders should have a common understanding of these security considerations. That understanding should be built on a preliminary risk assessment of the basic security needs and requirements, which must consider applicable laws, regulations, organizational policies and controls to identify threats to the cloud environment. The assessment also identifies the information classification to assist in making the appropriate selection of security controls. As part of your initial due diligence, your company should have a list of vetted cloud vendors.

2. Solution Development Phase

In the solution development phase, the cloud vendor solution is designed, purchased, programmed, developed or otherwise constructed. This ensures that security controls, requirements and all necessary components are considered when incorporating security into the life cycle.

A key activity in this phase is conducting a formal risk assessment and using the results to identify the baseline security controls and requirements. This includes requesting from the cloud vendor such items as its security policy, infrastructure geographic locations, technical security measures and other control documentation. The cloud vendor must meet or exceed the organization’s defined information security requirements. Additionally, the information security and vendor management teams must collaborate to define and incorporate baseline security requirements into contracts and agreements.

3. Implementation Phase

During the implementation phase, IT assets and services are integrated or implemented within the cloud vendor environment. Security controls are established and verified in accordance with organizational policy and expectations, cloud vendor instructions and available implementation guidance.

Prior to the migration, certain sensitive assets should be encrypted. In the event of a failed migration, establish a disaster recovery plan with back-out procedures. Finally, agreed-upon security controls should be fully documented to include the results of verification and validation reviews and tests.
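One way to carry out the pre-migration encryption step so that the cloud vendor only ever receives ciphertext, shown as an added example rather than code from the article: the key is generated and held on the customer side (in practice in an on-premises KMS or HSM, which this example stands in for with a random key), each asset is sealed with AES-256-GCM with its identifier bound as associated data, and a SHA-256 fingerprint of the plaintext is recorded before upload so the back-out procedure can prove a restored copy is byte-identical. The function names, the asset identifier and the sample record are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// EncryptForMigration seals a sensitive asset with a customer-held 32-byte key before
// it is handed to the cloud vendor. The asset identifier is bound as associated data,
// so a ciphertext cannot be silently swapped between objects. Output is nonce || ciphertext.
func EncryptForMigration(key []byte, assetID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, []byte(assetID))...), nil
}

// DecryptAfterMigration reverses EncryptForMigration and fails closed on a wrong key,
// a wrong asset identifier, or any modification of the stored blob.
func DecryptAfterMigration(key []byte, assetID string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(assetID))
}

// Fingerprint is recorded before migration so verification and back-out can prove
// the restored asset matches what left the premises.
func Fingerprint(data []byte) string {
	return fmt.Sprintf("%x", sha256.Sum256(data))
}

func main() {
	// Assumption: the key would come from an on-premises KMS/HSM; here it is random.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample record, not real data.
	asset := []byte("payroll-2017.csv: constructed sample record")
	before := Fingerprint(asset)

	blob, err := EncryptForMigration(key, "payroll-2017.csv", asset)
	if err != nil {
		panic(err)
	}
	fmt.Printf("uploaded %d bytes of ciphertext, fingerprint %s...\n", len(blob), before[:16])

	restored, err := DecryptAfterMigration(key, "payroll-2017.csv", blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("back-out verification passed:", Fingerprint(restored) == before)

	// A single flipped bit in the vendor's copy must be detected, not decrypted.
	blob[len(blob)-1] ^= 0x01
	_, err = DecryptAfterMigration(key, "payroll-2017.csv", blob)
	fmt.Println("tampered copy rejected:", err != nil)
}
```

The point of binding the asset identifier as associated data is that a vendor-side mix-up (or an attacker with write access to the bucket) cannot return the ciphertext of one object under the name of another without the decrypt failing; the fingerprint, not the vendor's own checksum, is what the back-out plan should compare against.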

4. Operations and Maintenance Phase

The operations and maintenance phase ensures that controls are effective in their application through periodic monitoring, testing and evaluation. It is critical to consider the potential security impacts of changes in the cloud environment. Cloud vendors that preclude their customers from conducting their own security assessments should instead provide external assessment reports, such as the American Institute of Certified Public Accountants’ system and organization controls (SOC) reports.

Your company should continuously monitor performance of the IT assets and services to ensure that they are consistent with pre-established security controls and requirements, and incorporate any needed modifications.

5. Termination and Disposal Phase

The termination and disposal phase ensures that your company’s information, IT assets, and hardware and software components within the cloud environment are moved, archived, sanitized or destroyed according to organizational policy. Termination and disposal requirements should be explicitly written in the cloud vendor’s contract. This phase ensures orderly termination and decommissioning so that your information is effectively migrated to another IT asset or archived in accordance with applicable regulations and policies.

Reimagining — Not Reinventing — Cloud Security

Cloud computing creates risks and may require a reimagining, but not a reinvention, of security programs and architectures. Your company should increase its skills and training to negotiate, monitor and enforce agreements with cloud vendors. It should also adapt technical security architectures for more open networks, rethink security zones for the cloud and conduct ongoing security assessments.

Although cloud computing may be perceived as less secure, this is more of a trust issue and is not based on any reasonable analysis of actual security capabilities. Fear of cloud security is largely unfounded, given vendors’ dedicated attention to managing reputational risk.

To date, there have been few security breaches in the public cloud, and most incidents involve on-premises data center environments. Cloud vendors typically offer more effective security than a lot of companies can afford. The majority of cloud vendors invest significantly in security technology and personnel, realizing that their business would be at risk otherwise.

Still, assuming cloud vendors are completely secure is not a good strategy, because bad things can still happen. Your company needs to combine a comprehensive approach with a structured methodology to manage enterprise cloud computing risks.

