Shrink Your Enterprise Cloud Computing Security Concerns With a Cloud Vendor Risk Management Program

According to a recent Forrester report, enterprise cloud computing adoption accelerated in 2016 and will do so again in 2017. Software-as-a-service (SaaS) remains the largest portion of the public cloud market, with global spending expected to reach $105 billion in 2017 and $155 billion by 2020. Infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) will experience the fastest growth rate, fueled by the global expansion and success of the leading megacloud vendors.

Still, security remains the top enterprise concern for both public and private clouds. That’s why your company should have a formal cloud vendor risk management program in place. A cloud vendor risk management program is intended to handle information security in a consistent manner, regardless of how varied or unique the cloud computing environment may be. The use of standard methods helps ensure that security decisions and actions are based on reliable, consistent information.

Managing Cloud Vendor Risks

The objective of a cloud vendor risk management program is to provide a tailored set of security controls and requirements within a cloud computing environment. It focuses on the processes necessary to effectively address information security controls, requirements and considerations through a phased life cycle approach.

All IT assets require some form of protection. The appropriate level of security should be commensurate with the value of the asset, including the value of the information the asset contains, the magnitude of harm that would result from a loss of confidentiality, integrity or availability, and the impact such a loss could inflict. These factors represent important drivers for securely managing cloud computing operations.

Five Phases of Enterprise Cloud Computing Risk Management

The program can be organized into five phases. Each phase outlines steps to validate and incorporate security into enterprise cloud computing operations as part of an end-to-end life cycle approach to risk management.

1. Initiation Phase

During the initiation phase, your company identifies the need for cloud computing services and documents its purpose. This involves the participation of key stakeholders from business units such as legal, compliance, vendor management, IT and finance. During the development of the business case and cost benefit analysis, the information security team provides a voice in the critical decision-making process of moving to the cloud.

Security planning begins in the initiation phase with the identification of key security roles. Security requirements are evaluated for any confidential information intended to be processed, transmitted, stored or maintained within the cloud environment.

All stakeholders should have a common understanding of these security considerations. This should consist of a preliminary risk assessment of the basic security needs and requirements, which must consider applicable laws, regulations, organizational policies and controls to identify threats to the cloud environment. It also establishes the information classification, which guides the appropriate selection of security controls. As part of your initial due diligence, your company should have a list of vetted cloud vendors.

2. Solution Development Phase

In the solution development phase, the cloud vendor solution is designed, purchased, programmed, developed or otherwise constructed. This ensures that security controls, requirements and all necessary components are considered when incorporating security into the life cycle.

A key activity in this phase is conducting a formal risk assessment and using the results to identify the baseline security controls and requirements. This includes requesting from the cloud vendor such items as its security policy, infrastructure geographic locations, technical security measures and other control documentation. The cloud vendor must meet or exceed the organization’s defined information security requirements. Additionally, the information security and vendor management teams must collaborate to define and incorporate baseline security requirements into contracts and agreements.

3. Implementation Phase

During the implementation phase, IT assets and services are integrated or implemented within the cloud vendor environment. Security controls are established and verified in accordance with organizational policy and expectations, cloud vendor instructions and available implementation guidance.

Prior to the migration, certain sensitive assets should be encrypted. Establish a disaster recovery plan with back-out procedures so that a failed migration can be reversed. Finally, agreed-upon security controls should be fully documented, including the results of verification and validation reviews and tests.

4. Operations and Maintenance Phase

The operations and maintenance phase ensures that controls are effective in their application through periodic monitoring, testing and evaluation. It is critical to consider the potential security impacts of changes in the cloud environment. Cloud vendors should provide external assessment reports, such as the American Institute of Certified Public Accountants’ system and organization controls (SOC) reports, if they preclude their customers from directly conducting security assessments.

Your company should continuously monitor performance of the IT assets and services to ensure that they are consistent with pre-established security controls and requirements, and incorporate any needed modifications.

5. Termination and Disposal Phase

The termination and disposal phase ensures that your company’s information, IT assets, and hardware and software components within the cloud environment are moved, archived, sanitized or destroyed according to organizational policy. Termination and disposal requirements should be explicitly written in the cloud vendor’s contract. This phase ensures orderly termination and decommissioning so that your information is effectively migrated to another IT asset or archived in accordance with applicable regulations and policies.

Reimagining — Not Reinventing — Cloud Security

Cloud computing creates risks and may require a reimagining, but not a reinvention, of security programs and architectures. Your company should increase its skills and training to negotiate, monitor and enforce agreements with cloud vendors. It should also adapt technical security architectures for more open networks, rethink security zones for the cloud and conduct ongoing security assessments.

Although cloud computing may be perceived as less secure, this is more of a trust issue and is not based on any reasonable analysis of actual security capabilities. Fear of cloud security is largely unfounded, given vendors’ dedicated attention to managing reputational risk.

To date, there have been few security breaches in the public cloud, and most incidents involve on-premises data center environments. Cloud vendors typically offer more effective security than a lot of companies can afford. The majority of cloud vendors invest significantly in security technology and personnel, realizing that their business would be at risk otherwise.

Still, assuming cloud vendors are completely secure is not a good strategy, because bad things can still happen. Your company needs to combine a comprehensive approach with a structured methodology to manage enterprise cloud computing risks.

Brian Evans

Senior Managing Consultant, IBM

Brian Evans, CISSP, CISM, CISA, CGEIT is a Senior Managing Consultant for IBM Security Services and assists clients in building regulatory compliant information security programs. With over 20 years of combined experience in IT management, consulting and information security, Brian has served in the role of Chief Information Security Officer for a variety of organizations and worked in various industries. He has led the Incident Response and Computer Forensic Investigations teams for Nationwide Insurance and was Vice President, IT Risk Management at KeyBank and JPMorgan Chase. Brian held director level positions with CynergisTek and Computer Task Group consultancy firms and started his career in the U.S. Air Force. He has earned a Master’s in Public Administration from the University of Cincinnati and a B.S. in Business Management from the University of Maryland.