Cloud Security Governance Considerations for Organisations

20 April 2020 | Shivani Jariwala

The need for instantly available IT resources, which the cloud enables, has never been greater than during this coronavirus pandemic. With the onset of COVID-19 restrictions, more companies are recognising the unquestionable value that cloud delivers.

However, cloud security is a primary concern due to loss, or perceived loss, of control. A survey conducted by the Cloud Security Alliance (CSA), “Challenges in Managing Security in Hybrid and Multi-Cloud Environments”, identified potential disconnects and misinformation related to the importance of visibility into critical cloud resources. In particular, what levels of security experts are required when using cloud services? The vast majority of respondents (81%) expressed concerns about security when considering moving data to the cloud. Respondents’ concerns about data loss and leakage risks were also high (63% of respondents) when considering moving to the public cloud.

The reality is that the cloud, with its ever-growing set of services, is here, whether you have already adopted cloud services, are evaluating cloud options, or are still researching. To help, I have outlined some essential cloud governance recommendations that organisations should consider before adopting cloud.

Cloud Security Strategy and Policy

An organisation’s cloud security strategy sets the tone for its security posture. With a solid plan based on the right guidance, organisations can confidently move forward, making sound business decisions, charting a direct course through migration, and reaping the many benefits the cloud offers. A distinct “cloud computing services” policy must be defined, outlining:

  • Executive Sponsor or group, including who will “sign off” for cloud projects
  • Compliance
  • Data Governance: data types, sensitivity, and classification levels

Existing policies, such as incident management and access control, must be updated to accommodate cloud services. New policies will also need to be developed for areas such as third-party outsourcing and external audits.

Governance

Governance for cloud is critical for both customers and cloud service providers (CSPs). This is especially important as organisations need to understand who will be managing the cloud and where assets are stored. Confidential or ultrasensitive information could be at risk depending on the sovereign status of the storage facility and the laws it must follow. Depending on the service model, control of various technology elements will shift from one party to another. The deployment model may define accountability and expectations. Cloud customers should review the sufficiency, maturity and consistency of their cloud service providers’ governance, and collaborative governance should be considered where needed.

Compliance and Contracts

You must not assume that you can outsource the responsibility for compliance to the CSP. Organisations need to map their own compliance requirements. Contracts should include a number of well-defined specifications:

  • Where / how data will be stored logically and geographically
  • Who is responsible for data lifecycle and management tasks
  • What happens during an outage and notifications expected
  • Provisions for data destruction and retrieval in case of contract termination, if the CSP gets acquired or goes out of business
  • Portability requirements
  • Data Breach Handling
  • Log requirements
  • Analytics of usage data
  • Metrics and compliance requirements
  • SLA requirements with regard to uptime, performance / response time, error correction / response time, infrastructure / security, etc.
  • The process to respond to legal requests

Take Responsibility for Security Internally

Responsibility for security must be considered a shared mandate throughout the organisation. Complex cloud environments are the new reality for organisations. Digital14 recommends that organisations address security requirements before adopting cloud technologies in order to create realistic and manageable network environments, rather than simply putting out fires as they arise after deploying new technologies.

To learn more, visit digital14.com/protect today.
