How to drive out seven deadly sins of cloud computing
If you have not implemented some form of cloud computing in your organisation by now, it is very likely that someone in it is already thinking about doing so.
By Steve Durbin
For some organisations, however, cloud computing services are probably already in use ‘under the radar’, as individuals sign up for them on their own initiative in a bid to cut costs and boost efficiency.
In their enthusiasm to embrace all things cloud, organisations need to pause and consider whether they are sufficiently protected, and whether they are exposing themselves unnecessarily to threats to the confidentiality, integrity and availability of their information.
Using the seven deadly sins as a framework, the Information Security Forum (ISF) has developed a business-focused approach to help fight the fires of ad hoc, unplanned cloud implementations. Our report, Securing cloud computing: addressing the seven deadly sins*, identifies the ‘sins’ of cloud computing implementation and offers practical guidance and solutions on how to tackle them.
The seven deadly sins
1. Ignorance – when cloud services are implemented without the knowledge or approval of senior management or the IT department, and without a full understanding of the potential security risks
2. Ambiguity – agreeing contracts with external cloud service providers without proper authorisation or review, and without identifying the security risks or addressing security requirements
3. Doubt – there is little or no assurance regarding cloud providers’ security arrangements and how they will protect a company’s information, and most organisations will find it very difficult, if not impossible, to audit such arrangements
4. Trespass – there is no appreciation that putting data in the cloud might be illegal, and that by storing data in unknown locations organisations might be in breach of privacy legislation and their obligations as data controllers
5. Disorder – information placed in the cloud is not classified correctly, stored appropriately or destroyed completely. For highly regulated industries, such as banking and pharmaceuticals, this lack of formalised information-handling and access control procedures could be very damaging
6. Conceit – a misguided belief that enterprise infrastructure is ready for the cloud when it is not. There is no corporate security architecture defined for cloud services and no standard approach to identity and access management. Encryption may also offer less protection than assumed if the keys are stored in the cloud provider’s systems alongside the data they protect
7. Complacency – most purchasers of cloud services assume they will have full availability, but experience shows that a variety of incidents can and often do cause cloud outages.
Beyond tackling each of the seven deadly sins of cloud implementation individually, organisations need to take a much broader, holistic view to ensure that all aspects of their security are addressed.
Dealing with third party suppliers
Experience from the outsourcing model, and particularly IT outsourcing, has demonstrated that a consistent approach to areas such as choosing a supplier, contracting, monitoring and information security is critical, and that remains true in the ‘age of cloud’. This experience, however, is often ignored, and there seems to be no consistent approach to assessing, purchasing and monitoring cloud services.
Cloud service providers need to be treated in exactly the same way as any other external supplier, such as an outsourcing company, and should therefore be covered by the same form of contract. The ISF has developed a four-step approach that provides a consistent way of dealing with any external supplier and applies equally to cloud service providers:
Step 1 – identify and classify third parties
Step 2 – agree third-party security
Step 3 – validate third-party security
Step 4 – agree termination terms.
Organisations can no longer ignore the information security implications of cloud computing services. It may be happening under your nose, or more likely behind your back, but cloud services are here to stay and every organisation needs to adopt a practical business-led approach to dealing with the challenges.
Steve Durbin is Global Vice President for ISF
* An executive summary of the report Securing cloud computing: addressing the seven deadly sins is available from https://www.securityforum.org/about/sampledocuments/publicdownloadcloud/ while the full report – available only to ISF Members – offers more detailed practical guidance in the form of a checklist of actions and a set of common baseline arrangements that organisations can use to secure cloud services. The ISF also offers Members an external supplier assessment tool, which enables organisations to assess and record the maturity level of individual suppliers.