With the rapid expansion of cloud computing and the Internet of Things, many CISOs are struggling to keep pace.
Business potential, cost savings and the prospect of innovation continue to drive cloud development at a rapid pace.
According to Gartner, worldwide public cloud adoption is set to grow by 16.5 percent in 2016 to $204 billion, up from $175 billion in 2015.
Security concerns continue to represent the single greatest barrier to cloud adoption.
The “everything into the cloud” mantra now echoes throughout many large companies.
The ICT industry is no stranger to such turbulent developments: services to accommodate this business need have been developing for years, and the technology keeps pace with the demands of the market.
While these developments are embraced from a technology point of view, Information Security is struggling to catch up.
The push to the cloud is often led by business stakeholders trying to respond more quickly to changing market dynamics by taking IT matters into their own hands.
In the push to adopt cloud platforms and applications, organizations often fail to recognize and address the compliance and security risks that come with them. The ease of getting a business into the cloud, combined with service level agreements, provides a false sense of security.
Shortcomings in a cloud provider’s security architecture and controls affect you as a customer, in the form of outages, data loss, unauthorized disclosure, data destruction, copyright infringement and erosion of brand reputation. Meanwhile, the business can procure cloud-based services with a click of a button, without IT being aware of it, creating rogue applications and shadow IT within the company and increasing the security risk.
This creates new challenges for the CISO, including but not limited to:
- Unknown security and compliance vulnerabilities;
- Misalignment of systems and internal policies;
- Inconsistent service level agreements;
- Lack of visibility of security controls;
- A software-defined datacentre carries a potentially higher risk of human error than a physical datacentre (configuration by checkbox and mouse click instead of physical cabling).
While most cloud providers have service level agreements in place, their security provisions, the physical location of data, and other vital details may not be well defined.
This creates a blind spot for organizations, especially those that must comply with contractual agreements, regulatory mandates, and breach notification laws for securing data.
Whether organizations plan to use public or private clouds, better security and compliance are needed.
Information Security will need to institute policies and controls that match those used in data center environments.
Third-party IT environments need to be as secure as their on-premises counterparts, especially if they can impact business performance and valuation.
Updating the Toolkit
To keep pace with the cloud race, the CISO should consider expanding their toolkit with the following:
- Leveraging monitoring services or big-data risk management software;
- Training staff in the risks and proper use of cloud solutions;
- Creating awareness within the company.
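One concrete form the first item can take is discovering shadow IT from the web-proxy logs the organization already collects. The script below is an added example, not Redcoat IT’s own tooling or product: it reads constructed proxy log lines, maps each destination host to a cloud service from a small hypothetical catalogue (the `.example` domains and service names are invented), and reports any service in use that is not on the sanctioned list, together with who uses it and how much data is being pushed to it.

```python
"""Shadow-IT discovery from web-proxy logs.

Added example, not Redcoat IT's code. The service catalogue, the sanctioned
list and the log lines are all constructed for illustration.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical catalogue of known SaaS domains -> service name.
CLOUD_SERVICE_CATALOGUE = {
    "sancstorage.example": "SanctionedDrive",
    "crm.example": "SanctionedCRM",
    "quickshare.example": "QuickShare",
    "notesapp.example": "NotesApp",
    "pastesite.example": "PasteSite",
}

# Services IT has approved. Any other catalogue hit is shadow IT.
SANCTIONED_SERVICES = {"SanctionedDrive", "SanctionedCRM"}

# Constructed log lines: timestamp user src_ip method url status request_bytes
SAMPLE_PROXY_LOG = """\
2016-03-01T09:01:12Z alice 10.0.0.5 GET https://sancstorage.example/files/q1.xlsx 200 4521
2016-03-01T09:02:40Z bob 10.0.0.9 PUT https://upload.quickshare.example/v1/blob 201 88213
2016-03-01T09:03:02Z alice 10.0.0.5 POST https://api.notesapp.example/sync 200 1030
2016-03-01T09:05:17Z carol 10.0.0.12 PUT https://upload.quickshare.example/v1/blob 201 120044
2016-03-01T09:06:00Z bob 10.0.0.9 GET https://www.crm.example/contacts 200 3300
2016-03-01T09:07:45Z dave 10.0.0.20 POST https://pastesite.example/api/paste 200 2200
2016-03-01T09:08:10Z erin 10.0.0.22 GET https://intranet.corp.local/home 200 900
"""


def service_for_host(host):
    """Return the catalogue service for host, also matching parent domains
    (upload.quickshare.example -> quickshare.example), or None."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CLOUD_SERVICE_CATALOGUE:
            return CLOUD_SERVICE_CATALOGUE[candidate]
    return None


def parse_line(line):
    """Split one proxy log line into fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, user, src_ip, method, url, status, nbytes = parts
    host = urlsplit(url).hostname
    if host is None:
        return None
    try:
        nbytes = int(nbytes)
    except ValueError:
        return None
    return {"ts": ts, "user": user, "src_ip": src_ip, "method": method,
            "host": host, "status": status, "bytes": nbytes}


def find_shadow_it(log_text):
    """Aggregate unsanctioned cloud-service usage.

    Returns {service: {"users": set, "requests": int, "upload_bytes": int}},
    where upload_bytes sums request bytes of PUT/POST calls (data leaving
    the organisation)."""
    report = defaultdict(lambda: {"users": set(), "requests": 0, "upload_bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the run
        service = service_for_host(rec["host"])
        if service is None or service in SANCTIONED_SERVICES:
            continue  # unknown host or approved service
        entry = report[service]
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        if rec["method"] in ("PUT", "POST"):
            entry["upload_bytes"] += rec["bytes"]
    return dict(report)


if __name__ == "__main__":
    for svc, info in sorted(find_shadow_it(SAMPLE_PROXY_LOG).items()):
        print(f"{svc}: {len(info['users'])} users, {info['requests']} requests, "
              f"{info['upload_bytes']} bytes uploaded")
```

On the constructed log this flags QuickShare (two users, about 200 KB uploaded), NotesApp and PasteSite, while traffic to the two sanctioned services and to the intranet host is ignored. In practice the catalogue would be a maintained feed of SaaS domains and the output would feed a ticket or a CASB policy rather than a print statement; the parent-domain matching matters because upload endpoints are usually on a subdomain of the service's main domain.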
Redcoat IT can deliver a Cloud Readiness Assessment to evaluate potential cloud service models and providers. This assessment is built around the Redcoat IT MASC principle:
- Maintain continuous compliance monitoring;
- Ability to generate dynamic and detailed compliance reports;
- Security practices (e.g., assessment of threat and vulnerability management capabilities, continuous diagnostics and mitigation, business continuity plan);
- Compliance posture.
In addition, Redcoat IT recommends that a portion of the cost savings obtained by moving to the cloud be earmarked for monitoring the cloud service provider’s security controls and for ongoing detailed assessments and audits to ensure continuous compliance.