Moving a company’s IT into the cloud is seen a reasonable thing to do for many companies as it has many attractions including cost, space savings, reduced headcount and performance bonuses. Tried and tested security paradigms are now being viewed as not fully fit for purpose where cloud-based operations are involved. But is this the case? Are there any trends that might offer improved security management and thus improvements in security posture.
While there is a good choice of monitoring and management tools available for both the physical and virtual IT world, most of these tools will be within the purview of the cloud operator or their contractors, not the end customer.
So what aspects of IT security can a customer reasonably expect to control and how might that control be exercised?
The starting point is for the security group to identify the key areas of the company’s IT, where it is located and for what purpose (AAA, email, firewall, etc.) using what technology and identifying who owns and manages what.
After this IT mapping exercise should come the development of a comprehensive and complete data asset register identifying where all data is located, who owns the data, what value the data has, who (or what) can access the data and for what purpose.
These two tasks would then feed into a comprehensive risk analysis and a map identifying who has what control over the various parts. We are identifying where a company has direct control, where it has indirect control and where it has no control.
Direct control
This is where a company owns (or leases) a device and has direct operational responsibility for its maintenance and management. Here the company needs comprehensive up to date policies and procedures and suitably trained staff.
Indirect control
This where the company is using a device or service that is owned and operated by a third party as would be the general case for cloud-based IT. Here the company needs the service contract to comprehensively cover the security requirements of the company, probably best accomplished with an annex that can be updated without requiring a re-negotiation of the main contract. Such security requirement should include incident reporting mechanisms and procedures.
It should be noted that a cloud service provider will generally have a number of functions and services it leases or rents from other third-parties and the contract needs to identify how these services or facilities are managed by the loud provider. Also the very large cloud companies will have a number of operational centres in different parts of the world and use a “follow the sun” management scheme. Staff vetting may not be to the same standard in every country and often contractors could be being used and again the vetting procedures need to addressed in the main contract (or contract annex).
No control
This is where the company needs to take steps to ensure security where it has no control. A good example is using end to end encryption where data is carried over the internet or other third-party networks.
To conclude, without knowing the value of the data held and or processed by your company, where the data is located and who or what should be allowed to access the data and for what purpose. You cannot realistically undertake an effective risk and threat analysis of your IT and without said risk and threat analysis and a comprehensive understanding of your IT map and its supply chains and so what is under your direct and indirect control (the IT map) you cannot effectively secure your company and its data.