Cloud Computing: 5 Topics for the Boss
Data Protection, Cost Are Two Key Items
Security is a primary reason many organizations hesitate to move their data to the cloud. This means chief information security officers spend lots of time with senior leaders, advising them on how to safeguard their organizations' cloud computing initiatives.
Simply, executives seek the CISO's advice so they can determine whether the benefits the cloud provides outweigh its risks.
"It is this stuff senior executives are looking for from us in very simple terms," says Robert Glenn, chief information security officer at the National Institute of Standards and Technology. Glenn regularly meets with NIST managers while a cloud initiative is in development, when it's deployed and after it becomes operational.
Here are the top five cloud computing security risks and concerns CISOs must discuss with their managers.
- Vendor Assessment: How does the cloud provider administer its computing environment? Do the vendor's security controls adequately protect the organization's information? Leaders seek details on how the security officers evaluate the vendor's infrastructure on a regular basis and on the type of access CISOs and their teams get to assess the service provider's risk and vulnerability controls. Executives seek examples of how vendors safeguard data, such as reports showing results from real-time monitoring of IT systems and how data will be protected during a breach. "We need to show evidence to our executive team," Glenn says.
- Data Protection: Where is their data, who has access to it, where will the information physically reside, what format is the data stored in, what back-up procedures exist, and who is managing the system? Providing answers to these questions, says Malcolm Harkins, ISACA member and CISO at chipmaker Intel, "helps in providing assurance to executives on the security posture of the cloud vendor." For example, if an Internet connection fails, or the organization decides to go with a different service provider, the CISO should explain how the organization would be able to retrieve and protect its data or continue to run its applications.
- Reputation: Executives express concern about the history of cloud providers and often want to know how long they have been around, their reputation and the maturity of their services within the industry. "We are not just looking for evidence that vendors are secure today; we are looking for evidence of IT security throughout the life of the services," Glenn says.
Leaders want assurances that the cloud providers have undergone a thorough background check, including checks on the trustworthiness of the vendor employees who work with, manage and operate the systems and information. Executives prefer cloud providers that have previously been approved by other organizations, because such vendors have already undergone the initial scrutiny and are familiar with the compliance regulations and requirements.
- Data Sensitivity: Senior leaders fret over the mixing of sensitive or secret information and non-sensitive data on the same virtual machines. But Harkins explains to his executives that mixing the data will not expose confidential information if adequate security controls are implemented by the service providers. The discussion often turns to whether certain business information is appropriate for the cloud model. A CISO must make a clear business case, showing how vulnerabilities in the vendor infrastructure could lead to sensitive data being leaked and what the impact would be on the organization as a whole. "In my discussions, I try to give them a sense to think and ask how likely this is to happen?" Harkins says.
- Cost: Conventional wisdom is that cloud services will cut costs, but that isn't necessarily so, at least not initially. "Security costs might offset a lot of those savings," Glenn says. CISOs must make senior leaders aware that when information moves to the cloud, all security controls have to be replicated in some form within the service provider's environment. CISOs also need to spend a lot of time with the providers, and as the axiom goes: Time is money. "When we find out that we will need nine months to do a full assessment, that's a lot of money being spent on just trying to ensure that the service is secure," Glenn says. So, essentially, the discussion with executives comes down to balancing the associated risk against the savings.
CISOs aren't just teachers but students, too, drawing knowledge from these meetings with senior leaders about business initiatives that could be fostered by cloud computing.