How to Manage Cloud Risk


GRC—Building a robust governance, risk and compliance program are among the most important parts of creating a cloud security strategy. Here, Ben Tomhave, Principal Consultant at LockPath, a provider of innovative GRC applications, discusses how to effectively and safely manage your customers' data in the cloud.—Jennifer D. Bosavage, editor

Your customers' data is out there. It's in "the cloud." You don't own the hardware, you may not run the data center, and yet it's still, ultimately, the IT solution provider's responsibility. That's a lot of risk to be carrying without much ability to directly manage it. What do you do?

Get Expert Advice
The U.S. National Institute of Standards and Technology (NIST) and the Cloud Security Alliance (CSA) have a great deal of information on the topic. NIST recently released a draft of Special Publication 800-144 "Guidelines on Security and Privacy in Public Cloud Computing," in which they recommend steps in nine topic areas: Governance, Compliance, Trust, Architecture, Identity and Access Management, Software Isolation, Data Protection, Availability, and Incident Response. The draft specifically calls for a comprehensive risk management program and extending practices pertaining to policies, procedures, and standards into the cloud and to cloud services providers. In short, the Governance, Risk, and Compliance (GRC) program must be expanded to cover cloud services.

The Cloud Security Alliance makes similar recommendations in v2.1 of the CSA Guide , which arranged according to 13 domains, including "Governance and Enterprise RIsk Management" and "Compliance and Audit." The CSA Guide specifically says that "Effective governance and enterprise risk management in Cloud Computing environments follows from well-developed information security governance processes, as part of the organization’s overall corporate governance obligations of due care." It goes on to say that "The fundamental issues of governance and enterprise risk management in Cloud Computing concern the identification and implementation of the appropriate organizational structures, processes, and controls to maintain effective information security governance, risk management, and compliance." As with the NIST guidance, a robust GRC program is essential to effectively managing cloud risk.

Instilling GRC Discipline
A GRC program is more than just a platform—it's a management discipline. That truth becomes even more self-evident as data and applications escape into the cloud. When employees need only a credit card to circumvent the majority of IT policies, it becomes clear that it's time for a sea change in ground rules. That change comes by way of building a modern GRC program.

A robust GRC program will leverage five key areas:

1) Survivability Strategy & Legal Defensibility: First and foremost, traditional strategies will not apply to cloud-based services. True, in part IT solution providers are effectively transferring risk to the cloud services provider, but only if your contract specifically accounts for that. Overall, a move to cloud-based services should include a new legal analysis of the liability exposure, along with a new strategic outlook that puts a premium on networked systems survivability. Leveraging methods like containment, segregation, monitoring and response, and a strong “right to audit” clause will lend itself to more effective management of cloud risk.

2) Formalized Methods: No longer is it adequate to rely on ad hoc decisions that piece together random quantitative data. Rather, it’s becoming increasingly vital that decision methodology, including risk analysis, be clearly documented and understood. Similarly, security practices should be formally documented (e.g., defining and following an SDLC for application development). Lastly, with direct infrastructure management typically out-of-scope, it’s imperative that environment visibility be maintained and that key metrics be defined and actively tracked.

3) Policies 2.0: A traditional policy framework simply isn’t adequate today. The future of policies maps each policy requirement to a control requirement, which is in turn mapped to a regulatory or business objective. Beyond this, the policy framework should be structured to be as lightweight as possible so as to improve the ease of comprehension by those subject to it. Making policies process-oriented (or objective-oriented) can be helpful, as can providing risk context for policies and how they’re applied.

4) Enhanced Training & Awareness: Traditional security training and awareness programs oftentimes amount to sitting through an annual computer-based training (CBT) program. Those programs are not generally effective. Instead, it is necessary to re-evaluate the programs in light of their general objective: helping educate personnel on expected behavior and improving the connection between peoples’ actions and their resultant impact. If a training and awareness program doesn’t help connect people to the rationale and importance of a policy, giving it meaning for their daily responsibilities, then it’s not going to win buy-in, and subsequently won’t have the desired outcome of improving decisions that have an impact on security.

5) Audit & Quality, Beyond Checkboxes: The traditional audit routine of listing a bunch of yes/no questions does not help the organization effectively manage risk. Effectiveness is directly tied to the usefulness of the questions asked and the degree of useful data generated by the answers. Tying audit and quality management to specific requirements, assets and objectives will create opportunities for improved visibility into practices, which will improve the organization’s ability to more effectively manage risk. That advice is doubly important for IT solution providers working with cloud services providers to ensure that your organization can be effective in managing cloud risk.

Whether you know it or not, there's a very good chance that your organization is moving data or applications into the cloud, if they've not not already done so. It's imperative that you build-out your GRC program, and as soon as possible. If you neglect a robust GRC program, then you can expect unfortunate surprises along the way as GRC is perhaps one of the most important parts — if not the most important — of your cloud security strategy.