Advisory Insights – Cloud Creep Part II: Triaging cloud computing risks

By Richard Ray, Information Technology Advisory Services Consulting Executive

The hit TV show M.A.S.H. was about a military hospital in Korea, and in almost every episode a helicopter would fly in with wounded soldiers and the medical team would triage those most critically injured, helping them first. Managing the risks of cloud computing is a triage effort as well. It is important to focus on the few things that will mitigate the most risk.

If you read Part I of “Cloud Creep: The hidden risks of the growing use of cloud computing” you may be wondering whether the risks associated with cloud computing are worth the potential benefits. Cloud computing can be done successfully with reasonable security precautions and a governing framework. If an organization follows the 5 pillars of reducing the risks of cloud creep described below, the dozen risks we discussed in Part I would be addressed in one way or another.

5 Pillars of Reducing the Risks of Cloud Creep:

  1. Perform an IT Security Assessment – or seek out a security therapist who will help your security program confess the truth!

We strongly recommend having an experienced external security team come in and perform an “IT Security Assessment” of your IT security procedures, policies, awareness training, and overall security program. Throw your security program on the security therapist’s couch and embrace the results, whatever they may be! See the truth clearly regarding the entire scope of your IT security. For example, find out if there are “shadow IT” activities going on, discover if you have major cloud creep occurring, find out if IT controls are in place to enforce appropriate access, confirm your systems are compliant with regulations, know whether your web pages are vulnerable to hackers, know the vulnerabilities of your data, and verify you have adequately evaluated your current cloud providers. Seek out the truth regarding your security program, embrace that revealed truth, and quickly implement the “IT Security Assessment” improvement recommendations.

  2. Develop a Cloud Services Agreement – or adopt the cloud computing provider as part of your organization’s family!

Treat cloud providers as if they were an extension of your organization by requiring the same level of security and procedural discipline from them as you do in your own organization. Cloud providers need to fall under your Vendor Management policies and procedures. If you have assessed your security program and corrected any major vulnerabilities, then simply expect the same level of excellence from your cloud providers. Define a “Cloud Services Agreement”, or similar contract arrangement, with your cloud providers and clearly document your expectations for: managing security, establishing and maintaining audit controls, maintaining agreed service levels, logging and reporting requirements, accessing your data, and gracefully exiting the contract. This is especially important with cloud providers that run your critical systems or store confidential data. Include in the agreement any certifications the provider must hold to meet your certification requirements. If the cloud provider is not willing to work with you or their existing security methods do not meet your expectations, then walk away; do not adopt them into the family. You might consider requiring your cloud provider to have had a SOC 2 audit from an independent accounting firm and request to see the report, especially if they are storing your confidential data.

  3. Search for security vulnerabilities in your network environment – or trust but verify!

Do not just trust that the cloud service provider is doing the right things; verify they are doing the right things. Run Network Penetration Testing on your own computing environment (a testing procedure that attempts to break into a computer system and simulates what hackers would do to steal your data) and ask for evidence that your cloud provider has done the same type of test. For all your critical systems in the cloud, visit the cloud provider’s data center, take a tour, ask to see a copy of any certification documentation, and make sure they meet your checklist of requirements. Good relationships are based on trust, and trust starts with complete transparency – demand that your cloud providers be transparent and forthcoming with information when requested. Verify that the key elements in your cloud services agreement really exist. For example, “Do they really have the physical security you require?” Ask to see their disaster recovery plan, look at their change management procedures, verify they have a written incident response plan, and so on – trust but verify.

  4. Understand and Document Roles and Responsibilities – or everyone has a chores list!

Define the cross-organizational and cloud provider roles and responsibilities clearly in a matrix, usually called a “RACI” (Responsible, Accountable, Consulted, Informed) matrix, where it is spelled out who owns each security function and assignment. The cloud changes the way things have always been done; it creates complexities and new processes and procedures to follow. Make sure roles and responsibilities are clearly defined in the cloud service agreement. Verify that the provider has accountability for responding to incidents such as data breaches and system failures. Add these roles and responsibilities to the cloud service agreement contract. For example, integrate cloud providers running your most critical systems or managing sensitive data into your incident response plan. Confirm the provider clearly understands their responsibilities and is prepared to follow your incident response plan procedures.

  5. Develop a Cloud Computing Policy – or business objectives drive cloud strategy, not the other way around.

The cloud can enable a wide variety of business capabilities, but if the organization does not have a carefully crafted strategy for deciding when to use the cloud and when not to, then “Cloud Creep” will expand along with risk. Evaluation of moving business processes or data to the cloud should include questions such as: What is moving to the cloud? What is the delivery method (Software-as-a-Service, Platform-as-a-Service, Infrastructure-as-a-Service, Business-Process-as-a-Service)? How will it be deployed (Public cloud, Private cloud, Hybrid cloud)? How can security controls be implemented successfully? What are the major risks of moving this application to the cloud? Develop a set of clear cloud computing standards, or a “cloud computing policy document”, that establishes cloud computing disciplines and governance across the organization. Integrate this policy with the IT Security Program and Vendor Management policies to drive the decision-making process for how to use the cloud successfully. Business strategy should always drive decisions concerning cloud provider use.

Reducing the risks of cloud computing starts with a reality check, a sort of triage approach, in the form of an effective “IT Security Assessment”, followed by the development of a “Cloud Service Agreement” aligned with the organization’s security program requirements. Next, testing and validating a cloud provider’s capabilities, certifications, and procedures is critical to making sure the provider will integrate well with the organization and its goals. Clearly understanding the roles and responsibilities between your organization and the cloud provider is the cornerstone of building an effective cloud partnership. Finally, developing an effective cloud computing policy will ensure that business strategy drives cloud decisions and limits “Cloud Creep”.

If you have any questions about this content, please contact the author, Information Technology Advisory Services Consulting Executive Richard Ray, at rray@hogantaylor.com.