Discover Performance

With cloud security practices still evolving, CIOs and CISOs should proactively assess and govern security risks.
 
The opportunities presented by cloud solutions continue to grow, as does adoption. Businesses are angling to better control costs and/or enable innovation. Yet at the same time, security remains a concern for many enterprises. How cloud vendors, and cloud customers, approach security is still developing, and best practices and policies are just emerging.
 
Security consistently ranks among the top three concerns that business leaders express when asked why they are reluctant to move critical data to the cloud. So as you lead IT toward the advantages of cloud apps and infrastructure, how should your team approach security when evaluating cloud alternatives?

1. Measure your vendors’ security compliance against standards and best practices.

It would be great to perform a direct audit of your IT vendors, examining every aspect of cloud security compliance against an industry standard. But direct auditing is rarely, if ever, allowed, and industry standards are still being drawn up. The next best thing is to rely on verified compliance, but against what standards? We have ISO 27001, the Cloud Security Alliance (CSA), and a range of best-practice-level guidelines such as SAS 70—but that’s about it for now.
 
Your best approach? Start by looking for a vendor who has proven compliance with ISO—that’s the big one. Drill down to discuss CSA recommendations, SAS 70 and other guidance that suits your specific use cases.

And most importantly, you or your chief security officer need to understand what is most important to you and your business when it comes to security and discuss it with the vendor’s CISO.

2. Weigh the criticality of your data versus potential security risks.

Certain types of sensitive data—HR files, healthcare records, payroll info, sensitive product plans—are at great risk if shared via solutions that are not sufficiently secure. The key is to risk-rank your data from highly critical to public, then think about where it should reside, how long it needs to be protected, and what protection schemes are appropriate. Consider the business value versus risk.

3. Create an internal team that’s responsible for continuous risk assessment.

Many businesses find that the best way to avoid “point in time” risk assessment is to create an internal team specifically tasked with this responsibility. Companies that already have external and internal audit functions to meet regulatory requirements may incorporate cloud risk assessment into those processes.
 
This doesn’t have to be a new layer of bureaucracy—it’s just a matter of making sure someone has the responsibility and expertise to keep an eye on the issue. This internal IT security layer can provide proactive risk assessment and recommendations across the organization. Aim to automate these practices where possible, eliminating manual steps and/or repetitive tasks to enhance efficiency and accuracy.

4. Educate your employees about how the cloud changes the role of IT security.

Security is everyone’s concern—and everyone’s responsibility. This has always been the case, but the cloud only emphasizes this fact. Companies of every size need to build an understanding of the potential business risks associated with unsecured applications and data. The challenge is to make sure every employee understands the implications of allowing critical business data to be inadequately secured in a cloud context. You can help by shifting the mindset from “controlling security” to “governing security and risk.” This means being proactive instead of reactive—putting governance processes in place to avoid problems before they ever arise.
 
We all know that in today’s typical enterprise, procuring cloud-based services is easy and pervasive. Workers need to think before they procure cloud services and store or share data in the cloud. By clearly defining the role of the CISO/security team in the cloud environment, and establishing risk-avoidance best practices, you take a big step in getting employee support.

The CISO’s role

The rise of cloud solutions is one of the factors reshaping the role of IT security teams. While security has often been approached as something bolted on at the end of the process, a “baked-in” approach is increasingly taking shape. The above steps all incorporate security leaders early in the process—initial assessment of cloud options, internal education, and continuous assessment of risk-management and compliance needs.
 
This more thorough integration of the CISO’s team into enterprise security underscores a collateral advantage of cloud: It drives the organization to take a more comprehensive, more effective approach to risk governance.

To find out more about how to evaluate security solutions for the cloud, go to hp.com/go/cloud, and look specifically at software as a service at hp.com/go/saas.