A risk management approach for cloud security

by CXOtoday News Desk    Jan 03, 2013

While cloud services are expected to see wide adoption over the next year, the traction they gain will depend on how enterprises view providers' security lapses, with weak SLAs being the primary concern.

With the cloud gaining more popularity over the coming years, many executives are wondering whether external providers can ensure their company’s data will be protected while keeping up with compliance and regulations governing where data can be stored and who can access it.

One of the concerns for CIOs and CROs is whether building a private cloud will create a single point of vulnerability by aggregating many different types of sensitive data onto a single platform.

Enterprises that have all kinds of sensitive information to protect, and various cloud solutions to choose from, must balance the cloud’s benefits against its risks: data breach, loss of confidentiality, compromise of identity and access integrity, and loss of system availability.

According to a McKinsey Quarterly report, traditional platforms at most organizations carry significant information risks that can actually be mitigated by moving to a more highly scaled and automated environment.

The report stated that terms and conditions exist for allocating liability for security breaches, downtime, and non-compliance events between providers and enterprises. They may be unwieldy, but they are well understood by providers, law firms, and—in many cases—CIOs and CROs.

While contracting for the cloud varies with each enterprise, many sectors, banking for example, are still wary of compliance issues. “This is a problem for institutions dealing in personally identifiable information because often they must keep some customer data in certain jurisdictions and face regulatory action if they do not. At this point, CIOs and CROs that we have interviewed largely do not believe that most public-cloud providers can give them the guarantees they require to protect their institutions from this type of regulatory action…we are simply in the early days of contracting for enterprise-class services. How to draft the required terms and conditions will remain an open question until litigation has identified the critical issues and legal precedent has been established for resolving those issues,” the report notes.

McKinsey also reported that cloud solutions improve transparency. For example, the centralized and virtualized nature of the cloud can simplify log and event management, allowing IT managers to see emerging security or resiliency problems earlier than might otherwise be possible. Likewise, in cloud environments, operators can solve problems once and apply the solutions universally by using robust automation tools. Perhaps more important, technology organizations can focus their security investments on a small number of highly scaled environments.

To manage the security concerns faced by enterprises, the report outlines a few combinations of control and opportunities to tap vendor capabilities. “One option is on-premises managed private-cloud services, in which third-party vendors provide a service that operates like an external cloud offering but is located in an enterprise’s own facility and is dedicated to the organization.

Some flavours of virtual private clouds can be used; these are similar to public clouds in that the solution is externally managed, but like private clouds, they offer dedicated capacity, such as resource pools, that are reserved for each client.

Community clouds feature infrastructure that is shared by several organizations and meets the needs of a specific community of users. Community clouds may, for example, provide industry-specific solutions that ensure compliance with relevant regulations.”