Cloud Security Governance — A way to keep your cloud secure
In my last post I went over the importance of having a cloud security roadmap for your organization to properly implement security in a phased manner. Whichever model you implement be it Infrastructure as a Service, (IaaS) , Platform as a Service (PaaS) or Software as a Service (SaaS) the importance of having a proper roadmap cannot be underestimated. But one key question remains is what next ? i.e. what happens after the roadmap is implemented. This brings us to the topic of this post which is having a proper cloud security governance model in place which puts in a framework for maintaining your cloud security posture.
Let us understand why it is so important :
What makes Cloud Security fail ?
In my own experience and as per the experts, some of the main reasons that Cloud Security implementations fail are below :
- Treating it like any other cyber-security project. The Cloud is a different animal and a completely new way of doing things to boot. Treating it like a project which you finish and then hand over is a sure fire way to have a data breach down the road. Treat the cloud as a separate environment as critical as your on-prem one with the same level of governance required
- Not formalizing who is responsible for what. Many companies fail to set down who will be responsible for implementing security controls , patching , monitoring etc. in the cloud leading to ambiguities which can be disastrous. Make sure a formal and approved org chart is setup which clearly establishes who is responsible for cloud security in your organization. If your organization is planning to out-source the majority of its cloud work then make sure your org chart reflects that too.
- Not having a roadmap / ont aligning your cloud security roadmap with the business strategy. Without a proper strategy in place you will just be buying / implementing controls with no idea of the larger picture of the problem you are trying to solve. Similarly the cloud does not exist in a bubble and has to be aligned with your overall business strategy. If the company is planning to use AWS in the next three years then maybe investing in Azure based tools is not the way to go in the long run.
- Not informing management about the status of controls and the return on investment. A long running challenge is cyber-security is not having proper metrics to report to management. Without metrics you will not have visibility and will not able to report the status of controls to management. Without visibility management will not see return on investment and not provide future approvals for tools you will need
The above challenges are just some of reasons for having a Cloud Security Governance framework to put in place.
What is Cloud Security Governance
Before we get into what Cloud Security Governance is .. let me be clear about what it is not . Cloud Security Governance is not :
- A tool or commercial product which you implement
- A Policy which you write and then forget about after passing an audit
- A checklist
- A standard ( although those help ! )
- A certification which you acquire
Rather Cloud Security Governance refers to a formal management model / framework you put into place to make sure all the cloud security processes remain working and functional. This is critical as you will be surprised to know that in many companies once the cloud security roadmap has been implemented, there is still confusion about who will handle cloud security , who will do patching , who will report security breaches etc. This is why having a Cloud Security Governance model is so important.
The level and detail of a Cloud Security Governance model may change from organization to organization but there are some things which remain the same. If your organization is regulated by standards like NIST, PCI etc. then you have a list of minimum controls to implement. The Cloud Security Alliance also offers some great guidance on how to go about implementing a framework also as does Amazon Web Services.
Regardless of the organization, some of the minimum components of a cloud security governance model are :
- A formal Cloud Security policy approved by management
- A cloud security roadmap or strategy to implement that policy AND align it with the larger business strategy of the company
- A proper organizational chart formalizing who is responsible for cloud security
- Reporting metrics for senior management visibility into cloud risks
The key questions which a cloud security governance model helps to answer is :
- What is handling cloud security in our organization ?
- How secure is our cloud ?
- Are our cloud security investments giving us value ?
- What are the key risks we should know about ?