According to industry experts, 2011 has been deemed the “Year of the Data Breach,” unfortunately giving cloud computing the reputation of being insecure. For this reason, it’s essential that organizations in the cloud, as well as organizations considering a move to the cloud, understand and implement an effect governance framework in the cloud.
What is Cloud Governance?
Cloud governance is a broad term, used to refer to the application of policies to the use of cloud services. The opposite of cloud governance would be a free-for-all, in which cloud services are used by organizations without any effective oversight. Cloud governance counteracts this chaotic environment by putting in place policies for the use and control of cloud services. These policies aim to limit the leakage of private information to the cloud and put restrictions on the excessive use of cloud services. The objective of cloud governance is to ensure that the cloud can be used in safety and confidence.
“Organizations need to develop strict governance frameworks to ensure cloud infrastructure and operations are as secure – if not more secure – than traditional on-premise approaches to protect corporate data and critical systems. As hybrid on-premise cloud environments become the norm in the coming years, organizations will need a comprehensive way to protect data across this environment. Data will need to be secure regardless of where it resides and governance frameworks are a key component to ensuring a comprehensive approach to information protection.”
Cloud service providers typically do not need to communicate service downtime information to their clients in advance. However, when a service outage takes place for unforeseen reasons, the service provider does not bear responsibility for communicating this to their users. Experts point out that for many service providers, client-side governance has a long way to go.
A Governance Framework in Five Steps
The Cloud Computing Journal outlines five steps for creating a governance framework to ensure cloud security. The steps are briefly described below:
- Understand the insider threat – The first step is to assess the insider threat and develop policies that address potentially dangerous insider behavior. This includes both malicious behavior, as well as inadvertent changes that may cause significant risk or damage to an organization’s IT infrastructure. In order to develop a powerful cloud security platform, organizations are required to develop and enforce strong policies that are relevant and actionable.
Leadership is required to instill awareness in employees regarding the meaning of security, its impact on the organization; and employees’ roles and responsibilities regarding security.
- Implement a horizontal audit compliance framework – An effective audit tool must show where organizations are vulnerable in horizontal, rather than vertical terms. In large organizations, it is extremely common for vertical business units to communicate with each other on an infrequent basis. In order to address this, leadership must create a horizontal audit compliance framework that provides a view across all business units and integrates various information streams in an intelligent manner.
- Manage identity and access – In order to address this challenge, IT departments must extend their existing identity management initiatives to include cloud environments, or establish a process for collectively managing identities across all systems in order to secure corporate data and systems. An effective governance framework must put a solution in place that looks beyond the operating system and incorporates all platforms, applications and databases. An access governance tool must be developed on top of this.
- Leverage security information and event management deployment – Certain organizations may consider increasing security controls as they move their IT systems to the cloud. An organization’s Security Information and Event Management (SIEM) solution must be able to integrate data from the cloud, in addition to data from the identity and access management (IAM) solution. This provides a complete view of the organization’s security posture.
- Consider a governance framework solution – Experts discourage organizations from building a governance framework from scratch; why reinvent the wheel? There are a number of IT service management solutions, or dashboards, that offer drill-down functionality to all IT governance, risk and compliance (GRC) and security elements.
Organizations which already of IT service management solutions in place may want to consider extending the solution to include security and compliance requirements in physical, virtual and cloud environments as well.
This article examines the necessity of developing a governance framework for cloud environments. Cloud governance refers to the application of policies to the use of cloud services and ensures that cloud computing can be used in safety and confidence. The article also takes a look at five steps for creating a governance framework, which include: insider abuse; horizontal audit compliance frameworks; identity and access management; using security information and event management deployment; and governance framework solutions.
CCSK Exam Preparation
In preparation for the Certificate of Cloud Security Knowledge (CCSK), a security professional should be comfortable with topics related to this post, including:
- Auditor requirements (Domain 4)
- Insider abuse (Domain 7)
- Key management standards (Domain 11)