Through our many risk assessments of cloud services we have collected a few practical tips which you may find useful in selecting the right cloud services.
I. Do the risk assessment early. On a number of occasions a cloud service has advanced to pilot stage before any risk assessment was done. The assessment then identifies key risks that require remediation or mitigation, and the result is either a severe impact on the rollout plan or abandonment of the project.
II. Data classification. Make sure the business understands the need to classify the data and/or business process, so that the appropriate security controls are understood and implemented by the cloud provider.
III. Service availability. Ensure the cloud provider's service recovery plan aligns with business expectations. A fee credit for an outage is nice to have, but it is irrelevant compared with a commitment to restore service within a time period the business has agreed to.
IV. Incident management. The company's information security policies and procedures define the responsibilities, actions and reporting requirements in the event of an incident. The shift to the cloud blurs responsibilities between the company and the cloud provider. The service level agreement needs to reflect a clear understanding of who is responsible for taking action in relation to a security incident, and of the reporting protocols between the two parties.
V. IaaS preferred providers. Perform a risk assessment on a select group of IaaS providers. Initially this can be achieved by a self-assessment questionnaire, a security review, or confirmation of their compliance with industry standards or a risk management framework. Once assessed, the company has a baseline rating for each provider that it can recommend to business units, depending on the provider's technical controls and how they map to the data integrity, availability and confidentiality needs of the workload.
VI. Compliance requirements. The business unit considering a cloud deployment must clearly understand the company's own security compliance requirements and risk appetite. These need to be conveyed to the cloud provider so it can support the appropriate level of risk assessment and audit. Cloud providers can be considerably reluctant to allow testing of their applications and infrastructure after deployment if this has not been agreed upfront, so have the right to assess and test written into the agreement before deployment.
VII. PaaS and SaaS services. Make sure data integrity, availability and confidentiality requirements are agreed. Where possible, have these services deployed on the platform of one of the IaaS preferred suppliers, so that the already assessed baseline applies.
VIII. Impact of an outage. The increasing interdependence of cloud and on-premises data should not be underestimated. The impact that an incident or outage of a cloud service would have on the company's overall operation needs to be quantified and reflected in the corporate risk register.
IX. Cloud assessment document. Develop a cloud computing security assessment document based on the ASD (Australian Signals Directorate) publication "Cloud Computing Security Considerations" and apply appropriate risk ratings. Potential cloud providers can complete this assessment document early in a project lifecycle, avoiding wasted time and resources on a solution that will not match the company's risk profile.
Greg Starkey
Business Development Manager, Government & Commercial
www.cqr.com