The need for maintaining security compliance on cloud
It is clear that cloud computing is one of the corporate trends that has developed most to date, being adopted by many organizations as a solution to their data processing problems. But are the implications understood? Are the risks acknowledged? Is enough done to minimize them? Below, the main aspects to be analyzed in the move to cloud computing are highlighted, together with the points to address in each of them, both from the standpoint of compliance with personal data protection rules and from that of security:
Addressing cloud security risks and ensuring enterprise data security and compliance is one of the biggest challenges businesses face in today's mixed infrastructures. Numerous studies have shown that by no means all business cloud applications meet the standards set by network security companies. On the other hand, the security that cloud providers themselves guarantee is also a reason many user companies choose these services.
Governance and Risk Management in the Company: the organization's capacity to control and measure the business risk introduced by migrating systems or services to cloud computing must be evaluated, based on aspects such as legal precedents for breach of agreements, the ability of users to adequately assess the risk of a cloud provider, etc.
Legal aspects (Contracts and Electronic Discovery): The requirements for the protection of information and data processing systems, laws on security breaches due to disclosure, regulatory and privacy requirements, international laws, etc. should be analyzed.
Legal Compliance and Audit: the level of compliance with internal security policies and with the various cloud compliance requirements (regulatory, legislative and other) must be assessed so that compliance can be demonstrated during an audit. In this regard, it is essential to take into account the transparency of the service.
Information and Data Security Management: the aspects surrounding the identification and control of data in the cloud should be analyzed, as well as which compensating controls can be used to address the loss of physical control when moving data to the cloud, and who is responsible for confidentiality, integrity and availability. Also, under data protection regulations, the cloud service provider must undertake to guarantee confidentiality, to use the data only for the contracted services, and to instruct its staff to maintain confidentiality.
Portability and Interoperability: the ability to move data/services from one provider to another, or to bring them back into the organization, should be analyzed, together with issues of interoperability between providers. This is an important aspect to take into account when using cloud services, especially public ones, because the less open the provider is to portability, the greater the difficulty, or even impossibility, of making that transfer at a reasonable cost, which in practice leaves the customer captive to the supplier.
Physical Security, Business Continuity and Disaster Recovery: cloud computing affects the operational processes and procedures currently used to implement these three aspects; therefore, the business continuity, disaster recovery and physical security environments of cloud service providers must be thoroughly evaluated against industry standards.
Incident Response, Notification and Resolution: the necessary elements must be identified, at both the provider and user level, to achieve efficient and effective management of security incidents involving cloud resources.
Application Security: application software that runs in the cloud or is being developed in the cloud must be secured. This includes aspects such as whether it is appropriate to migrate or design an application to run in the cloud and, if this is the case, what type of platform is most appropriate (SaaS, PaaS or IaaS).
Identity and Access Management: the access management, identity, authentication and authorization requirements for each cloud application must be identified. To do this, identity management and the use of directory services must be analyzed to provide access control, taking into account the problems encountered when extending the organization's identity into the cloud and assessing the degree of organizational readiness for carrying out cloud-based Identity, Entitlement and Access Management.
Virtualization: the risks associated with multi-tenancy, isolation, and co-residence of Virtual Machines, hypervisor vulnerabilities, etc. must be analyzed.
Addressing concrete, quality solutions requires analyzing each case individually, studying the business model and the information associated with the cloud service. However, below is a quick method to determine the feasibility of moving an asset to one of the cloud models, which can help produce a preliminary risk assessment and support appropriate security decisions.
Identify the Assets that you want to deploy in Cloud: determine precisely what data and functionalities you are considering moving.
Value the assets: determine the importance of the operations and/or data for the organization (value assets by their needs for confidentiality, integrity and availability, and by how the risk varies if the asset is moved wholly or partially to the cloud).
Assess the asset in the different cloud deployment models: identify the deployment models that best fit. Before looking for possible service providers, it should be known whether the risks of the different models are acceptable: public, private, community or hybrid cloud; and the hosting scenarios: internal, external or combined.
Assess potential service models (IaaS, PaaS and SaaS) and cloud providers: this step focuses on the degree of control that will be available at each level of cloud service, in order to implement risk control measures.
Describe the data flow: if a specific deployment is being evaluated, the data flows between the organization, the cloud service, the clients and the other actors involved must be described. Although much of this description should already have been produced in the previous phases, it is essential to understand whether the data is moved to the cloud, and how, before making a final decision.
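The five steps above can be carried through as a small, repeatable triage. The following Python script is an added example and is not code from the original article: it values an asset on the CIA triad (step 2), applies a loss-of-control factor per deployment model (step 3), splits the controls the asset needs between what the customer can still implement under each service model and what only the provider can give (step 4), and uses the data-flow answer (step 5) to decide whether confidentiality exposure actually changes. Every weight, threshold, control name and the shared-responsibility split are constructed assumptions standing in for an organization's own risk appetite and control catalogue, not figures from the article or any provider.

```python
"""Preliminary cloud risk triage for moving one asset to a cloud model.

Added example, not code from the original article. All weights, thresholds,
control names and the shared-responsibility split below are constructed
assumptions; replace them with the organization's own catalogue.
"""
from dataclasses import dataclass


# Step 2: each asset is valued 1 (low) to 3 (high) on confidentiality,
# integrity and availability.
@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int
    integrity: int
    availability: int
    data_leaves_org: bool  # step 5: does the data flow cross into the provider?


# Step 3: assumed multiplier for loss of physical control per deployment model
# (1.0 means no change compared with keeping the asset in-house).
DEPLOYMENT_EXPOSURE = {"private": 1.0, "community": 1.3, "hybrid": 1.4, "public": 1.8}

# Step 4: assumed shared-responsibility split. Each set lists the controls the
# customer can still implement directly under that service model.
CUSTOMER_CONTROLS = {
    "IaaS": {"os hardening", "network segmentation", "application security",
             "identity and access", "data encryption", "backup and recovery",
             "change management", "audit logging"},
    "PaaS": {"application security", "identity and access", "data encryption",
             "backup and recovery", "change management", "audit logging"},
    "SaaS": {"identity and access", "data classification", "audit logging"},
}

# Assumed controls an asset needs once a CIA dimension is rated high (3).
CONTROLS_FOR_NEED = {
    "confidentiality": {"data encryption", "identity and access", "physical security"},
    "integrity": {"application security", "change management", "audit logging"},
    "availability": {"backup and recovery", "disaster recovery", "physical security"},
}

REJECT_THRESHOLD = 14.0  # assumed risk appetite; maximum possible score is 16.2


def required_controls(asset):
    """Controls demanded by every CIA dimension the asset rates as high."""
    needed = set()
    for dimension, controls in CONTROLS_FOR_NEED.items():
        if getattr(asset, dimension) >= 3:
            needed |= controls
    return needed


def risk_score(asset, deployment):
    """CIA values scaled by the deployment model's loss-of-control factor."""
    exposure = DEPLOYMENT_EXPOSURE[deployment]
    # Compute-only use where data never leaves the organization keeps
    # confidentiality exposure at the in-house level.
    conf_exposure = exposure if asset.data_leaves_org else 1.0
    return round(asset.confidentiality * conf_exposure
                 + asset.integrity * exposure
                 + asset.availability * exposure, 2)


def triage(asset, deployment, service_model):
    """Return the preliminary decision and the control split for one candidate."""
    score = risk_score(asset, deployment)
    needed = required_controls(asset)
    own = needed & CUSTOMER_CONTROLS[service_model]
    # Needed controls the customer cannot implement must be assured through
    # the contract, audit evidence or SLAs before the move is accepted.
    provider = needed - own
    if score > REJECT_THRESHOLD:
        decision = "reject"
    elif provider:
        decision = "accept with contractual assurance"
    else:
        decision = "accept"
    return {"asset": asset.name, "deployment": deployment, "service": service_model,
            "score": score, "customer_controls": sorted(own),
            "provider_assurance": sorted(provider), "decision": decision}


if __name__ == "__main__":
    # Constructed sample assets, not taken from any real inventory.
    payroll = Asset("payroll", 3, 3, 2, True)
    website = Asset("public website", 1, 2, 2, True)
    batch = Asset("batch analytics", 3, 2, 1, False)
    for asset, dep, svc in [(payroll, "public", "SaaS"), (payroll, "hybrid", "IaaS"),
                            (website, "public", "SaaS"), (batch, "public", "PaaS")]:
        print(triage(asset, dep, svc))
```

The useful output is not the score alone but the `provider_assurance` list: it names exactly which of the asset's required controls fall on the provider under the chosen service model, which is the list to take into the contract review, audit and physical-security evaluation described in the earlier sections.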
When properly planned, implemented and governed, the cloud can be a great catalyst for process improvement and a great driver of business transformation. Cloud service providers work tirelessly to improve their security and resilience capabilities. In reality, on-premises systems may not be any safer than the cloud. The security and reliability risks may not outweigh the lost opportunity to transform an organization through strategic use of the cloud. Cloud initiatives built on business strategy, coupled with robust risk management processes, have the potential to accelerate business innovation, transform the customer experience and improve competitive advantage.