Why Organisations Should Adopt a Cloud Security Framework
The cloud is the future of enterprise architecture. It’s economical (to a degree), it’s scalable, it’s flexible and – best of all – it’s someone else’s responsibility. Again, to a point. That’s because the cloud comes with its own set of security and governance challenges.
1. Controlling the sprawl
An average employee uses about 36 cloud-based services daily, while enterprises store about 60% of their data on the cloud. Controlling this sudden, often unintended explosion of cloud usage can pose a major challenge. Uncontrollable usage often translates to higher costs, decreased efficiencies, and increased security issues.
Whenever a third party is involved in processing data or maintaining infrastructure, it will always add an extra layer of risk. What’s more, as businesses grow and evolve, if they don’t invest enough in managing, monitoring and securing this sprawl, these risks tend to get amplified. Like a junk drawer where stuff is randomly thrown in, eventually things become unmanageable.
2. Maintaining control and ownership
As cloud adoption spreads, one of the bigger security and privacy challenges for cloud service customers is having to relinquish a significant amount of control and ownership of their data and infrastructure to cloud service providers (CSPs).
Every CSP implements security differently, and every cloud model (software-as-a-service, infrastructure-as-a-service, platform-as-a-service, etc.) comes with a different split of security control ownership, which is why it can be difficult to meet all security requirements. CSPs may not have an in-depth understanding of every security use case enterprises require, which can present an additional hurdle.
3. Lack of clarity on security responsibility
Many organisations jump straight into SaaS without thoroughly vetting what security protocols are in place or establishing rules of engagement for their internal resources as well as the outsourced provider. When dealing with the cloud, customers need to be aware of the shared responsibility model and must understand what’s underneath the cloud platform – what security controls exist and whether additional safeguards need to be built.
In other words, organisations can no longer ignore or abdicate responsibility, or assume that all controls are being managed by the CSP. Organisations should do their own due diligence, selecting the right controls once they are clear on the security context; otherwise they may fail to address their risk profile in the right manner.
How does a cloud cyber security framework help?
A cloud cyber security control framework provides a systematic approach to identifying, assessing, and mitigating security risks. It provides step-by-step guidance on which security controls should be implemented by which parties across the entire cloud supply chain.
There are a number of different cloud cyber security control frameworks available, including the ISF Standard of Good Practice (SOGP), the Cloud Controls Matrix (CCM) proposed by the Cloud Security Alliance, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and ISO/IEC 27002. Let’s look at some of the most obvious advantages of adopting one of them.
1. It provides a robust view of control and capabilities
Frameworks help establish best practices for risk management in the cloud. They help organisations maintain a record of cloud services, their usage, security controls and capabilities across on-premises, off-premises, private and public cloud. This in turn provides a holistic view of security and helps the business keep up with its evolving security requirements. Frameworks not only help fine-tune security tactics in line with business goals, but also help identify or clarify which goals the business needs to prioritise.
2. Streamlines compliance, reduces duplication and chaos
Most businesses must comply with multiple standards — this can be complex and chaotic for compliance teams. On some days you’ll have to run a NIST survey, some days PCI, other days ISO, and so on. In the end, you’ll duplicate workloads and put the organisation through redundant paperwork. To overcome this redundancy, modern standards offer mappings and cross-references to other leading standards.
3. Establishes clear rules and expectations
Security goes beyond just technical controls. A lot of processes need to be engaged to limit the potential exposure of SaaS services. Where does the data reside? Does the CSP outsource to other suppliers? Are breach notifications reported in a timely way? From a governance standpoint, there are many compliance requirements, and this is where a framework shines. Frameworks help clearly define the tools and processes, the baseline rules and expectations, and the individuals responsible for maintaining these cloud services and their security.
4. Helps better prioritise and justify security investments
Leadership teams have an important role to play in governance and policy making. They must have confidence in the security team, a clear idea of security priorities, and an understanding of how those priorities align with the business trajectory. Security teams that leverage frameworks can avoid overspending on security that’s inessential.
No framework is perfect, so choose your cloud security framework carefully.