Assess Security Risks with Cloud-Computing

Daniel Paula, CSSP (Certified Cloud Security Professional) and former SVP, Information Security Risk, Charles Schwab

What are the emerging trends that are going to shape the role of risk management in the future?

Cloud-computing solutions continue to evolve and get adopted by several organizations across the industry. Though there are plenty of security specific challenges, the benefits to organizations are huge, which includes high availability, scalability of the environment, with auto-scale capabilities, flexibility, choice of environments, and more. All the factors mentioned above benefit the proposition that eventually directs to cost-reduction. The industry has different deployment models such as private clouds, public clouds, a hybrid as well as community clouds and different service models such as Infrastructure as a Service model, (IaaS), Platform as a Service (PaaS) and more. This is a tremendous opportunity but there is security risk associated with the cloud, which is left unnoticed some times.

What are the technological challenges that cloud-computing technology has been facing with regards to security and data handling?

Data stored in cloud-environments need specific care due to the large requirement of regulatory and legal frameworks. It also depends on different risk scenarios, such as when and where the data is exposed or how data is consumed while in transit. This isa not a new reality that organizations did not have to deal with before cloud-computing came into the picture. So, when considering security controls of the systems or the data center, they offer similar control strategies such as encryption and access controls that work in the cloud environment.

Data stored in cloud-environments need specific care due to complex regulatory and legal requirements

There are some security control aspects that are unique to cloud computing such as the security controls for virtualized environments, which involves attacks against the host system files and the hypervisors. Virtualization security in general is crucial as well as unique to the cloud systems.

New unique risks such as the vendor contract lock-in and privacy requirements that are driven by -geolocation of the data are also important and need to be accounted for in a cloud migration strategy.

So, business leaders, in particular, should have a clear cloud strategy that is capable of articulating not only the business value, roles and responsibilities between the firm and its cloud providers, but which is also inclusive of key governance and strong controls that mitigate security risks to the organization to an acceptable level. The focus of such strategy should be making the organization resilient. This means focusing on the organization’s ability to withstand, anticipate, respond, and later evolve from an attack, and build a resilient control stack rather than spending time avoiding every cyber threat, which is not only technically extremely difficult but also very costly.

What is the piece of advice that you would want to give to your industry peers?

The cloud risk management landscape has ample opportunities for learners and innovators alike. The field of cloud computing has changed the way corporations purchase and utilize technology. For instance, one renowned bank has announced it has moved away from physical data centers, and all its information is now on the cloud. However, as much as cloud computing brings a lot of innovation, the foundational elements haven’t changed in areas such as security, privacy, and risk and controls. Keysecurity controls such as encryption, access management, privileged accounts, data loss prevention might not be new,but they are revised, and need to be accounted for when adopting new technologies like cloud computing.

Check Out: Top Cloud Solution Companies