Extend risk boundaries to the cloud

The question is not whether you will integrate cloud services, but how well you will manage the associated risk. Tom Olzak outlines a practical approach to risk management.

Cloud computing is a nebulous concept, defying the attempts of many to even define it.  However, use it we must.  Business value is enhanced by it and competitive edge is often lost by ignoring it.  So we need to understand how to safely integrate this emerging technology into our business processes.

Defining the cloud

For clarity, I define cloud computing as any infrastructure or service provided by and from a third party location that supports or delivers business processes. To maximize business value, it should also provide on-demand scalability and enhanced business continuity processes. Examples include:

  • Vendor developed and hosted Web services, integrated into systems developed in-house but accessed across the Web
  • Vendor managed servers hosting applications developed and managed by in-house staff
  • Moving complete systems (e.g. payroll, accounting) to a vendor hosted site

As the cloud matures, the services provided change and grow. However, the basic premise is that it provides flexibility to large organizations and opportunities to SMBs that might otherwise break the budget.

It’s all about risk

From my perspective as a security professional, assessing and managing risk associated with cloud services is simply an adjustment to my existing risk management processes.  Okay, so the answer is simple; actual implementation takes a little work.

If you don’t have a risk management framework in place, creating one is your first step.  Protecting your organization’s data is all about balancing risk with business need.  Formal processes designed to identify, mitigate, and report risk are necessary when working with business managers—and auditors—to achieve the right balance.  If you have a documented framework in place, you just have to extend it.

Figure 1 is a simple model of the risk boundary of many organizations.  Security analysts perform risk assessments when IT designs and implements internal solutions.  However, the managed risk boundary stops at the perimeter firewall.  No formal processes exist to model threats created by connecting to cloud service providers.

Figure 1: Internal Risk Boundary

The path to safe cloud integration is extension of the risk boundary, as shown in Figure 2. The goal is not to see the cloud as something “out there.” Rather, it is just another value-added component attached to the enterprise.  Extending the risk management boundary to encompass all services results in an overall plan for enabling the business.

Figure 2: Expanded Risk Boundary

The gap

Extending the risk boundary isn’t just about asking the same questions. Integrating the cloud requires additional considerations unique to dealing with vendor-providers. The following is a list of challenges I consider when evaluating a cloud services provider:

  • Has an outside entity certified the provider as an organization that effectively manages security (SAS 70, ISO 27001, etc.)?  What internal controls exist?  How do they compare with my internal controls?  What are the gaps, and are the gaps reasonable?
  • What data is involved? Is my organization providing more data than is absolutely necessary? What are the minimum data elements required by the provider and why?
  • Does the provider understand my security expectations? Are these expectations included in the contract? What sanctions are identified if the vendor fails to adhere to security wording in the contract? Does the contract allow me to perform my own periodic audit of how well my data are protected?

This list asks the basic questions. I assume you already protect your data in transit and possess robust and flexible access controls. If not, you might have bigger problems to solve before you look at expanding to the cloud.

The final word

Don’t run from the cloud.  It is not your enemy, and you will be assimilated. The question is not whether you will integrate cloud services.  Rather, it is how well you will manage the associated risk. Is every vendor a good candidate? Absolutely not. But selecting a cloud vendor is similar to selecting any provider of internal software, hardware, or services. Understand your needs, communicate your expectations, and assess the vendor’s compliance. Report your findings to management and, if necessary, work with the vendor to improve controls.

About

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...

1 comment
Ron_007

In the gap analysis, on the third point you ask “Does the provider understand my security expectations? Are these expectations included in the contract?” I would add "Why Not?!" to the second question. I work under the assumption that "a verbal contract is only as good as the paper it is written on". In other words, if it isn't written down in the contract (with quantifiable measurements and requirements AND PENALTIES!), a salesman's promises won't be legally binding and can't be enforced (as I'm sure pretty well everyone has found out to their chagrin).