As cloud adoption increases, concern about traditional security issues is decreasing, placing greater emphasis on risks that result from senior management decisions rather than from cloud service provider responsibilities. Enterprises are maturing in their understanding and use of cloud computing, which makes control plane weaknesses and metastructure or applistructure failures greater risks than service-level vulnerabilities (CSA, 2020). These issues are exacerbated when enterprises have limited cloud visibility.
There are two key challenges to establishing the ability to visualize and analyze whether cloud service use is safe or malicious. The Cloud Security Alliance describes these as unsanctioned app use and sanctioned app misuse. At a high level, the concern behind both challenges is whether the use of cloud resources is in line with corporate policies and how those resources are actually being used, taking into consideration systems governance, user awareness of policies, and security controls (CSA, 2020). Microsoft's Continuous Cloud Optimization dashboard is a good example of addressing this concern, providing a single pane of glass into implemented cloud infrastructure, security, and governance. Regulatory and standards bodies are also working to standardize around these needs with specifications such as ISO 27001, COBIT, and NIST 800-53 (ISACA, 2012), all of which operate around four guiding principles:
- Vision—What is the business vision and who will own the initiative?
- Visibility—What needs to be done and what are the risks?
- Accountability—Who is accountable and to whom?
- Sustainability—How will it be monitored and measured?
By modeling enterprise cloud visibility systems around these four principles, leaders enable:
- Cloud oversight
- Risk ownership
- Knowledge needs
- Access control
- Maturity state
- Compliance
(ISACA, 2012)
Controlling cloud security starts from the top down. A responsible and inclusive culture is necessary to sustain the integrity of enterprise cloud solutions. People, process, and technology all need to be in sync to mitigate risk. Industry standards are helpful in setting guidelines for your enterprise, but standards are of little use if decision makers cannot visualize and analyze the current state of their organization. Establish a framework for evaluating risk and progress through the Vision, Visibility, Accountability, and Sustainability principles to develop viewpoints of your enterprise's needs.
References
Azure. (n.d.). Azure/ccodashboard. Retrieved from https://github.com/Azure/ccodashboard
CSA. (2020). The egregious 11: Top threats to cloud computing. Cloud Security Alliance (CSA). Retrieved from https://cloudsecurityalliance.org/artifacts/top-threats-to-cloud-computing-deep-dive/
ISACA. (2012, September). Cloud risk—10 principles and a framework for assessment. Information Systems Audit and Control Association (ISACA). Retrieved from https://www.isaca.org/resources/isacajournal/past-issues/2012/cloud-risk-10-principles-and-a-framework-for-assessment