Who's Responsible For Cloud Security?

It’s been seven years since the US Office of Management and Budget mandated that federal agencies adopt a cloud-first policy, yet it’s no surprise this major change is still a work in progress.  

While the cloud brings benefits, security remains a particular area of concern, because it’s not always clear who’s responsible for securing what. Before moving to the cloud, federal CIOs and CISOs should consider the following:

1.Responsibility and accountability: Some organisations may be inclined to think that security automatically becomes the responsibility of the cloud service provider, but it doesn’t. The owner of the data is the responsible party, and agencies that plan to move to the cloud must develop, understand and periodically revisit their service-level agreements and terms-of-service contracts with their CSP. Thomas Trappler, the associate director for IT strategic sourcing at the University of California, recommends that SLAs should:

  • Codify the specific parameters and minimum levels required for each element of the service as well as remedies for failure to meet those requirements.
  • Affirm an institution's ownership of its data stored on the service provider's system and specify the organisation's rights to get it back.
  • Detail the system infrastructure and security standards to be maintained by the service provider along with the organisation's rights to audit CSP compliance.
  • Specify the organisation's rights and costs to continue or discontinue using the service.

2.FedRAMP: Most UD federal organisations moving to the cloud know about the Federal Risk and Authorisation Management Program, which provides a standardised approach to security assessment, authorisation and continuous monitoring for cloud products and services. 

Using a FEDRAMP-certified provider, however, does not mean that the agencies’ data will automatically be secured in the cloud. While the cloud provider may have the infrastructure to support security, most CSPs don’t provide encryption, security or segregation/separation of duties by default. Those often are considered additional services at an additional cost.

3.Public cloud vs. private cloud: Federal agencies must determine whether to move to a public cloud, where a commercial service provider makes resources, such as applications and storage, available clients over the internet, or a hosted private cloud, which offers similar services to a public cloud but is dedicated to a single organisation. 

There are many factors that can influence a CIO’s decision -- budgetary limitations, staff and resource requirements, available physical space, capacity and workloads, to name a few. Two of most important considerations, however, should be data security and resiliency.

With a public cloud, most CSPs typically offer environment isolation in a multitenant hosting facility. Although an agency's data may be heavily firewalled from outside attack and isolated from other tenants' data, there’s still a possibility that it might become vulnerable. In fact, many IT professionals would argue that the risk of a breach goes up with public cloud. 

Major public cloud provider may have more tenured and technically trained cyber cloud experts, more monitoring and cyber defense tools and greater security guarantees, but they also are bigger targets than many smaller CSPs. The size of the cloud provider, how publicly known it is, the value of its hosted data and the likelihood of being targeted by cyber adversaries are all factors that agencies should consider when choosing between private and public cloud.

Private cloud can be a better choice for agencies that have the long-term funding to support it. Some may be able to afford the initial purchase of the hardware needed for a hosted private cloud, but the costs associated with hardware refreshes, physical security and hiring or retraining staff may limit agencies with smaller cloud budgets to a public cloud offering.

4.Security authorisation: One of the biggest challenges for agencies using cloud-based solutions is understanding what it means to conduct assessment and authorisation, formerly known as certification and accreditation, on a system whose boundaries and assets are in the cloud. Because of the complexities of a cloud environment, agencies should consider leveraging automation as a means of maintaining compliance. 

Automation can significantly reduce errors, but automating compliance takes significant investment. Agencies considering compliance automation should start with automating smaller components, such as security alert systems, then move on to other areas that will benefit from automation.

Authorisation is really about ensuring that legitimate users on an agency's network has access to the data, applications and systems that are relevant to their jobs and roles and making sure that those who aren’t authorized to be on the network stay off of it. 

Because cloud resources can be accessed from anywhere with an internet connection, there’s an increased opportunity for cyber adversaries to gain access to agency data. 

To combat those threats and improve security in the cloud, many cloud providers will offer compliance as a service, but it’s important to understand not only the required standards and regulatory requirements, but exactly what CaaS means.

It’s easy to get excited about the benefits of moving to the cloud, but agencies must really understand the cyber implications. It can be tempting for CIOs and CISOs to think that someone else is responsible for their organisation’s data once it’s in the cloud, but the truth is that the CIO and CISO are responsible for holding the CSP accountable for protecting that data.

GCN.com:

You Might Also Read:

Multicloud - The Next Step In Cloud Computing:

In The House Or In The Cloud: Which Is More Secure?:

 

 

« Cyber Monday 2017 UK Deals
The US National Security Agency Is On The Ropes »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Palo Alto Networks

Palo Alto Networks

Palo Alto Networks, the global cybersecurity leader, is shaping the cloud-centric future with technology that is transforming the way people and organizations operate.

Ministry of Defence Georgia - Cyber Security Bureau

Ministry of Defence Georgia - Cyber Security Bureau

The aim of the Cyber Security Bureau is to establish and develop stable, effective and secure Information and Communication Technology systems for the Civil Office of MoD of Georgia.

PhishLine

PhishLine

PhishLine helps Information Security Professionals meet and overcome the increasing challenges associated with social engineering and phishing.

CSIS Security Group

CSIS Security Group

CSIS provide actionable threat intelligence, prevention, incident response and 24/7 managed security services.

Yokogawa Electric

Yokogawa Electric

Yokogawa is an electrical engineering company providing measurement, control, and information technologies including industrial cyber security.

VisionWare

VisionWare

VisionWare provide consulting services and solutions in areas covering both physical and digital security.

Protergo Cyber Security

Protergo Cyber Security

Protergo Cyber Security is the first integrated provider of cybersecurity solutions in Indonesia. We proactively protect our clients from cyber threats.

ENAC

ENAC

ENAC is the national accreditation body for Spain. The directory of members provides details of organisations offering certification services for ISO 27001.

Dualog

Dualog

Dualog provides a maritime digital platform which ensures that services work reliably and securely onboard.

Sec-Ops

Sec-Ops

Sec-Ops is a forward thinking cyber security company, formed by a group of security enthusiasts with years of experience and backgrounds in the technology and the government industries.

Encova Insurance

Encova Insurance

Encova’s cyber liability coverage protects you and your customers in case of a security breach in your company's data.

Chainguard

Chainguard

Founded by the industry's leading experts on open source software, security and cloud native development, Chainguard are on a mission to make the software supply chain secure by default.

Xoriant

Xoriant

Xoriant is a technology leader and execution partner throughout the Build, Run and Transform lifecycle for companies that create and use technology products.

Chestnut Hill Technologies (CHT)

Chestnut Hill Technologies (CHT)

CHT provide Best Practices IT Cybersecurity and Technology Solutions and Consulting Support to the Mid Cap through Fortune 1000 Nationwide.

MIS Solutions

MIS Solutions

MIS Solutions is a managed cloud and IT security partner making technology work for you.

Walacor

Walacor

Walacor’s secure data platform represents the next generation of secure data and blockchain storage with a trust-first approach that revolutionizes enterprise data, and database management systems.