IT has the ability to
deliver almost anything that you can think of, and here is the latest entrant -
The Clouds, which is now a phrase du jour in the IT coliseum already. Clouds are
on the rise and so are the organizations looking ahead to capture clouds for
their business practices.
Cloud Computing has
changed the approach such that a cloud – user now only requires a browser for
access to the company’s network. And this raises risks and compliance concerns.
Being a part of GRC,
we know what matters to organizations most and here, it is their corporate data
which they may put on off-premise servers. So are the clouds safe? What are the
risks involved? Will the data (kept off – shore) still sync with their company's
internal compliance mandates?
Being in the GRC
domain, I had serious question in front of myself – are clouds secured and safe
and what should they do to adhere with IT security norms. How can they be
well-equipped to address any IT security concern raised as any organization
would want clouds to be safe before putting their enterprise data on-board?
With the current
economic scenario, businesses, especially mid-size, may feel the need for cost
reduction and look forward to this technology to source some or all of their
computing services into the cloud; but what may hold them back are the security
concerns. To pass the risk and compliance test, they would need to address the
following concern that comes with clouds not only for IT auditors but also for
themselves. A lack of robust methodology of identifying risk areas and being
compliant may derail the complete concept of clouds.
First, we discuss the
various planks which can be of major concerns to the data owners:
· SaaS, PaaS and
IaaS: Cloud providers use
Software as a Service (SaaS) or Platform as a Service (PaaS i.e. providing a
platform to build software applications to cloud - users) or Infrastructure as a
Service (IaaS like servers) to deliver a single application through the browser
serving multiple clients.
· Use of web services:
Use of web services
like search engines, web portals, etc.
· Use of Utility
Computing in Clouds: Utility computing
i.e. utilization of services and computing resources, such as virtual Data
Centers.
Risks
Involved
· SaaS, PaaS and IaaS:
The risk of using
Saas, PaaS or IaaS is that all these platforms raise issues of identifying user
accounts (duplicate user accounts) and their roles and rights, misalignment of
data. In short, concerns of authorization and authentication.
Here, the onus of data security lies not only on the data owners, but also
majorly on the cloud providers (Cloud Service Providers), as the data is stored
on any third – party software, storage blocks or platform based clouds.
· Use of web –
services: Use of web services
in the clouds is crucial to IT security as traditional vulnerabilities like
virus, spywares are always of concern. Apart from the traditional villains
resting on the web, it is security of the enterprise data to be transmitted to
these web services is also under scanner.
· Use of Utility
Computing in Clouds: Utility computing
raises a high level of security concern as mission critical data of
organizations are under scrutiny. The access to crucial and critical IT
environments such Data Centers has always been of high concern to organizations.
The fear of clouds growing dark rises, as we are actually looking into the
prospects of a ‘virtual Data Center’.
Compliance
practices to tackle the risks
Addressing risk and
compliance aspects is fundamental for clouds to grow. This is important as no
GRC umbrella over an organization’s cloud cluster would mean a complete
degradation of their enterprise data and their business practice. The best practices to
tackle the mentioned risks are suggested below:
· SaaS, PaaS and IaaS:
Organizations need to
focus on data security which becomes highly important as the clouds reside on
storage blocks, software or platforms. User accounts and their roles and rights
are absolutely crucial as well as their authorization and validation must be of
primary focus to the organizations.Organizations / data
owners here would also require robust cloud-based third party policies, rather
than just the orthodox enterprise third party-based policies for the service
providers who own the clouds (as the data now no more rest in their environment
or facility).
· Use of web services:
Filtering (URL
filtering) on what is to be viewed on the basis of User roles is an effective
measure while using web services on the clouds. This ensures that each cloud
users access what is actually necessary for their role. This takes care of
access to attractive but distracting information / services, which gives an easy
en-route to traditional intruders. In case web security
is outsourced to a third - party, SLAs / KPIs and related policies must just not
only focus on web-security and filtering concerns, but must also focus on the
services to curb and prevent data loss. Here, the
responsibility of these measures lies primarily with the organizations, who own
the data, because it’s just not their data residing on the clouds, they actually
share a room out there! What is notably
important here is to realize the guidelines and policies that need to be built
around these risks and consistently keep a check on them.
· Use of Utility
Computing in Clouds: To overcome security
concerns related to the utilities like virtual Data Centers, it is highly
recommended to locate and highlight low, medium and high-level of security
concerns and risks in-depth. The policies,
authorization and access to Data Centers must not only highlight but also
address the risk areas and concerns that have been analyzed. The back-up and
restoration methodologies adopted are of high significance too, because the Data
Centers in the clouds are just not located off-shore, but are virtual as well.
So, if
organizations do not want the clouds to grow dark, it is important to primarily
focus on the below aspects:
· Policy management and
audit capabilities for themselves and cloud-providers
· IT security controls
and the ability to transport and archive enterprise data
· Addressing poor
visibility into risk exposure properly
· Avoiding lack of
alignment from not having risk and compliance processes embedded within the
business
Best practices ensure
that the organizations; their corporate and enterprise data remain on cloud
nine. Clouds are always pleasant to watch and GRC is all about ensuring they
don’t grow dark. We won’t.
No comments:
Post a Comment