Cloud Controls Matrix: How to Secure Your Journey to the Cloud
Published 08/25/2023
Originally published by Contino.
Written by Kevin Davies.
If you’re in a highly regulated industry, it can be hard to embrace all the possibilities that cloud computing can offer while still maintaining control of your data assets in the public cloud.
That’s why it’s vital to have security cornerstones in place before you start your cloud journey.
In the UK, commercial organisations have been relatively quick to embrace the rapid flexibility provided by cloud computing, but the public sector has seen slower progress, despite the government introducing the ‘Cloud First’ policy in 2013.
The policy has at least led to a number of departments dabbling in the public cloud, primarily utilising Infrastructure as a Service (IaaS) offerings—allowing them to move away from traditional on-premises or data centre hosting arrangements.
While we’ve already seen many well-reported benefits of this transition to cloud in the sector, including the rapid deployment of the Coronavirus Job Retention Scheme, some still have reservations about whether the public cloud is secure enough for sensitive government data assets.
Cloud computing gives organisations considerable benefits in agility, resilience and cost—especially when it comes to managing their data. Organisations can move quickly, avoiding the need to purchase and provision expensive hardware, but there remains a risk of losing control of where this data resides—you could be a couple of mouse clicks away from moving data halfway across the globe. The result is a greater need for governance, risk and compliance expertise rather than relying solely on IT operations teams for support and oversight.
Governance, compliance, risk management, data visibility, cybersecurity—these are all key to a successful and prosperous future with cloud computing, but how can you make sure you’ve got everything covered?
We recommend starting with our four cloud security best practices, and implementing an appropriate cloud control framework, such as the Cloud Controls Matrix from the Cloud Security Alliance (CSA), which can inform and provide visibility for staff at all levels across departments.
4 Cloud Security Best Practices
- Make sure your organisation fully understands the controls it is responsible for vs the cloud provider. This is typically defined in a shared responsibility model.
- Make use of testing approaches such as chaos engineering to build solutions that are fault tolerant, utilising architecture that copes with unplanned failures.
- Invest in cyber security to embed secure foundations for teams to be able to work smarter rather than harder—providing new challenges and development opportunities to staff, rather than focussing IT resources on mundane and repetitive tasks that can impact on staff retention.
- Follow a cloud controls framework to enable your organisation to understand its current posture and help drive focused improvements and develop capability.
Why Do You Need a Cloud Control Framework?
A cloud control framework enables you to build on the visibility of your cloud environment—giving you the ability to make more informed decisions on appropriate policy, procedures and guidance to support implementation of proportionate security controls. This allows the organisation to protect its assets in the cloud as well as its reputation.
It is a common mistake for organisations to rely on existing policies and procedures and make minor changes and assume they will be fit for purpose in cloud computing—it’s vital therefore to align to an appropriate set of security controls.
About the Author
Kevin Davies is an experienced cyber security professional with over 10 years experience working for a range of public and private sector clients, as well as in retail banking, utilities and law enforcement. He's worked in large public sector organisations where he has been instrumental in securing public cloud platforms that have been developed to host numerous cloud services consumed within the UK today.
Related Articles:
Establishing an Always-Ready State with Continuous Controls Monitoring
Published: 11/21/2024
5 Big Cybersecurity Laws You Need to Know About Ahead of 2025
Published: 11/20/2024
Managing AI Risk: Three Essential Frameworks to Secure Your AI Systems
Published: 11/19/2024