Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

Cloud Security: An Oxymoron?

Home
Industry Insights
Cloud Security: An Oxymoron?

Blog Article Published: 11/29/2011

Written by Torsten George, Vice President of Worldwide Marketing at Agiliance

Cloud computing represents today's big innovation trend in the information technology (IT) space. Because it allows organizations to deploy quickly, move swiftly, and share resources, cloud computing is rapidly replacing conventional in-house facilities at organizations of all sizes.

However, the 2012 Global State of Information Security Survey, which was conducted by PwC US in conjunction with CIO and CSO magazines among more than 9,600 security executives from 138 countries, reveals that uncertainty about the ability of cloud service providers' security policies is still a major inhibitor to cloud computing. More than 30 percent of respondents identified their company’s uncertain ability to enforce their cloud providers’ security policies as the greatest security threat from cloud computing. With this in mind, is cloud security even achievable or just an oxymoron?

In their eagerness to adopt cloud platforms and applications, organizations are neglecting to recognize and address the compliance and security risks that come with implementation. Often the ease of getting a business into the cloud – a credit card and a few keystrokes is all that is required – combined with service level agreements provides a false sense of security.

However, shortcomings in the cloud providers’ security strategy can trickle down to the organizations that leverage their services. Damages can range from pure power outages impacting business performance, data loss, unauthorized disclosure, data destruction, copyright infringement, to brand reputational loss.

Cloud Computing Vs. Cloud Security

A naturally risk-adverse group, IT professionals are facing a strong executive push to harness the obvious advantages of the cloud (greater mobility, flexibility, and savings), while continuing to protect their organization against new threats that appear as a result.

For organizations planning to transition their IT environment to the cloud, it is imperative to be cognizant of often overlooked issues such as loss of control and lack of transparency. Cloud providers may have service level agreements in place, but security provisions, the physical location of data, and other vital details may not be well-defined. This leaves organizations in a bind, as they must also meet contractual agreements and regulatory requirements for securing data and comply with countless breach notification and data protection laws.

Whether organizations plan usage of public clouds, which promise an even higher return on investment, or private clouds, better security and compliance is needed. To address this challenge, organizations should institute policies and controls that match their pre-cloud requirements. At the end, why would you apply less stringent requirements to a third-party IT environment than your own – especially if it potentially impacts your performance and valuation?

Most recent cyber attacks and associated data breaches of Google and Epsilon (a leading marketing services firm) are prime examples of why organizations need to think about an advanced risk and compliance plan that includes their third-party managed cloud environment.

Enabling Cloud Security

With most organizations beyond debating whether or not to embrace the cloud model, IT professionals should now re-focus their resources on managing the move to the cloud so that the risks are mitigated appropriately.

When transitioning your IT infrastructure to a cloud environment you have to find ways to determine how to trust your cloud provider with your sensitive data. Practically speaking, you need the ability to assess security standards, trust security implementations, and prove infrastructure compliance to auditors.

As part of a Cloud Readiness Assessment, organizations should evaluate potential cloud service models and providers. Organizations should insist that the cloud service providers grant visibility into security processes and controls to ensure confidentiality, integrity, and availability of data. It is important not only to rely on certifications (e.g., SAS 70), but more importantly document security practices (e.g., assessment of threat and vulnerability management capabilities, continuous monitoring, business continuity plan), compliance posture, and ability to generate dynamic and detailed compliance reports that can be used by the provider, auditors, and an organization’s internal resources.

Considering that many organizations deal with a heterogeneous cloud eco-system, comprised of infrastructure service providers, cloud software providers (e.g., cloud management, data, compute, file storage, and virtualization), and platform services (e.g., business intelligence, integration, development and testing, as well as database), it is often challenging to gather the above mentioned information in a manual fashion. Thus, automation of the vendor risk assessment might be a viable option.

Following the guidelines developed by the Cloud Security Alliance, a non-profit organization formed to promote the use of best practices for providing security assurance within cloud computing, organizations should not stop with the initial Cloud Risk Assessment, but continuously monitor the cloud operations to evaluate the associated risks.

A portion of the cost savings obtained by moving to the cloud should be invested into increasing the scrutiny of the security qualifications of an organization’s cloud service provider, particularly as it relates to security controls, and ongoing detailed assessments and audits to ensure continuous compliance.

If at all possible and accepted by the cloud service provider, organizations should consider leveraging monitoring services or security risk management software that achieves

  • Continuous compliance monitoring.
  • Segregation and virtualization provisioning management.
  • Automation of CIS benchmarks and secure configuration management integrations with security tools such as VMware vShield, McAfee ePO, and NetIQ SCM.
  • Threat management with automated data feeds from zero-day vendors such as VeriSign and the National Vulnerability Database (NVD), as well as virtualized vulnerability integrations with companies such as eEye Retina and Tenable Nessus.

Automated technology, which allows a risk-based approach and continuous monitoring for compliance would be suitable for organizations seeking to protect and manage their data in the cloud.

Many cloud service providers might be opposed to such measures, but the increasing number of cyber security attacks and associated data breaches are offering great incentives to offer these capabilities to their clients not only as a sign of establishing trust, but also as a competitive advantage.

Share this content on your favorite social network today!

Latest from CSA
AI Summit at RSAC 2024
The State of AI and Security Survey Report
Data Resiliency Survey 2024
Trending This Week
#1 What is the Cloud Controls Matrix (CCM)?
#2 Zero Trust and AI: Better Together
#3 Test Accounts: Another Compliance Risk
#4 AI Safety vs. AI Security: Navigating the Commonality and Differences
#5 Is PQC Broken Already? Implications of the Successful Break of a NIST Finalist
Enhance your cloud security skills with CSA's online training options.