Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

Cloud Security Requires All Hands on Deck

Home
Industry Insights
Cloud Security Requires All Hands on Deck

Blog Article Published: 04/12/2012

Andrew Wild, CSO at Qualys, discusses how security postures and attitudes need to change as more and more IT functionality moves to the cloud

It’s clear there are many compelling reasons, both financial and productivity-related, for enterprises to move IT functionality into the cloud, so it’s not surprising that they’re moving quickly to adopt popular collaboration services like Box.net, Yammer, Jive, and the like. According to a recent study by business technology service provider Avanade, 74 percent of enterprises are using cloud computing, a 25 percent increase over results for the same survey in September 2009. Of those organizations yet to adopt cloud services, three-quarters say cloud is in their future plans. The migration of IT functionality into the cloud magnifies the importance of ensuring users understand how to use these services most productively and securely, especially since security for cloud services is typically implemented by the cloud service provider and the enterprise has limited control over that security while retaining legal responsibility for regulatory compliance.

Understanding Controls

The use of cloud services brings many advantages to the enterprise, but it’s vital that everyone involved understand how the differences between cloud and traditional enterprise IT services impact information security. Most organizations have defined security policies that provide administrative guidance for users about how to use IT services securely, as well as the responsibility of all users to safeguard privileged information. In addition to these administrative security controls, enterprises typically implement technical controls that detect, or in some cases prevent violations of those policies. Examples of these technical security controls include data loss prevention (DLP) technologies, firewalls, and email security appliances among others. These technical controls are often used to prevent disclosure (both malicious and unintentional) of sensitive information.

The effectiveness of these controls is generally acceptable for on-premise security, but for cloud-based IT, they bring little or no benefit, because they’re designed to function inside the enterprise IT infrastructure. Technical security controls for cloud IT services are designed, implemented and managed by the cloud provider. The specific technical security controls implemented by cloud vendors vary by provider, but in general, enterprise IT and Security staff have significantly less visibility into or control over them than a comparable in-house deployment.

Embracing Constant Change without Sacrificing Security

Cloud-based IT services typically provide a feature-rich, highly interactive experience for end users. Because of the deployment model, cloud service providers can introduce new functionality and service enhancements frequently and rapidly, usually with no involvement from the organization’s IT or security team. This dynamic and rapidly evolving environment is challenging for both end users and organizational IT and security staff. End users may find it difficult to keep up with all of the new functionality, and may not be able to make full use of the features, leading to less than optimal productivity, while IT and security staff will not usually have sufficient time to assess the possible impact of the new functionality on the security of the organization.

Security Awareness and End User Training: More Important than Ever

These factors combined require an altered approach to end-user education across the enterprise. Now more than ever, every person who accesses company information must play an active role in ensuring the security of an organization’s information. Enterprises must fully educate their employees about those responsibilities to ensure the security of organization’s information, as well as how to use the cloud IT services securely. This is particularly true now that many employees are accessing corporate networks from personal devices such as smartphones and tablet computers; a recent study by Cisco Systems found that a majority of individuals believe they are not responsible for protecting information accessed through devices[1]

Here are some ideas to begin implementing security awareness and IT training programs that ensure security in the face of the disruptive nature of cloud-based IT:

  1. Establish clear IT objectives for each cloud-based IT service that you select. Understanding how you expect the particular cloud based IT service to be used is essential in order to evaluate the possible risks the service may pose to your organization. You can’t always avoid the risk, but by educating your end users as to the security risks and appropriate use of the service will go a long way towards minimizing that risk.
  2. Ensure end users understand their responsibilities. Make sure that end users fully understand their role in securing the organization’s information. Far too often, employees believe that security is solely the purview of the IT security team, rather than a responsibility of every employee. Your organization’s culture should reflect that global responsibility, so all employees understand the critical role they play, and IT security staff are seen as shepherds and helpers rather than guards and enforcers.
  3. Ensure that your information security program encourages end user participation. In the rapidly changing world of cloud-based IT services, it is very likely that end users will learn of new features and capabilities before your IT and security staff does. You can take advantage of this - involved end users are more likely to provide feedback to the organization about how new features may introduce risk. This kind of feedback from end users is critical to the participatory process, enabling IT security staff to adapt awareness training and security controls as appropriate to minimize the risks.

A Plea to Cloud IT Service Providers

Enterprise IT security staff understands the differences between cloud and on-premise IT services. So it’s very clear to them that most cloud IT service providers do not provide the enterprise sufficient transparency in the implementation and ongoing management of security controls.

Cloud service providers must continue to work to improve the visibility they provide to their enterprise customers to ensure the proper implementation of technical security controls. While the responsibility for implementing the technical security controls shifts to the cloud provider in a cloud-based IT service model, the responsibility for securing the enterprise’s data still belongs to the enterprise security team. Cloud providers must enable the enterprise to integrate the security of cloud-based IT services with enterprise managed IT services. The ability to integrate with existing enterprise processes is critical for the enterprise to meet compliance requirements by leveraging existing security resources while adopting cloud-based IT services.

A few examples of the ways in which transparency can be improved include:

  1. Federated identity services, allowing the enterprise to own the management of its user identities. Giving the Enterprise the ability to manage its own identities allows the enterprise to leverage the existing user account provisioning and de-provisioning processes and controls.
  2. Access to event logging for the purpose of auditing user activity. Providing the enterprise with detailed event logging information, especially in regard to user activity, allows the enterprise to leverage existing event management processes and controls.
  3. Configurable options at the organization level to manage the sharing of information. Allowing the enterprise to configure how information is shared on the cloud based IT service enables the enterprise to ensure consistency with its enterprise information classification and handling processes.

Enterprise security professionals understand that cloud-based IT services are still maturing; cloud IT service providers should not forget that a lack of progress towards improved transparency will eventually impede the adoption of their services.


Share this content on your favorite social network today!

Latest from CSA
Join AT&T Cybersecurity in Chicago
The State of AI and Security Survey Report
CSA's STAR: The Key to Cloud Security & Compliance
Trending This Week
#1 The 5 SOC 2 Trust Services Criteria Explained
#2 What You Need to Know About the Daixin Team Ransomware Group
#3 Mitigating Security Risks in Retrieval Augmented Generation (RAG) LLM Applications
#4 Cybersecurity 101: 10 Types of Cyber Attacks to Know
#5 Detecting and Mitigating NTLM Relay Attacks Targeting Microsoft Domain Controllers
Enhance your cloud security skills with CSA's online training options.