The Shared Burden of Cloud Data Security & Compliance
Blog Article Published: 10/01/2014
By Gerry Grealish, Chief Marketing Officer, Perspecsys

Data security remains a top concern for enterprises deploying popular cloud applications. While most will instinctively think of cloud data security and compliance as being handled only by IT departments, many enterprises are realizing that all aspects of security – from selecting a cloud service provider (CSP) to monitoring cloud use over time – require involvement across the organization.

Cloud Data Security & Compliance Begins with Vetting Providers

There are key areas of due diligence for an enterprise depending on its industry, but all share common security requirements when selecting a CSP. Perhaps, as TechTarget recently suggested, FedRAMP standards will regulate security outside the government as well, but for now enterprises must have their own standards for evaluating a CSP. An excellent existing resource is the Security, Trust and Assurance Registry (STAR) Program supported by the Cloud Security Alliance (CSA). This public registry brings together a comprehensive set of resources for establishing trust in a CSP. The CSA's Cloud Controls Matrix (CCM) provides a framework of cloud security standards, and its Consensus Assessments Initiative Questionnaire (CAIQ) offers the questions an enterprise should ask any CSP under consideration. CSPs should also be able to provide details on any third-party security certifications they have obtained, for example ISO/IEC 27001, the standard for information security management systems (ISMS). Questions for the CSP frequently begin with specifics on the strategies used, such as encryption for data protection and multifactor user authentication for cloud access. It is also important to know who will have access to the data, how often audits are conducted, what security incidents, if any, have occurred in the past and, if there has been an incident, how cloud customers were notified and how quickly.
Having representation from across the enterprise involved in vetting a CSP is critical: not only IT, but also Security, Data Privacy & Governance and End Users can help ensure that all relevant questions are answered and that the necessary security protocols are implemented. The standard language used in the FedRAMP contract example is one place to start for any enterprise signing on with a new CSP.

Internal Security Standards

Security and compliance for sensitive corporate data going to the cloud falls primarily on the enterprise itself. Despite any guarantees in contracts with CSPs, when a security breach occurs it is the enterprise that experiences the consequences, and many would say it holds the greatest interest in minimizing the damage to itself and/or its customers. If there is a security incident, clients and customers will certainly look to the enterprise itself to protect their data. Internal security standards begin with adherence to well-defined protocols and security strategies established and agreed to by, again, not just IT but representatives from Legal, Security, Governance and End Users. Questions to be answered include what data will actually be allowed to leave the physical premises of the enterprise, and in what form. Industry and regulatory penalties compel most industries to have clear security standards in place. In some cases, security incidents have brought class-action lawsuits against the enterprise. Strict internal security standards are one way to further protect the enterprise and its customers from going down that route.

Employee Buy-In is Key

With the proliferation of mobile computing and bring your own device (BYOD), it is essential that employees are brought in to participate in, understand and agree to the security policies established for the enterprise.
This includes employees throughout the organization; the time, resources or money it takes to establish this buy-in through training, policy communication and proper monitoring or support is well worth it compared with the damage organizations experience from careless BYOD policies.

Security Strategies - Encryption and Tokenization

Encryption and tokenization are two data security methods that many enterprises are using to strengthen their cloud security strategy while maintaining control of their cloud data. Both methods can be used to safeguard sensitive information on public networks, on the Internet and on mobile devices. These powerful and interoperable solutions are also being used by leading organizations to ensure compliance with sector-specific requirements such as HIPAA, PCI DSS, GLBA and CJIS. While hacking and data attacks continue to occur, an enterprise with proven security strategies in place minimizes the impact on itself and its customers. An enterprise in which security responsibility is held not just by IT but by other departments as well, including end users, puts itself in the best possible position to avoid major data breaches and to be prepared to deal with one should it occur. See this infographic on how to respond to a cloud security breach, should one occur.

About the Author

Gerry Grealish is the Chief Marketing Officer at Perspecsys and is responsible for defining and executing the marketing and product vision. Previously, Gerry ran Product Marketing for the TNS Payments Division, helping create and execute the marketing and product strategy for its payment gateway and tokenization/encryption security solutions.
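The Security Strategies section above names tokenization as a way for the enterprise to keep control of its cloud data. The following Python is an added example, not code from the article or from Perspecsys, showing the mechanism in miniature: a token vault that stays on the enterprise side substitutes random, format-preserving tokens for sensitive fields before a record is sent to a cloud application, and reverses the substitution only for authorized lookups against the vault. The record, the field policy and the class and function names are all constructed for this illustration.

```python
"""Vault-based tokenization for records leaving the enterprise (added example)."""
import secrets
import string


class TokenVault:
    """Maps sensitive values to random tokens and back.

    The vault is the only place the clear value exists. A token carries no
    information about the value it replaces (it is random, not derived),
    so a copy of the cloud-side record alone reveals nothing.
    """

    def __init__(self):
        self._by_value = {}   # clear value -> token
        self._by_token = {}   # token -> clear value

    @staticmethod
    def _random_same_class(ch):
        # Keep the character class so length and digit/letter checks in the
        # cloud application still pass; separators such as '-' are kept.
        if ch.isdigit():
            return secrets.choice(string.digits)
        if ch.isalpha() and ch.isupper():
            return secrets.choice(string.ascii_uppercase)
        if ch.isalpha():
            return secrets.choice(string.ascii_lowercase)
        return ch

    def _make_token(self, value, keep_last):
        # keep_last trailing characters stay in the clear (e.g. last four of
        # a card number for display); everything before them is randomized.
        cut = len(value) - keep_last
        body, tail = value[:cut], value[cut:]
        return "".join(self._random_same_class(c) for c in body) + tail

    def tokenize(self, value, keep_last=0):
        """Return the token for value, creating one on first use.

        Mapping is consistent: the same value always yields the same token,
        so the cloud application can still match and sort on the field.
        """
        if not 0 <= keep_last < len(value):
            raise ValueError("keep_last must be shorter than the value")
        if not any(c.isalnum() for c in value[:len(value) - keep_last]):
            raise ValueError("no alphanumeric characters to randomize")
        if value in self._by_value:
            return self._by_value[value]
        for _ in range(100):
            token = self._make_token(value, keep_last)
            if token != value and token not in self._by_token:
                self._by_value[value] = token
                self._by_token[token] = value
                return token
        raise RuntimeError("could not generate a unique token")

    def detokenize(self, token):
        """Authorized reverse lookup; unknown tokens raise KeyError."""
        return self._by_token[token]

    def holds(self, value):
        """True if value is a clear value stored in the vault."""
        return value in self._by_value


def tokenize_record(vault, record, policy):
    """policy maps field name -> trailing characters to leave in the clear."""
    out = dict(record)
    for field, keep_last in policy.items():
        if field in out:
            out[field] = vault.tokenize(out[field], keep_last)
    return out


def detokenize_record(vault, record, policy):
    out = dict(record)
    for field in policy:
        if field in out:
            out[field] = vault.detokenize(out[field])
    return out


def leaks_clear_data(vault, record):
    """Outbound check: does any vaulted clear value still appear in the record?"""
    return any(vault.holds(v) for v in record.values())


# Constructed sample record; the PAN is a well-known test number, not real data.
SAMPLE_RECORD = {
    "name": "A. Example",
    "pan": "4111111111111111",
    "ssn": "123-45-6789",
    "note": "Prefers email contact",
}
POLICY = {"pan": 4, "ssn": 0}   # hypothetical field policy for this record


def demo():
    vault = TokenVault()
    cloud_copy = tokenize_record(vault, SAMPLE_RECORD, POLICY)
    restored = detokenize_record(vault, cloud_copy, POLICY)
    return vault, cloud_copy, restored


if __name__ == "__main__":
    vault, cloud_copy, restored = demo()
    print("sent to cloud:", cloud_copy)
    print("round trip ok:", restored == SAMPLE_RECORD)
```

The design choice worth noting is consistent tokenization: a given value always receives the same token, which keeps equality matching and reporting working in the cloud application without exposing the value, at the cost that repeated values are visible as repeated tokens. The `leaks_clear_data` check stands in for the outbound policy gate the article's internal standards section describes, confirming that nothing the vault protects leaves in the clear.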