Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Member Portal
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Member Portal
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Save the date for CSA's 2024 Cyber Monday Sale: Get 50% off the exam token bundle!

The Lost Art of Visibility, in the World of Clouds

Published 11/20/2024

Home
Industry Insights
The Lost Art of Visibility, in the World of Clouds

Written by Vito Nozza, Softchoice.


“The power of visibility can never be underestimated” Margaret Cho

As many of you have read my past blogs, I like to quote individuals who have had experience in certain subjects. Although the above quote was meant for a different context, it bears true for this conversation. The value in the adoption of cloud-based services has skyrocketed over the last 10 years. The ability for companies to utilize the cloud’s flexible, scalable, and cost-effective computing while cutting down IT costs, consolidates data centers, accelerates growth and enable digital transformation, has an attraction that supersedes the private world.

As companies battle inflation and the rising costs of real estate, are prime reasons that the cloud has accelerated in the post-pandemic hybrid world

With all the cloud’s advantages for better, more agile business so too are the downfalls present in this venture. “My data is now in the cloud, it’s not my responsibility anymore.Security measures are part of my service”. This statement is heard more often than I would like to hear, and it shows that most companies do not have proper visibility into how their data is being collected, utilized, stored or protected.

The following guidelines can help you with some recommendations that should be investigated, to facilitate a cloud journey worthy of a strong security program.


Know where your data is located.

Cloud providers tend to move data around in physical locations to facilitate storage and computing requirements.Also, the ability to backup data in different regions of the US and the world appeals to local threats that could be realized by mother nature.With a very busy hurricane season upon us, it would be wise to have a view into where your data is being housed and the ability to quickly have access, should the need arise.

A second threat that could turn into a risk, are the regulatory and legislative laws that exists on the information that is being housed.If US laws do not allow for data to travel beyond our border, or data is being housed in a region of the world that would cause concern for retrieval; this is best known during contract negotiations prior to accepting your CSP’s services.


Data Privacy and Security, can be achieved in the cloud

Security and privacy are not limited to the data located on premise. It applies to all your data in the cloud, too.

IT leaders must keep cloud data confidential and protect its integrity, ensuring no one can change it. A Data governance and compliance program can help prevent your data from being altered and to keep your data from being compromised. Data should be properly stored, monitored, and encrypted, and your cloud service provider should provide you with the keys to the kingdom so to speak for encrypting.

Cloud providers can house your data, ensure that it remains available to you, but they should not have access to it. Ensure your data is being transferred to the cloud in a secure manner, and when it gets out to the cloud, be sure you’ve locked down who can access that data. Tools have been created specifically for cloud-based transactions and data protection.Consider, application, workload and cloud posture tools, elevating your security posture and integrity.


Assess your risk

Develop a risk management program to understand critical assets and the impact of losing those assets. Determine how much data can be lost before it must be backed up. Know which assets have critical operational requirements and what the controls are required to protect them.The executive leadership and board members approve that security posture. Smart leaders will ensure their cloud partner has the same security posture as they do—if not better.

Remember, the cloud is an extension of your network, so it’s important to prioritize your data and risks. Proper identification and classification of your assets will help build a strong security and privacy program, which you can extend out to both your cloud provider and third parties.


Know your rights with your cloud data.

Not many CSPs will allow you to audit their environment, however, most often provide you with their audit reports to ensure that they're certified by providing industry specific certification for example HIPAA (healthcare) or PCI-DSS (retail). Most likely a good cloud provider will have SOC2/Type2 and/or SSAE-18 attestation audits available for you to view. Some will allow you to audit your slice of the cloud, but never the entire infrastructure. A god recommended action is to prepare and follow a data compliance program that will adhere to regulatory requirements.This can facilitate an understanding between CSP and your company.


Create a program to maintain data integrity

Data is now in the cloud, and employees, contractors, customers, partners and third-party agents have access to it.The development of a Identity access management (IAM) practice is essential. The ability to understand the attack surface and who has access to the entry points into your environment, must be understood.Your goal is to ensure the protect surface and all its assets, are not compromised.These breaches most likely will come from internal sources therefore a proper file integrity management (FIM) system is key to data integrity. Even if your employee has access to the data, what actions are being performed? Are they altering the data? copying it? downloading the information? What were the requirements for such actions? It’s key to understand that all these integrity measures, which should be present with on-prem data practices continue with more scrutiny, when data has been relinquished to the cloud.


Understand relevant privacy regulations

Privacy regulations have been popping up around the world, and they’re all slightly different. You’ll need to ensure your cloud data adheres to the rules that affect your industry and the regional locations of your stored data.

Your cloud providers may have data storage sites all over the world, and they may move your data to secure sites that are in violation of privacy laws. In Europe, for instance, the General Data Protection Regulation (GDPR) requires European customer data to follow certain protocols, ensuring the individuals data privacy. The California Consumer Privacy Act (CCPA) has similar features and allows consumers to have full access to their data and notification of how it is being used. All this can be tricky if information is scattered across various repositories, that violate regulatory requirements “You need to ensure that you’re CSP is providing you the information of where your data is being stored? Which locale, region or country is the data being housed? What are the requirements for the locations that your conduct business?


Create a cloud incident response program

When it comes to an IRP, it’s important to be on the same page as your cloud service provider. When a breach occurs, have you prepared both with internal staff and your CSP on who has responsibility for various actions.Ensure that if data needs to be recovered, that your service level agreement (SLA) states the expected time and data retrieval options.These must all match your company’s internal processes and procedures.

When practicing your IRP over a Tabletop Exercise (TTX), involve all third parties that will be part of the program.Your CSP, should be your closest ally.

In the end, migrating to the cloud can save your organization both money and time. But those benefits disappear if your data isn’t secure, private, and available when you want it to ensure operational continuance of your business.

Ultimately, Confidentiality, Integrity and Availability (CIA) of your DAAS (critical Data, Assets, Applications and Services) should be top on the list when working with a cloud provider.Developing programs such as Zero Trust and Data Loss Prevention is what the Softchoice does.Our rich history of providing clients data and application resources to elevate their business needs, has enabled us to understand data flows and attack vectors that need to be mitigated.

We work with clients (of diverse industries) in developing business continuity, disaster recovery and incident response plans for both on-prem and cloud-based ecosystems

Remember, you should not have to worry if your data is safe, having the proper guidance and programs can lead to successful business outcomes.Now you know and knowing if half the battle.

Cloud Incident ResponseCloud Security Services ManagementData SecurityEnhancing cloud security strategy

Share this content on your favorite social network today!

Core Cloud
Related Resources
Top Threats to Cloud Computing
The eleven salient threats, risks, and vulnerabilities in the cloud.
Certificate of Cloud Security Knowledge (CCSK)
The industry's standard cloud security credential.
Corporate Membership
Gain knowledge and connections in the cloud industry.
Latest from CSA
Register for the Virtual Zero Trust Summit!
Map the Transaction Flows for Zero Trust
Advance AI Risk Management
Enhance your cloud security skills with CSA's online training options.
Related Articles:
Why Application-Specific Passwords are a Security Risk in Google Workspace

Published: 11/19/2024

Top Threat #5 - Third Party Tango: Dancing Around Insecure Resources

Published: 11/18/2024

Group-Based Permissions and IGA Shortcomings in the Cloud

Published: 11/18/2024

9 Tips to Simplify and Improve Unstructured Data Security

Published: 11/18/2024