Adapting Security Policies to Fit the Cloud Computing Era

By Roger Hale

The Cloud Computing Era has been shaking things up since it began. And unlike Moore’s law, the pace has been fast and furious and, more importantly, unpredictable. The advent of hybrid cloud computing, giving companies the ability to decide what they do in the cloud and what they keep on-premises, has helped accelerate the adoption of cloud computing.

Think about it: For decades, a company’s data was housed in a data center in a specific location. Companies wrote security policies that focused on protecting assets under their physical control, and policies laid out rules about how, when or if that data could be accessed. These policies stayed in place and may have been reviewed once a year.

Fast forward to 2017. Data is now more valuable – and more portable – than ever. Couple that with the fact that businesses today rely on real-time data to make critical decisions at the speed of modern business, yet have less direct control over where that data travels and who handles it along the way. In addition, employees throughout organizations are accessing data and using tools to conduct self-service analytics. All of these things demonstrate why putting data into the cloud changes the way data must be protected.

How can companies respond to this new set of challenges? They can start by rewriting their security policies to embrace this new world where data is portable and worth its weight in gold. Companies need to spend less time building virtual walls around physical structures and more time implementing plans that incorporate a blend of risk management, data governance, and third-party oversight.

A risk management approach
If your company puts large chunks of its data in the cloud, you need to fully understand the risks you face and set up a plan to manage those risks. Criminals are eager to get hold of your data, and they’re getting more and more creative with their tactics. They’re not just trying to get into your own internal network; they’re exploiting the holes in your extended services network, which includes suppliers, customers, partners, and other assorted third parties.

For a good example of risk management and third-party risk management, look back at the Target breach of 2013. That breach exposed information from 41 million user accounts, costing the retailer $18.5 million in settlement costs. It was triggered when thieves hacked an HVAC contractor and stole its credentials to Target’s network.

This underscores the importance of creating a sound risk management plan. Companies need to look at where their data will reside and at who, including third parties, has access to it. They need to build their security policies not only to ensure that their own networks are reinforced, but also to hold third and fourth parties responsible for maintaining a comparable level of security in their own networks.

Adopting a risk management approach for cloud security extends beyond just developing the additional policies. Once your company has implemented the additional policies and controls based on its business vertical, additional processes are also needed to validate continued compliance. You need to be able to track, monitor and validate the security posture of disparate internal and external partners and vendors. Don’t fall back on the historical practice of trying to enforce your own security procedures on them; instead, look to how you can monitor and validate your third- and fourth-party service providers. Make sure they adhere to their own security policies, which you have assessed as meeting or exceeding your own standards. You need to be able not only to validate that your partners, vendors, customers, and other connections are compliant, but also to attest to the efficacy of that compliance to your customers, including the management of mitigation, remediation, incident response, and breach notification.

Here are six moves companies can make now to adapt their security policies to the growing use of data in the cloud.

• Do a risk assessment – This is the first step in developing a whole risk management approach to cloud. You need to understand how you’re using the cloud and what functions you’re still running in your data center. Make a detailed report about the third parties you do business with and make sure they’re meeting your standards for data protection.

• Implement third- and fourth-party risk management – This is no place to skimp. Make sure your sub-service vendors and service delivery partners also have mature cybersecurity programs that meet and exceed your own. And regularly review their current compliance to their own security programs.

• Strengthen your encryption controls – In the old world, you could allow unencrypted communication within your network. You relied on your own network security to keep the bad actors out. Now, with cloud computing, you need to be sure you have encryption at rest and encryption in transit. What encryption methodology are you using, and how do you make sure it hasn’t been broken? You have to assure that protection wherever the data resides.

• Broaden your incident response plans – One of the big changes driven by the cloud has to do with companies’ responses to security incidents. The common wisdom today is that CIOs don’t get fired for allowing a breach – they get fired for their responses to the breach. You need to have a plan in place and specific playbooks to follow. This also applies to situations where a customer gets breached.

• Take another look at your cyber insurance – With data in the cloud, you’ll have new decisions to make based on the liability you hold and the cyber insurance you need to protect the company in the event of a breach. Do you have a set of controls that just covers the cost of the investigation? Do you understand the quantification of the impact of remediating the attack and getting back to business? And are you bracing for lost revenues?

• Find your data – Data classification and data handling policies are not effective if you don’t know where your critical data is, and who is handling that data. Data governance is now a core function of data protection.
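The six moves above can be expressed as a policy-as-code check run over a data inventory. The following is an added example, not code from the original article or from Informatica: it evaluates a constructed inventory of data stores against the controls the list calls for (classification and an accountable owner for "find your data", encryption at rest and TLS-only transport for "encryption controls", and a current assessment of every third- and fourth-party handler for "third- and fourth-party risk management"). The field names, the approved TLS versions, and the 365-day assessment cadence are assumptions chosen for the example.

```python
"""Policy-as-code check for a cloud data inventory (added example, constructed data)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

MAX_ASSESSMENT_AGE_DAYS = 365          # assumed review cadence for vendor assessments
APPROVED_TLS = {"TLSv1.2", "TLSv1.3"}  # assumed minimum transport protocols the policy accepts


@dataclass
class Vendor:
    name: str
    tier: int                            # 3 = third party, 4 = fourth party (a vendor's vendor)
    last_assessed: Optional[date]        # None means the vendor has never been assessed


@dataclass
class DataStore:
    name: str
    classification: Optional[str]        # e.g. "public", "internal", "confidential"
    owner: Optional[str]                 # accountable business owner
    location: str                        # "on-prem" or a cloud provider/region label
    encrypted_at_rest: bool
    min_tls_version: Optional[str]       # None means plaintext transport is allowed
    handlers: List[Vendor] = field(default_factory=list)


def check_store(store: DataStore, today: date) -> List[str]:
    """Return the policy findings for one data store; an empty list means compliant."""
    findings = []
    if not store.classification:
        findings.append(f"{store.name}: no data classification")
    if not store.owner:
        findings.append(f"{store.name}: no accountable owner")
    if not store.encrypted_at_rest:
        findings.append(f"{store.name}: not encrypted at rest")
    if store.min_tls_version not in APPROVED_TLS:
        transport = store.min_tls_version or "plaintext"
        findings.append(f"{store.name}: transport is {transport}, TLS 1.2+ required")
    # Third- and fourth-party handlers must have a current assessment on file.
    for vendor in store.handlers:
        if vendor.last_assessed is None:
            findings.append(f"{store.name}: {vendor.name} (tier {vendor.tier}) never assessed")
        elif (today - vendor.last_assessed).days > MAX_ASSESSMENT_AGE_DAYS:
            findings.append(
                f"{store.name}: {vendor.name} (tier {vendor.tier}) assessment stale "
                f"(last assessed {vendor.last_assessed})"
            )
    return findings


def assess_inventory(stores: List[DataStore], today: date) -> Dict[str, List[str]]:
    """Map each store name to its findings so the result can feed a report or a ticket queue."""
    return {store.name: check_store(store, today) for store in stores}


# Constructed sample inventory: one compliant store, one legacy store, one partially compliant store.
TODAY = date(2017, 6, 1)
SAMPLE_INVENTORY = [
    DataStore("crm-db", "confidential", "sales-ops", "cloud:us-east-1", True, "TLSv1.2",
              handlers=[Vendor("analytics-saas", 3, date(2017, 1, 15))]),
    DataStore("legacy-file-share", None, "it", "on-prem", False, None,
              handlers=[Vendor("hvac-contractor", 3, None)]),
    DataStore("marketing-bucket", "internal", "marketing", "cloud:eu-west-1", True, "TLSv1.0",
              handlers=[Vendor("email-saas", 3, date(2017, 3, 1)),
                        Vendor("email-saas-cdn", 4, date(2015, 12, 1))]),
]

if __name__ == "__main__":
    for name, findings in assess_inventory(SAMPLE_INVENTORY, TODAY).items():
        status = "COMPLIANT" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for line in findings:
            print("  -", line)
```

Run against the constructed inventory, the script reports `crm-db` as compliant, four findings for `legacy-file-share` (no classification, no encryption at rest, plaintext transport, an unassessed contractor) and two for `marketing-bucket` (TLS 1.0 transport and a stale fourth-party assessment). The point of the design is that the inventory, not the perimeter, is the unit of control: each finding names the store, the missing control and the responsible party, which is what a third-party risk review or a regulator will ask for.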

Protecting data closer to the data itself
CIOs can readily say how many laptops, servers, and petabytes of storage they have.

But the question they don’t often have a good answer to is where their critical data actually lies. If it’s in the cloud, it’s critical to know this. Creating a robust data governance function helps the CIO understand the entire lifecycle of that data – where it goes, how it moves through business processes, and where the data terminates.

In the cloud, it’s easy to link systems together to provide customers with a richer user experience. Having control over the governance of the data that flows through those pipes is critical. Developing a sound governance plan allows companies to protect the data and to report to regulators about what they’re doing with that data.

Cloud computing has changed the paradigm for today’s businesses, giving them broad access to data that transforms their operations. It has also exposed the data layer to new threats that companies need to protect against to achieve their goals. By taking a new approach to security, incorporating risk management principles and diligent protective techniques, companies can ensure that they’re getting the most out of their data assets.

About the Author
Roger Hale is Vice President of Information Security and CISO at Informatica.
