Where does corporate cloud security responsibility begin and service provider responsibility end?
Security has been, is and will continue to be the cornerstone of advancement in the digital age. Conditions of trust, real or expected, are essential for digital economies to grow and prosper. As more organizations rely on cloud service providers, partner responsibilities for security must be well understood and comprehensive. If you are not sure who’s responsible for security, no one is. That is a bad answer for all concerned, especially for the contracting organization, which in the eyes of the public — and the law — will be held accountable. So how can you and your cloud partners model threats, identify gaps and secure your corporate cloud?
Establishing ground rules
Cloud service partners enable the contracting organization to pursue business objectives while maintaining acceptable risk. Cost savings and economic efficiencies are the obvious objectives driving cloud adoption. Securing an evolving cloud environment should be of equal importance. The days when security could be viewed as an internal IT issue — a bolt-on practice or something that could be addressed after partner selection — are gone.
In the cloud, security is a shared responsibility. The business and its cloud service providers will share operational responsibility for the security posture of the organization. Cloud services must enable critical business functions to operate without interruption, recover within acceptable time frames and avoid compliance violations. To achieve these outcomes, the contracting organization must establish and communicate ground rules for all current and potential cloud service providers.
It’s never too early to establish security expectations within your organization. Like the examples below, ground rules should be simple and drive accountability:
- The corporation is responsible for the value of its brand and will act accordingly.
- The corporation is accountable for adequate oversight of cloud service provider compliance.
- The corporation will develop or acquire sufficient resources to understand and assess security risks before entering into a service agreement.
Remember, due diligence is the responsibility of the organization choosing to share its security responsibilities. The upside to this burden is achieved by a well-structured security sharing arrangement. Like high fences make good neighbors, well-defined boundaries make responsibility sharing possible.
The shared model of security
Well-defined boundaries in a shared cloud security model are essential. Company leadership and the security team should understand critical business functions, ownership and risk before selecting a cloud service partner. To be effective, the organization’s security team must be up to date and knowledgeable about cloud deployment models, cloud service models, business processes, data flow, compliance and privacy. The team must also be organizationally aware and familiar with leadership’s appetite for risk. A cloud service provider cannot play this role.
Modeling of each business system will help the organization manage risk. The common characteristic of a modern system is that one or more of the subsystems will be outside of the direct control of the organization that owns the system. The nature of such systems will vary over time as cloud services that process, store and transmit information can evolve independently. The diagram below depicts a typical hybrid cloud deployment with a mix of cloud services, subsystems, deployment approaches, and boundaries to other critical business systems.
Versioning and visually managing business-critical systems can provide confidence that the risk from using external services is at an acceptable level. The level of trust should be based on the amount of oversight the contracting organization can exert on the external service providers’ security controls. Visual system models can be represented in a spreadsheet format. The spreadsheet format should be used to build common controls for oversight.
These methods are simple to use and support the evolving nature and complexity of modern business systems. The key to managing system complexity is to manage systems, and their subsystems, by boundaries. Cloud deployment practices and cloud services provide guidance in the selection of subsystem boundaries. They also signal changes in security posture. This method takes what many consider an increase in system complexity and uses it to simplify the management of evolving risk.
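The spreadsheet-style model described above can be made checkable: one row per subsystem and control, recording who owns the control and how the contracting organization verifies it, with a version kept for each revision. The following is an added illustration written for this article, not a tool from the author or any provider; the CSV layout, the control names, the oversight labels and the two sample matrix versions are all constructed for the example. It flags the two gaps the article warns about (a control nobody owns, and a provider-owned control with no oversight mechanism) and diffs two versions to surface changes in security posture.

```python
"""Shared-responsibility matrix checker (added illustration, not the article's own tooling).

Assumptions (constructed for this example, not taken from the article):
the CSV columns, the control and subsystem names, and the oversight labels.
"""
import csv
import io

# Constructed sample, version 1: one row per (subsystem, control).
# "owner" is the party operating the control; "oversight" is how the
# contracting organization verifies it (empty means no mechanism recorded).
SAMPLE_MATRIX_V1 = """\
subsystem,service_model,control,owner,oversight
crm,SaaS,data_encryption_at_rest,provider,soc2_report
crm,SaaS,identity_and_access,corporation,quarterly_review
crm,SaaS,backup_and_recovery,provider,
erp,IaaS,os_patching,corporation,internal_audit
erp,IaaS,physical_security,provider,iso27001_cert
erp,IaaS,network_segmentation,,
payroll,on-prem,data_encryption_at_rest,corporation,internal_audit
"""

# Constructed sample, version 2: a later revision of the same model in which
# some gaps were closed and a new provider-run control was introduced.
SAMPLE_MATRIX_V2 = """\
subsystem,service_model,control,owner,oversight
crm,SaaS,data_encryption_at_rest,provider,soc2_report
crm,SaaS,identity_and_access,corporation,quarterly_review
crm,SaaS,backup_and_recovery,provider,contract_clause_7
crm,SaaS,logging_and_monitoring,provider,
erp,IaaS,os_patching,corporation,internal_audit
erp,IaaS,physical_security,provider,iso27001_cert
erp,IaaS,network_segmentation,corporation,internal_audit
payroll,on-prem,data_encryption_at_rest,corporation,internal_audit
"""


def parse_matrix(text):
    """Parse the CSV text into a list of row dicts with whitespace stripped."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({k: (v or "").strip() for k, v in row.items()})
    return rows


def find_gaps(rows):
    """Return the two gap classes a shared model must not contain:
    - unowned:    no party has accepted the control ("no one is responsible")
    - unverified: a provider-owned control the organization cannot oversee
    """
    unowned, unverified = [], []
    for r in rows:
        key = (r["subsystem"], r["control"])
        if not r["owner"]:
            unowned.append(key)
        elif r["owner"] == "provider" and not r["oversight"]:
            unverified.append(key)
    return {"unowned": unowned, "unverified": unverified}


def posture_changes(old_rows, new_rows):
    """Diff two versions of the matrix.

    Returns (key, old_state, new_state) for every (subsystem, control) whose
    owner or oversight changed; a state of None means the row did not exist
    in that version. This is what "versioning" the model buys: each revision
    shows exactly where responsibility or oversight moved.
    """
    def index(rows):
        return {(r["subsystem"], r["control"]): (r["owner"], r["oversight"])
                for r in rows}
    old, new = index(old_rows), index(new_rows)
    return [(key, old.get(key), new.get(key))
            for key in sorted(set(old) | set(new))
            if old.get(key) != new.get(key)]


def report(old_text, new_text):
    """Gaps in the current version plus the changes since the previous one."""
    old_rows, new_rows = parse_matrix(old_text), parse_matrix(new_text)
    return {"gaps": find_gaps(new_rows),
            "changes": posture_changes(old_rows, new_rows)}


if __name__ == "__main__":
    result = report(SAMPLE_MATRIX_V1, SAMPLE_MATRIX_V2)
    for kind, keys in result["gaps"].items():
        for subsystem, control in keys:
            print(f"GAP {kind}: {subsystem}/{control}")
    for key, before, after in result["changes"]:
        print(f"CHANGED {key[0]}/{key[1]}: {before} -> {after}")
```

Running the script against the two constructed versions shows the version-1 gaps (the unowned erp network segmentation and the unverified CRM backup control) closed in version 2, while the newly added provider-run logging control appears as a fresh unverified gap, which is the kind of posture change the review cycle is meant to catch before it is accepted.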
The cloud service provider, or a third-party security consultancy, can bridge security practices between your on-premise IT and the cloud. This expectation should be reinforced as new or migrated cloud service and delivery models achieve equal or better results under audit — or if compromised. To achieve these goals, look for partnerships with organizations that:
- Have specific security practices and measures in place to protect subsystems and data that are sufficient to satisfy your security requirements.
- Are upfront about the use of third-party managed security services. These services may be more effective than available service provider solutions if your contract provides for some level of oversight.
Remember, statutory and regulatory requirements for the protection of data and systems are consistent, whether such information resides in the cloud or on-premise.
Acceptable risk levels
Each organization is ultimately accountable for its brand value. Combinations of cloud services and deployment models impact confidentiality, integrity and availability differently. Corporate security teams need methods and tools to manage dynamic security programs.
A dynamic security program recognizes that the organization’s appetite for risk can change quickly. Leadership changes, market conditions, and operational events, good or bad, can drive acceptable risk. Modern architectures, if managed well, support the recalibration of risk and responsibility. Management and control of cloud services and deployment models, aligned with well-bounded systems and subsystems, are positive steps toward managing evolving cloud operations.