Cloud

Cloud Security Governance - Optimizing the Business Benefits of Security in the Cloud

Michael Addo Yobo 70px png

Michael Addo-Yobo

Managing Principal, Cyber Risk Advisory, Coalfire

Why Cloud Security Governance Is Needed

Enterprises are increasingly pursuing the business advantages of migrating technology platforms and services into the cloud environment leveraging one or more of the three main cloud service areas – Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). These advantages include but are not limited to rapid information system deployment, significantly reduced operating costs, massive economies of scale, processing speed, and agility. However, subscription to these services often imply security and compliance challenges for enterprises who are often unprepared to resolve them.

Data breaches, system vulnerabilities, insufficient identity, and credential and access management are some of the typical security challenges in the cloud environment that subscriber enterprises must address. In some situations, an enterprise may lack adequate operationalization and enforcement of policies, procedures, a formal operating model, or even a properly constituted organizational function to effectively manage security in the cloud. In other situations, the enterprise may also not sufficiently exercise its responsibility to protect data in the cloud or may lack the means for senior management visibility into cloud security performance and risks. These issues may prevail even when an enterprise stands to gain significant business benefits from transforming its service delivery model via the use of cloud computing platforms.

The underlying business problem leading to these challenges is the lack of effective governance of cloud security. In this blog, I explore cloud security governance, common challenges, and review key targets that can help enterprises optimize the business benefits of cloud security programs.    

What Is Cloud Security Governance?

Cloud security governance refers to the management model that facilitates effective and efficient security management and operations in the cloud environment so that an enterprise’s business targets are achieved. This model incorporates a hierarchy of executive mandates, performance expectations, operational practices, structures, and metrics that, when implemented, result in the optimization of business value for an enterprise. Cloud security governance helps answer leadership questions such as:

  • Are our security investments yielding the desired returns?
  • Do we know our security risks and their business impact?
  • Are we progressively reducing security risks to acceptable levels?
  • Have we established a security-conscious culture within the enterprise?

Strategic alignment, value delivery, risk mitigation, effective use of resources, and performance measurement are key objectives of any IT-related governance model, security included. To successfully pursue and achieve these objectives, it is important to understand the operational culture and business and customer profiles of an enterprise, so that an effective security governance model can be customized for the enterprise.        

Cloud Security Governance Challenges

Whether developing a governance model from the start or having to retrofit one on existing investments in cloud, these are some of the common challenges:

Lack of senior management participation and buy-in
The lack of a senior management influenced and endorsed security policy is one of the common challenges facing cloud customers. An enterprise security policy is intended to set the executive tone, principles and expectations for security management and operations in the cloud. However, many enterprises tend to author security policies that are often laden with tactical content, and lack executive input or influence. The result of this situation is the ineffective definition and communication of executive tone and expectations for security in the cloud. To resolve this challenge, it is essential to engage enterprise executives in the discussion and definition of tone and expectations for security that will feed a formal enterprise security policy. It is also essential for the executives to take full accountability for the policy, communicating inherent provisions to the enterprise, and subsequently enforcing compliance  

Lack of embedded management operational controls
Another common cloud security governance challenge is lack of embedded management controls into cloud security operational processes and procedures. Controls are often interpreted as an auditor’s checklist or repackaged as procedures, and as a result, are not effectively embedded into security operational processes and procedures as they should be, for purposes of optimizing value and reducing day-to-day operational risks. This lack of embedded controls may result in operational risks that may not be apparent to the enterprise. For example, the security configuration of a device may be modified (change event) by a staffer without proper analysis of the business impact (control) of the modification. The net result could be the introduction of exploitable security weaknesses that may not have been apparent with this modification. The enterprise would now have to live with an inherent operational risk that could have been avoided if the control had been embedded in the change execution process.

Lack of operating model, roles, and responsibilities
Many enterprises moving into the cloud environment tend to lack a formal operating model for security, or do not have strategic and tactical roles and responsibilities properly defined and operationalized. This situation stifles the effectiveness of a security management and operational function/organization to support security in the cloud. Simply, establishing a hierarchy that includes designating an accountable official at the top, supported by a stakeholder committee, management team, operational staff, and third-party provider support (in that order) can help an enterprise to better manage and control security in the cloud, and protect associated investments in accordance with enterprise business goals. This hierarchy can be employed in an in-sourced, out-sourced, or co-sourced model depending on the culture, norms, and risk tolerance of the enterprise.

Lack of metrics for measuring performance and risk
Another major challenge for cloud customers is the lack of defined metrics to measure security performance and risks – a problem that also stifles executive visibility into the real security risks in the cloud. This challenge is directly attributable to the combination of other challenges discussed above. For example, a metric that quantitatively measures the number of exploitable security vulnerabilities on host devices in the cloud over time can be leveraged as an indicator of risk in the host device environment. Similarly, a metric that measures the number of user-reported security incidents over a given period can be leveraged as a performance indicator of staff awareness and training efforts. Metrics enable executive visibility into the extent to which security tone and expectations (per established policy) are being met within the enterprise and support prompt decision-making in reducing risks or rewarding performance as appropriate.

The challenges described above clearly highlight the need for cloud customers to establish a framework to effectively manage and support security in cloud management, so that the pursuit of business targets are not potentially compromised. Unless tone and expectations for cloud security are established (via an enterprise policy) to drive operational processes and procedures with embedded management controls, it is very difficult to determine or evaluate business value, performance, resource effectiveness, and risks regarding security operations in the cloud. Cloud security governance facilitates the institution of a model that helps enterprises explicitly address the challenges described above.  

Key Objectives for Cloud Security Governance

Building a cloud security governance model for an enterprise requires strategic-level security management competencies in combination with the use of appropriate security standards and frameworks (e.g., NIST, ISO, CSA) and the adoption of a governance framework (e.g., COBIT). The first step is to visualize the overall governance structure, inherent components, and to direct its effective design and implementation. The use of appropriate security standards and frameworks allow for a minimum standard of security controls to be implemented in the cloud, while also meeting customer and regulatory compliance obligations where applicable. A governance framework provides referential guidance and best practices for establishing the governance model for security in the cloud. The following represents key objectives to pursue in establishing a governance model for security in the cloud. These objectives assume that appropriate security standards and a governance framework have been chosen based on the enterprise’s business targets, customer profile, and obligations for protecting data and other information assets in the cloud environment.

  1. Strategic Alignment
    Enterprises should mandate that security investments, services, and projects in the cloud are executed to achieve established business goals (e.g., market competitiveness, financial, or operational performance).
     

  2. Value Delivery
    Enterprises should define, operationalize, and maintain an appropriate security function/organization with appropriate strategic and tactical representation, and charged with the responsibility to maximize the business value (Key Goal Indicators, ROI) from the pursuit of security initiatives in the cloud.  
     

  3. Risk Mitigation
    Security initiatives in the cloud should be subject to measurements that gauge effectiveness in mitigating risk to the enterprise (Key Risk Indicators). These initiatives should also yield results that progressively demonstrate a reduction in these risks over time.
     

  4. Effective Use of Resources
    It is important for enterprises to establish a practical operating model for managing and performing security operations in the cloud, including the proper definition and operationalization of due processes, the institution of appropriate roles and responsibilities, and use of relevant tools for overall efficiency and effectiveness.
     

  5. Sustained Performance
    Security initiatives in the cloud should be measurable in terms of performance, value and risk to the enterprise (Key Performance Indicators, Key Risk Indicators), and yield results that demonstrate attainment of desired targets (Key Goal Indicators) over time.

Coalfire has assisted many organizations in resolving their cloud security governance challenges. Our approach to cloud security governance aims at identifying the root cause of identified challenges within an enterprise and subsequently designing and operationalizing a customized governance framework to effectively manage security in the cloud to achieve desired outcomes. Regardless of the desired operating model (i.e., in-sourced, out-sourced or co-sourced), Coalfire has successfully employed a proven approach to establish and sustain cloud security programs for enterprises across multiple industry groups – regulated and non-regulated.

Whether the enterprise lacks, or has existing security governance structures, Coalfire can evaluate the current state of governance and seamlessly integrate mature elements of existing structures into a future framework that optimizes value and performance, reduces risks and assures the effective use of resources in managing cloud security programs.