Cloud computing has transformed every business across the globe, from basic tools to enterprise applications. The entire enterprise infrastructure is moving to the cloud. With accelerating adoption of cloud, organizations are increasing their attack surface and infrastructure security in cloud computing is an issue given the hyper-connected nature of the cloud.
(many of the points were discussed at CISO Platform 100 & Decision Summit @ Kochi).
10 Areas of Risks in Enterprise Cloud Security Controls across Infrastructure:
- Compliance to Security Policy, standards and security requirements
- Applicable security policies, standards and security requirements, if not identified, reviewed periodically and acted upon in time, could lead to failure to comply with security policy / requirements of the Organization resulting in compromise of information and information processing facilities
- Cloud Governance Model
- The organization must have mechanisms in place to identify all providers and brokers of cloud services with which it currently does business and all cloud deployments that exist across the enterprise.
- A contract team representing the customer’s legal, financial, information security and business units has identified and included required contractual issues in the contract from the customer’s perspective, and the service provider’s legal team has provided contractual assurance to the satisfaction of the customer.
- Legal issues relating to functional, jurisdictional and contractual requirements are addressed to protect both parties, and these issues are documented, approved and monitored.
- The deployment service models (SaaS, PaaS, IaaS) defines the data protection responsibilities between the customer and service provider, and these responsibilities should be clearly established contractually.
- Service provider security assurance is provided through ISO27001 Certification.
- Planning for the migration of data, such as formats and access, is essential to reducing operational and financial risks at the end of the contract. The transition of services should be considered at the beginning of contract negotiations.
- Cloud Infrastructure Operations
- Incident notifications, responses, and remediation are documented, timely, address the risk of the incident, escalated as necessary and are formally closed.
- Identity and Access Management
- Identity processes assure only authorized users have access to the data and resources, user activities can be audited and analyzed, and the customer has control over access management.
- Change Control & Configuration Management
- New Development / Acquisition
- Data Security & Information Lifecycle Management Classification
- Data security means must be in place for protecting data, such as a database, from destructive forces and from the unwanted actions of unauthorized users.
- Mechanisms for label inheritance shall be implemented for objects that act as aggregate containers for data.
- Secure Disposal
- Datacenter Security
- Asset Management
- Controlled Access Points
- Location-aware technologies may be used to validate connection authentication integrity based on known equipment location.
- Off-Site Equipment
- Data Processing Facility
- Secure Area Authorization
- Network Security
- Appropriate network control technologies and policies must be designed to adhere to regulatory compliance rules and to protect information, data applications and infrastructure associated with cloud computing.
- Infrastructure & Virtualization Security
- Audit Logging / Intrusion Detection
- Change Detection
- Clock Synchronization
- Capacity projection measures must be in place to avoid the future overload
- Vulnerability Management
- OS Hardening and Base Controls
- Production / Non-Production Environments
- vMotion Data Protection
- VMM Security - Hypervisor Hardening
- Wireless Security
- Business Continuity Management
- Operational Resilience
- Datacenter Utilities / Environmental Conditions
- Environmental Risks
- Equipment Location
- Equipment Power Failures
- Retention Policy: Backup and recovery measures shall be incorporated as part of business continuity planning and tested accordingly for effectiveness
Comments