The Microsoft approach to cloud transparency – Part IV – The benefits of standardized frameworks

Welcome! Please comment and leave me a note telling me what you like and what you'd like to see more of. Sign up to my RSS Feed!

As we mentioned last week, thank you for coming back for the exciting Part IV of The Microsoft approach to cloud transparency

The Microsoft approach to cloud transparency

Using the Cloud Security Alliance’s Security, Trust & Assurance Registry (STAR)

 

Part IV – The benefits of standardized frameworks

  
Generally, core competencies of organizations that adopt cloud computing do not include the deployment and management of cloud computing technologies. Because of the potential common and cloud-specific risks, organizations frequently rely on outside consulting firms and cloud providers’ lengthy RFP responses to evaluate risk for their specific cloud deployment needs.

Those responses must be evaluated by experienced cloud professionals, in addition to internal risk experts, to ascertain the true risk to the organization. This risk assessment should include a determination of the risk that derives from adopting these technologies and how to best mitigate that risk.

The cloud deployment partner selection exercise frequently takes place in a climate of intense business pressure to reduce costs and to increase flexibility. In such a climate, a drawn-out risk management process may be seen as an inhibitor, rather than an enabler, of business goals.

Best practices

Some of the unease and complexity involved in selecting a cloud provider can be alleviated by using a common controls framework. Such a framework should consider not only best practices in information security, but also include a true understanding and evaluation of cloud-specific deployment considerations and risks. In addition, such a framework should address much of the cost involved in the evaluation of alternate solutions and help to significantly manage risk that must otherwise be considered.

In using a well thought-out controls framework, organizations can avoid most of the costs related to engaging outside expertise for selecting an appropriate cloud provider, and rely instead on combined efforts that represent years of expertise in the field.

 

Complexity

A cloud-specific controls framework such as the Cloud Controls Matrix (CCM) reduces the risk of an organization failing to consider important factors when selecting a cloud provider. The risk is further mitigated by relying on the cumulative knowledge of industry experts who created the framework, and taking advantage of the efforts of many organizations, groups, and experts in a thoughtfully laid-out form. In addition, an effective industry framework will be regularly updated to take account of changes in maturing technologies, based on the experiences of experts who have reviewed many different approaches.

Comparison

For organizations that do not have detailed knowledge about the different ways that cloud providers can develop or configure their offerings, reviewing a fully developed framework can provide insight into how to compare similar offerings and distinguish between providers. A framework can also help determine whether a specific service offering meets or exceeds compliance requirements and/or relevant standards.

Audit and knowledge base

Using an industry-accepted framework provides a means to review documentation about why and how decisions were made and to know which factors were given more weight and why. Understanding how a decision was made can provide a basis of knowledge for decision making in future efforts, especially when personnel changes cause the people who made the original decision to no longer be available.

 

Come back next week for Part V!

The Microsoft approach to cloud transparency – Part III

Thank you for joining us again for the continuation of the paper I authored for Microsoft about  its approach to security of Cloud offering, including using the Cloud Security Alliance (CSA) Security, Trust & Assurance Registry (STAR).

Let me know what you think!

 

The Microsoft approach to cloud transparency

Using the Cloud Security Alliance’s Security, Trust & Assurance Registry (STAR)

 

Part III – Privacy

As part of the security risk assessment, a privacy review needs to be considered to ascertain potential risks to the data and operations in the cloud. Today, the notion of privacy goes beyond the traditional description of customer data and extends into organizational privacy, which includes most intellectual property constraints; that is, the

know-how, know-why, and know-when of organizations. As more and more organizations become knowledge-based, the intellectual property values that they generate increase. In fact, intellectual property value is often a significant part of an organization‘s value.

Confidentiality and integrity

Similarly, concerns about confidentiality (who can see the data) and integrity (who can modify the data) are important to include in any evaluation. Generally, the more access points to the data, the more complicated the risk profile creation process. Although many regulatory frameworks focus on confidentiality, others such as Sarbanes-Oxley focus almost exclusively on the integrity of data that is used to produce report financial statements.

Reliability

In many cloud computing environments, the data flow that moves information into and out of the cloud must be considered. Sometimes multiple carriers are involved, and oftentimes access beyond the carrier must be evaluated. For example, a failure at a communications service provider can cause delay and affect the reliability of cloud-based data and services. Any additional service provider must be evaluated and assessed for risk.

Auditing, assurance, and attestation

Many organizations are experienced in traditional application and data deployment activities, such as auditing and assessments. In a cloud deployment, the need for some of these activities becomes even more acute at the same time that the activities themselves become more complex.

Embedded in the cloud concept, and especially in public cloud deployment, is a lack of physical control by the organization that owns the data. Physical controls must be considered to protect the disk drives, the systems, and even the data centers in which data resides. Such considerations also apply to software environments in which cloud services components are deployed.

In addition, obtaining permissions for the purpose of satisfying requirements for resiliency testing, penetration testing, and regular vulnerability scanning can be a challenge in cloud deployments.

It can also be a challenge to address and satisfy requirements for independent validation of controls. Cloud providers are typically reluctant to approve many types of testing in a shared infrastructure because of the impact that testing could have on other customers.

 Frequently, an organization intending to engage in cloud deployment does not

know how to evaluate risks or how to choose a cloud provider that mitigates risks.

 

For certain regulatory frameworks, auditing is a requirement.  Frequently, cloud customers are faced with challenges that threaten or appear to deny the many benefits of cloud adoption and deployment.

 

Join us again next week for Part IV of the Microsoft approach to cloud  transparency.