12. How are you going to handle the burden of proof? When auditors ask to see evidence that your cloud service provider's controls are actually working, will you have an answer? The reality is that you cannot prove anything about your own compliance posture if the cloud provider cannot explain, and document, where it stands.
Do what you can to get a seat at the table during management and legal discussions that affect how your business uses the cloud. It could very well be that your cloud strategy conflicts with the legal controls that your lawyer and management have devised. Most importantly, do not sit around and assume that everything has been taken care of in the cloud; the odds are good that it hasn't. Ask the tough questions before something happens, not after.
Kevin Beaver is a consultant with Atlanta-based Principle Logic LLC (www.principlelogic.com). He has authored/co-authored 11 books on information security, including Hacking for Dummies, Implementation Strategies for Fulfilling and Maintaining IT Compliance, and the Security on Wheels audio books and blog (www.securityonwheels.com). Follow him on Twitter, @kevinbeaver or connect to him on LinkedIn.
Today’s Homework: Set Proper Expectations
When moving to the cloud, it is critical to understand the difference between uptime and security: an availability guarantee in a service-level agreement says nothing about whether your data is protected. You must ensure that all decision makers in your organization are on board with this. Management must understand what can happen; legal must understand that contracts are only part of the equation; internal audit and compliance must know who is responsible for what; and IT and information security staff must review the cloud provider's audit reports and security assessments, or perform their own. Getting the right people on board and setting their expectations properly will not only help reduce risk in the cloud, it will also help minimize the impact to the business when mishaps do occur.