Question: From a risk management perspective, how is security in cloud computing different from security in outsourced services?
Outsourcing has matured to a level where contractual terms and conditions are relatively routine and mechanisms exist to verify security claims of an outsource provider. Cloud computing lacks these practices for efficient supplier and customer understanding.
Certifications based on industry best practices such as ISO 27001, and methods to verify whether specific security capabilities are in place and operating, such as SAS 70 Type I and Type II, are a start.
The same types of capabilities to allow for a trusted transfer of risk for outsourced services need to be developed for the cloud computing environment.
The location of an enterprise's assets may be unknowable; commingling of your data with other enterprises may be common; and isolating and extracting your data may be more difficult.
In general, the physical segregation of computer systems and dedicated outsourced employees managing/manipulating those systems is missing, and all security controls must be logical, which may not be well understood by the customer.
In addition, the business relationship itself between the cloud customer and the cloud service provider may be extremely dynamic, brokered by a third party with transient terms of service. This puts additional pressure on the customer to accurately quantify the risks and understand evolving threat vectors.
Whether the decision is to use outsourcing or cloud computing, your organization cannot relax its risk mitigation posture. If you are not assured that your provider is maintaining the security and privacy of your information, then you can't afford to use them. Outsourcing is relatively more mature and as such its providers tend to readily acknowledge the specific security requirements of their customers.
Organizations must work to get these same assurances from their cloud computing providers. Security practitioners need to make senior management aware of the risks of moving to cloud computing, just as they did for outsourcing initiatives. Get ahead of the business on this. Having policies in place encourages your organization to include them as requirements when seeking a provider of cloud computing services.
Governance, risk, compliance and the controlling framework must follow resources as they are provisioned across virtual layers. These are complicated matters and require technical frameworks, third-party validation and transparency of operations from public cloud providers.
Outsourcing requires precise service-level agreements covering important process and security-related responsibilities. The customer company should retain its organizational core competencies in the course of outsourcing and thoroughly understand virtualization and emerging cloud risks, so that the organization's interests are being managed and are not dependent on the cloud provider.
For more information about the Security Executive Council, please visit www.securityexecutivecouncil.com/?sourceCode=std. The information in this article is copyrighted by the SEC and reprinted with permission. All rights reserved.