.png)
When we are looking into "doing business" with a public Cloud provider, to whichever purpose that may be, we must, at the same time, accept a great dependency on the providers, allowing trust to be part of this relationship. Comfort on security and integrity of data, is one of the major concerns that is in the mind of the various stakeholders including management, auditors and customers. Assurance can take a variety of forms, including security certifications, audit reports and terms and conditions of services, hence we must seek assurance through due diligence and contractual obligations, whilst ensuring compliance with applicable regulations. When we're seeking for that assurance, main things which we probably want to consider are: Is the cloud service secure enough for this type of information? Is it compliant - and will it remain compliant - with relevant legislation, contractual or regulatory requirements? Are the other risks that arise from using this service acceptable? The answers to these questions will come out of a risk assessment combined with assurance.
When it comes specifically to data assurance, the CSP may not have the same responsibilities and accountability as the data owners, but they nevertheless take on significant risks associated with managing and protecting the data in the Cloud.
The guiding Principle is:
Security assurance activities must be embedded into key aspects of the CSP solutions and also the hosted services, to provide the necessary evidence of an appropriate security posture
Here are few high-level key points to help us gain assurance and increase trust, in the spirit of the Principle:
Ensure sufficient controls in place to identify weaknesses in the hosting environment configurations, against an agreed build standard created at or before initial deployment. Ideally this will be automated to enable the ability of identifying & quantifying configuration drift while we keep up with introduction of new Cloud services.
Considering the dynamic nature and velocity with which services are deployed with public Cloud platforms, maintain at least two separate assurance checks to provide assurance that the prescribed controls have been implemented, with providing confidence that controls are functioning as expected, to maintain the business agreed risk level. First assurance check should be applied during Build phase with the second check applied during the Operate/Run phase.
Ensure using only non-CSP (Out-of-Band) assurance checks tools/technologies, to guarantee an independent oversight.
Utilise Privileged Access Monitoring (PAM) to identify privileged access activities, which potentially can alter the security posture of the account/environment, hence exposing the organisation's assets both within the Cloud platform and within the internal network to attack. Where technically possible, privileged access to data and products which we host on Cloud, must be monitored for CSP's access activities.
Adopt and implement as much as possible the Defense in Depth (DiD) approach, to be used it as the increasing-assurance strategy for systems and information
Follow the Security Trust Assurance and Risk (STAR) programme, to research on available security practices of the CSP. This should assist in building/improving our Cloud security strategy and controls, around the identified weaknesses and/or areas of concern, which are relevant to the use-case.
Comments