Cloud Computing – A boon for IT Value optimization or a bane on Enterprise risk management

Well, it depends on the way a business looks at Clouds. It depends on how sensitive and responsive its programs are for IT value expansion and protection by managing risks to information and all that’s associated in the wake of emerging technologies such as Clouds. While cloud computing has its own challenges for risk management, many of the contemporary risks can still be applicable. A Cloud specific information security policy founded on sound IT governance and an enterprise risk management structure can be the key.

It’s not as gloomy as Clouds are often made out to be

The benefits and risks of migration to the Clouds will largely depend on the type of Cloud model to be chosen and the provider’s security offerings.

Clouds can pave the way for data centric, granular security measures to protect data throughout its life-cycle, as they are driven by the pay-for-only-what-you-use model. This data centric approach may usher in IP (Internet Protocol) packet level self-defense mechanisms and technologies as computing power and bandwidth become cheaper and cheaper and more data will be moved outside an enterprise to take advantage of economies of scale.

Before you make the first step

Clouds do not take away all the responsibilities and liabilities on the part of a Cloud customer. An enterprise still needs to retain an appropriate structure and programs for managing the risks, security and compliance through the Cloud provider. A major part of tactical and operational responsibilities may get shifted to the Cloud provider. Whatever the Cloud model, traditional techniques for managing information security and technology risks can still be applied.

Threats to Cloud security: Are they real?

The ever growing list of threats that have been plaguing the industry for decades is applicable to the Cloud too. Threats such as malware infection, misconfigurations, errors & omissions, espionage, social engineering, poorly communicated and implemented policies, cyber warfare, etc.,

Forensics requires freezing of all compute resources as soon as a security breach is discovered. On a Cloud, how will one achieve this? Similarly, eDiscovery requires ferreting out all data needed by prosecution. Unless Clouds offer a way to keep track of customers’ data, things can get worse.

Infections due to malware can spread to multiple customers rapidly. Impact from a successful attack can be devastating.

The multi-tenant nature of Clouds means that a given virtual environment or the underlying physical servers can host data from different customers having different requirements for security, privacy and compliance. What will be the data classification based security level for that virtual or physical machine? How can the Cloud provider offer a policy that will address the requirements of all of its customers? How can the Cloud provider ensure that its virtual computing resources are not misused by a malicious organization disguised as a legitimate consumer of the Cloud?

While the answers will emerge, security introduced as early as the adoption of a Cloud model can go a long way. A Cloud adoption approach such as the one that follows, based on traditional but very critical measures, can go a long way.

1. Prepare a strategy for IT and also Information Architecture. Build Security, Privacy and Compliance into the architecture. Have a carefully evaluated strategy for IT before moving to Clouds. Clouds are, in a way, an outsourcing model. Clearly, it’s your Cloud based IT strategy that is going to drive your business strategy, innovation and operational excellence.

2. Adopt a risk management approach and integrate it with your firm-wide risk management program. With the adoption of Cloud, liabilities do not just disappear, though IT overhead can reduce significantly and clouds have the potential to get the best of everything in data protection and compliance, even if it comes at a cost. Revisit your current risk management program and include in it a plan for addressing Cloud related concerns.

3. Select a cloud service model that best aligns with your IT strategy. Moving a business handling sensitive and privacy data regulated by PCI, HIPAA, GLBA, etc., demands a clear understanding of the risks involved in, and the protections offered by, the cloud. Chances are your IT and security strategies are going to be largely influenced by the safeguards to be offered by the Cloud.

4. Choose a cloud provider that best meets your IT & Compliance requirements. Verification of the Cloud provider’s policies & procedures related to information & IT operational security would be necessary. Apart from that, verify the Cloud provider’s track record, financial stability, future direction, and the security and compliance assurances offered, such as ISO 27001 and SysTrust apart from SAS 70.

5. Draft a well defined legal and contractual agreement that addresses your business requirements for security, privacy and compliance. Adoption of Cloud can mean a big shift in what remains in your strategic as well as tactical control. A strong contractual framework can help make a case for “outsourcing control of your controls”.

6. Align your security policies & procedures. This can be really challenging as a mutual alignment is a must to avoid exposure of your data. Alignment should not be at the cost of compromising your security & compliance requirements.

7. Know your data. Have a well defined data classification policy that can be implemented by the Cloud provider. Your classification policy should clearly set forth user access and authorization rules, data protection such as encryption, etc.

8. Have a clearly articulated data security policy and procedures. Understand how idle data are stored, isolated and protected. Find out what happens to your data when your subscription is over or when you need to scale down or if you are a Cloud storage customer.

9. Understand and evaluate controls in Cloud’s control. Ensure that the Cloud provider has effective measures for personnel, physical & environmental security, user access controls, data security at rest and in motion, isolation from other customers, etc. Pay attention to granular issues: for example, if encryption is offered, find out how key management is implemented.

10. Have a data retention and disposal policy that suits your Cloud strategy. Define your back-up and recovery requirements. Back-up data deserves protection in accordance with its classification if stored in the clouds. Better still, store the data in an offsite location controlled by you.

11. Have a regular program for creating and monitoring security awareness.

12. Implement, Review, Assess & Audit. Have independent audit and security assessment firms audit the Cloud provider’s policies, procedures, controls, tests, audits, etc. Review your contractual framework in line with emerging trends in Cloud security.

While safeguards related to physical & environmental security may be a given, including basic disaster recovery arrangements, Cloud adopters have to pay closer attention to risks related to data, application and users.

This Cloud certainly has a silver lining, probably many.