Cloud security, and in particular cloud security governance, is becoming an increasingly important area for security professionals to pay attention to. Cloud security has been on our radar since the inception of the whole cloud concept, but with the increase in the number of different cloud environments available, some special and some general, and the move to cloud-first deployments for companies around the world, having governance in place for the security of these clouds is becoming a business-critical issue.

Cybersecurity Magazine has previously covered hybrid cloud security, but security governance in relation to clouds is much more than just dealing with multi-cloud scenarios. All the big cloud vendors, Google, Amazon, Azure, and so on, run data centers distributed around the world in multiple different legislative and regulatory environments. This distribution opens new challenges for the data that is stored with cloud vendors around the world. For those that are using cloud data centers in the EU only, there is a single set of regulations to deal with, but in cases where our cloud infrastructures are distributed across the globe, multiple different sets of legislation need to be considered as part of the cloud journey.

Add to that the high frequency of change that many clouds are experiencing from the vendor side. Azure, for instance, is seeing changes every 2-3 weeks. The same goes for Microsoft 365. I am sure that the same goes for plenty of other public cloud providers. All of this, the distributed nature of the cloud and the high rate of change, adds up to a significant challenge for many companies and organizations. Governance can help with this challenge. As I see it, governance, good governance, is the only way to solve, or mitigate, the risks just mentioned.


Governance, in this case IT governance, can be a challenge to implement depending on how mature an organization is. If you are part of a start-up, then governance is not very high on the agenda and the IT maturity will not be all that high, even if it is an IT start-up, whereas an organization that has decades behind it will be more likely to possess the maturity to implement and maintain a good IT governance program. Choosing a governance framework to implement is the next challenge, especially since there are so many to choose from. Which one is chosen is less important than not mixing and matching between several different frameworks. Doing so will, at the very least, confuse the people responsible for the IT governance and at worst will serve to limit the effectiveness of the whole governance program.

What are some of the options for a cloud security governance framework?

  • ISO 27017 – A set of controls that can be added to ISO 27001 to extend it to the cloud.
  • Cloud Controls Matrix – This framework is developed by the Cloud Security Alliance and is aimed strictly at the cloud.
  • NIST 800-53 – This is the American framework. It consolidates a set of controls for information security and privacy. It is not aimed specifically at the cloud, but many of the controls are applicable to cloud deployments.
  • ENISA IAF – ENISA is the EU cyber security agency, which released the Information Assurance Framework back in 2009. The benefit of IAF is that it highlights the questions that any organization should ask before moving to the cloud.
  • PCI SSC – If you are in a company that needs to be PCI compliant, then SSC should be considered as a cloud security framework. SSC provides guidance on how to become/remain PCI compliant in a cloud environment.
  • COBIT 2019 – COBIT was originally designed for on-premises environments, but in the later versions cloud is mentioned specifically within some of the individual controls. As an aside, COBIT can serve as the overarching framework for several of the frameworks mentioned in this list.

As mentioned previously, the high rate of change and jurisdiction of data distributed around the world can bring significant challenges. Good IT governance means considering the regulations for data, as well as changes happening within the clouds.


For most of the workloads we move to the cloud, we must deal with the changes that the vendor is making to the cloud environment on a continuing basis. This is not necessarily a bad thing, but it introduces some challenges that many companies and organizations are not prepared for. In on-prem environments, changes are introduced under our complete control; the same is not the case in cloud environments. Cloud customers must implement a process whereby they keep track of the changes introduced by their cloud vendor(s) and decide on the impact of each change on the cloud workload or, in cases where the vendor is introducing a new feature, decide whether to implement this feature.

Without good processes in place to keep track of changes and their impact on, or applicability to, cloud workloads, there is a very real risk of us suddenly breaking our cloud workloads or missing out on a great new feature.

With regard to the legislative challenges, by distributing our cloud workloads across the world we often face conflicting legislation. Some laws are similar, such as the EU GDPR implementations that California and Japan have adapted to their own legislative systems. Some countries, like my own, Denmark, have rules in place that stipulate that some kinds of information must be stored and processed within national borders. If there is a cloud datacenter from your chosen vendor within the national borders, then this might be enough to comply with this regulation, but there is no guarantee.

As cybersecurity professionals, we likely have no interest in becoming part-time legal advisors, but we must be able to understand some of the challenges with having a cloud infrastructure distributed around the world. My own experience tells me that keeping track of the legal issues with a distributed cloud infrastructure is a major challenge for most companies and organizations. One way of avoiding this is to limit deployments to geographical areas where the legal issues are known and managed already, but that might bring conflict with governments that require access to data and have different legal systems.

As yet, very few precedents have been developed for the legal issues surrounding the cloud, but the Schrems 2 case is the beginning of a firmer foundation for companies and organizations to deal with the legal challenges of data storage and processing. I predict that we will see additional cases like the Schrems one in the coming years as the cloud becomes more widespread and ubiquitous.

Senior Security Consulting Manager at

Tom Madsen has been active in the cybersecurity industry for more than 20 years. Tom graduated from the University of Aalborg and covered several technical roles in security during his professional career. He is certified as CISSP, CISA, CISM, CGEIT, CRISK, CCSP, CDSPE and CSSLP, and has published the book "The Art of War for Cybersecurity". He is currently writing a book 'Security Architecture - How & Why'.
