Your organization, like many other organizations around the world, is certainly looking to transform its business by leveraging cloud services.
You (as a CEO, CIO, CISO, Security Manager, Solutions/Services Owner, Cloud Subject Matter Expert, etc.) are probably facing the following challenges:
- Do we have a clear Cloud Strategy for our organization?
- Do we know the real Cloud Usage within our organization?
- How different is our real Cloud Usage compared to our target Cloud Usage?
- Is our Cloud Usage compliant with industry standards & best practices?
- Is our Cloud Usage compliant with the relevant laws & regulations?
- Does our Cloud Usage put our organization at risk?
This article explains how you can define & maintain an agile & effective strategy to address the above challenges.
Diverse and increasing usage of Cloud Services
Thanks to the promised benefits of cloud computing (e.g. flexibility, pay as you go model, reduced time to market, less capital costs, improved business continuity & disaster recovery, collaboration, etc.), organizations are currently using various types of cloud services (e.g. for content/file sharing, application development, hosting, business intelligence, etc.).
According to the latest cloud usage trends published in Skyhigh’s Cloud Adoption & Risk Report, the total number of cloud services in use can exceed 1400 for the average organization, an increase of roughly 24% in one year.
As a result, developing and maintaining an agile & effective Cloud Security Strategy that addresses the security risks inherent in these diverse cloud usages becomes increasingly challenging.
Key components of a Cloud Security Strategy
A Cloud Security Strategy within an organization (acting as Cloud Customer) consists of a set of policies, processes, people and technologies required for ensuring the proper processing/storage of the organization’s information with cloud services, in accordance with the organization’s risk appetite (generally stated in the corporate security policies).
Defining an effective Cloud Security Strategy within an organization requires a good understanding of all the elements that can significantly impact the organization’s cloud security posture.
Such elements can be identified by analyzing what I call the “Cloud Usage Profile” of the organization.
Core dimensions of an organization’s Cloud Usage Profile
The 10 dimensions depicted in the above figure (data classification, user profile or pattern, device profile or pattern, user network connectivity, service model, hosting model, tenancy model, operation model, use cases and relevant compliances) should drive the definition of the corporate cloud security policies & baselines, the selection of cloud solutions, the selection of security controls for cloud services, the implementation of cloud solutions and all other Cloud Security Strategy related activities within an organization, whatever its size, from small to large organizations.
The Cloud Usage Profile of an organization should itself be governed by the organization’s overall strategy, the business requirements, the industry’s standards & trends and the laws & regulations.
The Cloud Usage Profile should be captured & regularly maintained by a multi-disciplinary team (e.g. Cloud Governance Steering Team, Cloud Competence Center, etc.) including the main impacted stakeholders (e.g. Business, IT, Cyber/Information Security, Legal & Compliance, Procurement, etc.) of the organization.
Not a unique Cloud Usage Profile within an organization
Obviously, there are two types of Cloud Usage Profile within an organization: the target and the real Cloud Usage Profiles.
The target Cloud Usage Profile is the one that the organization would like to have while the real Cloud Usage Profile is the one reflecting the exact cloud usages and practices within the organization, including the Shadow IT practices.
Ideally, the real Cloud Usage Profile should be as close as possible to the target one, but it is not easy to be aware of all the Shadow IT practices within an organization: employees can easily subscribe to cloud services for legitimate or illegitimate purposes using their credit card, their corporate ID and their corporate or personal devices, and then process or store corporate data there. Solutions such as a CASB (Cloud Access Security Broker) can give an organization better visibility of its cloud usages, including some Shadow IT practices, and help it adapt its Cloud Strategy (e.g. definition of corporate cloud security policies & baselines aligned with its risk appetite, employee training & awareness, etc.), reducing the gap between the target and real Cloud Usage Profiles.
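The comparison between the target and the real Cloud Usage Profile can be made concrete as a gap analysis over the 10 dimensions. The following is an added example, not code from the article: the dimension names follow the article, while the target profile and the discovery records (the kind of inventory a CASB would export) are constructed values.

```python
# Added example (not from the article): gap analysis between a target Cloud
# Usage Profile and the real one aggregated from discovered cloud services.
# Dimension names follow the article; all other values are constructed.
from collections import defaultdict

DIMENSIONS = ("data_classification", "user_profile", "device_profile",
              "user_network_connectivity", "service_model", "hosting_model",
              "tenancy_model", "operation_model", "use_case", "compliance")

# Target profile: per dimension, the values the organization accepts.
TARGET_PROFILE = {
    "data_classification": {"public", "internal"}, "user_profile": {"employee"},
    "device_profile": {"corporate_managed"}, "user_network_connectivity": {"vpn"},
    "service_model": {"SaaS", "PaaS"}, "hosting_model": {"public_cloud"},
    "tenancy_model": {"multi_tenant"}, "operation_model": {"provider_operated"},
    "use_case": {"file_sharing", "collaboration"}, "compliance": {"ISO27001"},
}

# Constructed discovery records (e.g. a CASB inventory export); a record only
# carries the dimensions the discovery tool could actually observe.
DISCOVERED_SERVICES = [
    {"service": "approved-drive", "data_classification": "internal",
     "device_profile": "corporate_managed", "service_model": "SaaS"},
    {"service": "personal-share", "data_classification": "confidential",
     "device_profile": "personal_byod", "service_model": "SaaS"},
    {"service": "dev-sandbox", "data_classification": "internal",
     "device_profile": "corporate_managed", "service_model": "IaaS"},
]

def real_profile(services):
    """Aggregate records into the real profile: values observed per dimension."""
    real = defaultdict(set)
    for svc in services:
        for dim in svc.keys() & DIMENSIONS:
            real[dim].add(svc[dim])
    return dict(real)

def profile_gaps(target, real):
    """Observed values the target does not allow, per dimension (empty = aligned)."""
    gaps = {d: sorted(real.get(d, set()) - target.get(d, set())) for d in DIMENSIONS}
    return {d: v for d, v in gaps.items() if v}

def out_of_profile_services(target, services):
    """Per-service view: dimensions on which a discovered service leaves the target."""
    findings = {}
    for s in services:
        bad = [d for d in DIMENSIONS if d in s and s[d] not in target.get(d, set())]
        if bad:
            findings[s["service"]] = bad
    return findings
```

Running the same functions after each change to the target profile or after each new discovery export shows which dimensions drifted, which is the input the strategy review needs.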
Target Cloud Usage Profile as key enabler for an agile & effective Cloud Security Strategy
In addition to driving the definition of an organization’s Cloud Security Strategy, the Cloud Usage Profile is also a key support for assessing the completeness and effectiveness of that Cloud Security Strategy, as well as for its continuous improvement.
Whenever the organization’s Cloud Usage Profile changes (e.g. adoption of new cloud service and/or hosting models, new cloud operations model, processing/storage of more sensitive data in public clouds, authorization of a new device pattern, introduction of a new standard or regulation, etc.), it is easy to figure out what needs to be changed or adapted in the Cloud Security Strategy.
With this Cloud Usage Profile based approach, consisting of 7 steps structured according to the PDCA (Plan-Do-Check-Act) model, an organization can seamlessly address all the continuous changes in the cloud area, whatever the nature and source of the changes (from the Business, the Industry and/or the Regulations), by relying on a flexible Security Strategy adapted to cloud services. In short, this approach enables a Cloud Security Strategy that can better support the organization’s business transformation in an agile mode.
Although I have only described in this article how the approach can be applied to an entire organization, it can obviously also be applied to a business group within an organization, a subsidiary of an organization, a specific functional domain (e.g. Human Resources, Finance) within an organization, etc.