Chief information security officers (CISOs) have an important role in moving their organisations, whether they are public or private, to a cloud computing environment, according to professional certification body (ISC)2.
The move is inevitable because of the lower costs and greater efficiencies cloud computing offers, but the CISO’s role is to ensure that it is done securely, said Marc Noble, director of government affairs for (ISC)2.
“It is far easier to say no to something, but economic realities are driving organisations to the cloud, and CISOs have to find a way for their businesses to operate securely in that environment,” he said.
CISOs should be part of the business, and this is a prime example of how they can be business enablers, according to Noble, who is also co-chair of the (ISC)2 US government advisory board for cyber security.
With proper due diligence, he said CISOs can ensure that by moving to the cloud, their organisations will benefit from a much higher level of security than before.
“Organisations have had a long-held false sense of security, believing that all their data was safe behind a firewall, whereas in reality, cyber criminals have been penetrating such defences for years,” he said.
Building up cloud confidentiality
Noble said a step-by-step approach is the best, particularly where there is a need for high confidentiality around data, especially for some central government departments.
Organisations should start with systems such as email that deal with the least confidential data held by a company to get comfortable with cloud computing and familiar with how it all works before moving on.
Economic realities are driving organisation to the cloud, and CISOs have to find a way for their businesses to operate securely in that environment
Marc Noble, director of government affairs, (ISC)2
This approach is being adopted by cloud computing service providers pitching for federal government business in the US, he said. They want to get a single government-approved service up and running so they can build on the lessons learned to move forward.
Noble said the tipping point for deriving maximum benefit from the cloud would come once organisations are comfortable enough to put their financial systems in the cloud.
For government, he said it may be useful to set up internal private clouds that all government agencies can use.
This will help them learn that cloud computing can be done securely enough for them and see first-hand the efficiencies to be gained from sharing a single data repository rather than sending copies of data from one to another when required, said Noble.
Encryption adds to cloud security
However, Noble added encryption should go hand-in-hand with cloud computing, especially when confidential or sensitive data is involved.
Although cloud computing will enable most organisations to achieve a higher level of security than they were capable of on their own, he said no-one could pretend it would be fool-proof.
“It is only a matter of time before cyber criminals find a weakness they can exploit, but by encrypting all sensitive data in the cloud, organisations can give themselves extra protection and comfort,” he said.
Even if data is somehow breached, strong encryption means it will take too long to decrypt to make it worthwhile and attackers will simply move on.
At the same time, not all data requires encryption, therefore it is important for organisations to know the value of all their data and allocated defences accordingly, said Noble.
In-depth cloud computing downloads from Computer Weekly Computer Weekly buyer's guide to private cloud Five reasons why workforce management is better in the cloud The cloud risk framework Guidebook: Oracle Cloud Services Cloud: Scaling to succeed in new business models Conveying cloud risks to management
Again, there is an important role for the CISO to work with management and systems owners to ensure they understand the risks involved, he said, because it is the management that has to have the final say on how much security is enough.
“As a partner of the business, the CISO has to explain the risks and get management to say if defences are adequate; it is a vital part of IT governance,” said Noble.
The CISO might also have to ensure that management understands its role in making the risk decisions, and must not allow management to push that decision on to the CISO.
Cloud computing means that management will now be forced to make these decisions about what controls must be put around the data, he said. They can no longer avoid the issue by simply putting everything behind a firewall and hoping for the best.
The move to cloud will also help to define roles within organisations more clearly. By knowing exactly how everyone in an organisation interacts with data will help improve access controls and ensure everyone is cleared to the appropriate security level.
Organisations should also get the same assurances from their cloud service providers by requiring all technicians to be security cleared, and writing that requirement into the contract.
Noble said that as organisations grow in experience and confidence, they will be able to expand their use of cloud and benefit not only from improved efficiency and lower cost, but also better security and access controls with the guidance of their CISOs.