Defining Cloud Security Governance & Why You Should Care


Cloud Governance is how your organization takes the appropriate and adequate steps to ensure all enterprise stakeholder requirements are documented and evaluated to ensure stakeholder objectives are understood and met in a consistent and repeatable way.

Your cloud governance program should be based on your defined set of policies, standards, and procedures to ensure enterprise-wide accountability.

Security governance bridges business priorities with technical implementations like architecture, standards, and policies. Governance teams provide oversight and monitoring to sustain and improve security posture over time. These teams also report compliance as required by regulating bodies.

Inventory your current governance program and make sure its schedule covers risk management and mitigation; compliance monitoring and remediation; cost controls; budget allocation; and strategic guidance.

In simple terms, your cloud governance program should ensure your cloud-based information technologies enable your organization’s strategies and business requirements.

It is impossible to improve a business process if you don’t measure it, so I strongly encourage you to ensure you have a process to measure your program results against business objectives, so you can facilitate continuous improvement as a key part of your program.


I have listed a few governance standards below that will help you evaluate and measure your current maturity level.

ISO/IEC 27014:2020 Information Security, Cybersecurity and Privacy Protection – Governance of Information Security provides guidance on concepts, objectives, and processes for the governance of information security, by which organizations can evaluate, direct, monitor, and communicate the information security-related processes within the organization.

The intended audience for this document is:

  • governing body and top management;
  • those who are responsible for evaluating, directing, and monitoring an information security management system (ISMS) based on ISO/IEC 27001;
  • those responsible for information security management that takes place outside the scope of an ISMS based on ISO/IEC 27001, but within the scope of governance.

This document is applicable to all types and sizes of organizations.

ISO/IEC 38500 – Governance of Information Technology Collection promotes effective, efficient, and acceptable use of IT in all organizations by guiding directors in governing the use of IT in their organization. It also provides methods to assist directors in conforming with obligations (regulatory, legislation, common law, contractual) concerning the acceptable use of IT.

The ISO/IEC 38500 – Governance of Information Technology Collection includes:
  • ISO/IEC 38500:2015
  • ISO/IEC TS 38501:2015
  • ISO/IEC TR 38502:2017
  • ISO/IEC TR 38504:2016
  • ISO/IEC 38506:2020

Regulations that commonly drive the compliance requirements a governance program must report against include:

  • Gramm-Leach-Bliley Act (GLBA)
  • Sarbanes-Oxley Act (SOX)
  • The Health Insurance Portability and Accountability Act (HIPAA)
  • General Data Protection Regulation (GDPR)


A formal governance program ensures accountability across the enterprise and establishes oversight for the overall security posture. The program also provides a defined approach to security so it can be applied consistently across your IT service delivery models, including cloud computing.

In reality, large organizations are messy and have a mix of IT services that include emerging cloud computing models, legacy IT data centers, and third-party providers.

Governance provides a way for your organization to ensure business leaders can measure, direct, compare, and enforce IT security and compliance consistently across all delivery models, which now include public, private, and hybrid cloud environments.

Enterprise governance, risk, and compliance (GRC) programs help you identify and measure many types of risk (e.g., financial, credit, regulatory, legal, reputational). Enterprise governance, however, has a special relationship with the confidentiality, integrity, and availability of your organization’s most precious asset: its data and information.

Cloud computing deeply affects governance because it is a fast-paced, still-emerging business model built on technologies that require new types of controls and processes.

No matter the size of your organization, cloud computing is forcing governance changes that must be understood and addressed. You are either actively trying to understand, evaluate and adapt, or you are left behind and holding a bag of emerging risks with your blindfold on.

Cloud computing heavily affects governance because the cloud introduces a new business model, new technologies that require unfamiliar types of controls and processes, and new third parties into the IT ecosystem. Any of those factors might, by themselves, introduce governance changes. Still, the combination of all three requires organizations and their IT functions to realign their model to reflect the new reality.

In the next article in this series, I plan on discussing a detailed list of cloud computing complexities that you should be considering for your governance program.

Key Objectives For Cloud Security Governance

Building a cloud security governance model requires strategic-level security management competencies in combination with the use of relevant security standards and frameworks like ISO 27000 or NIST, and the adoption of a governance framework such as COBIT.

Many organizations fall short of documenting a formal governance structure and its related components before moving to the cloud. This is a big mistake, and you will end up carrying risks that your organization is blind to.

Security controls from traditional IT environments do not transfer directly to new cloud-based workloads. Using appropriate security standards and frameworks like the Cloud Security Alliance Cloud Controls Matrix is a good first step to making sure you are on the right track.

Meeting all customer and regulatory compliance requirements must be closely and carefully reviewed before moving workloads to a cloud-based environment.

A well-defined governance framework provides referential guidance and best practice across the organization for establishing a governance model for security in the cloud.

I have included key objectives that you should consider pursuing when establishing a governance model for security in the cloud.

Strategic Alignment
Ensure security investments, services, and projects in the cloud are executed to achieve established business goals (e.g., market competitiveness, financial or operational performance).

Value Delivery
Define, operationalize, and maintain an appropriate security function/organization with appropriate strategic and tactical representation, and charged with the responsibility to maximize the business value (Key Goal Indicators, ROI) from the pursuit of security initiatives in the cloud.

Risk Mitigation
Cloud security initiatives should be subject to measurements that gauge effectiveness in mitigating risk to the enterprise (Key Risk Indicators). These initiatives should also yield results that progressively demonstrate reducing these risks over time.

Effective Use of Resources
Establish a practical operating model for managing and performing security operations in the cloud, including the proper definition and operationalization of due processes, the institution of appropriate roles and responsibilities, and the use of relevant tools for overall efficiency and effectiveness.

Sustained Performance
Security initiatives in the cloud should be measurable in terms of performance, value and risk to the enterprise (Key Performance Indicators, Key Risk Indicators), and yield results that demonstrate attainment of desired targets (Key Goal Indicators) over time.


Cloud computing is a big departure from traditional IT, including virtualized data centers. As workloads are moved to the cloud, we are inevitably forced to work and operate in a new paradigm. Fully understanding the “Shared Responsibilities Matrix” sounds easy, but in reality, it is a common source of misunderstanding.

Cloud customers must implement a process to keep track of changes the cloud service provider introduces into their environment or workload and determine whether each change impacts their system, application, or workload. This concept is new to organizations arriving in the cloud computing world and is often overlooked in the beginning.

There can be a number of legislative challenges related to data, its storage, and its processing across borders. Many organizations assume that understanding how the cloud service provider replicates their data is solved simply by selecting regions in their local area. At times, it is not that simple. Keeping track of the legal issues of a distributed cloud infrastructure is a major challenge for almost every organization.


Microsoft published an exceptional article that includes some valuable information and insights that is worth your time to review.

Cyber Security Magazine published an article that does a good job outlining the importance of cloud security governance.

In this Risk Insights video, Sarah Armstrong-Smith, Chief Security Advisor, and Mark Simos, Lead Cybersecurity Architect, share some insightful information about the Microsoft Cloud Adoption Framework for Azure that I think you may find helpful in regard to cloud security governance.

Tim Layton specializes in demystifying the complexities and technical jargon associated with cloud computing security and risk management for business stakeholders across the enterprise. Tim is a cloud security thought leader defining actionable and defensible strategies to help enterprise stakeholders make risk-based decisions and prioritize investments in the new digital frontier.


Threat: Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service. (NIST 800–30)

Threat: potential cause of an unwanted incident, which can result in harm to a system or organization. (ISO 27001)

Vulnerability: Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source. (NIST 800–30)

Vulnerability: weakness of an asset or control that can be exploited by one or more threats. (ISO 27001)

Likelihood: A weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability or a set of vulnerabilities. (NIST 800–30)

Likelihood: chance of something happening. (ISO 27001)

Risk: A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. (NIST 800–30)

Risk: effect of uncertainty on objectives. (ISO 27001)

Security Controls: The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. (NIST 800–30)

Compensating Security Control: A management, operational, and/or technical control (i.e., safeguard or countermeasure) employed by an organization in lieu of a recommended security control in the low, moderate, or high baselines that provides equivalent or comparable protection for an information system. (NIST 800–30)

Impact Level: The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability. (NIST 800–30)

Residual Risk: Portion of risk remaining after security measures have been applied. (NIST 800–30)

Security Posture: The security status of an enterprise’s networks, information, and systems based on information assurance resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes. (NIST 800–30)
