“Get Off My Cloud” was the third session in a six-part webinar series offered by Shared Assessments in partnership with OneTrust covering best practices in regard to Cloud Security Providers. The series, “Optimizing Your TPRM Program,” runs through July 2020 and covers a broad range of topics. The webinars are scheduled to occur once a month on Thursdays at 2:00 PM GMT, 9:00 AM ET – full listing for the series can be found here.
In “Get Off My Cloud” Kara Shirdon (Azure Application Development Specialist, Microsoft) and Fiona O’Brien (Head of Outsourcing Oversight & Governance, Bank of Ireland Group) discussed current threats, vulnerabilities and risks along with the right questions to ask Cloud Security Providers regarding maintenance, security and resilience in order to keep the cloud and risk management in check.
Shirdon started off the presentation by talking about a model called the CIA Triad, which guides information security policy within an organization. It stands for confidentiality, integrity, and availability, the three properties that any security system should be built to guarantee. She went on to explain that security in a cloud deployment is a shared responsibility between the organization and the cloud provider: the provider secures the platform, and the customer remains responsible for what it puts on the platform.
In a security partnership, each party holds different responsibilities. With on-premises software, the organization is responsible for everything: administration, applications, data, runtime, middleware, operating system, physical host, physical network, and data center. Alongside on-premises deployment there are three cloud service models that split that responsibility between the organization and the cloud provider: infrastructure as a service, platform as a service, and software as a service. The further one moves from IaaS toward SaaS, the more of the stack the provider manages, but responsibility for the organization's data, identities, and access decisions never transfers to the provider.
The next item discussed was the structure of cloud offerings. Every cloud system needs a strong and secure foundation that covers data centers, infrastructure, and operations. On top of the foundation sit controls that can be enabled depending on the solution one is building. Finally, there is a layer of unique intelligence that surrounds the whole platform. A secure foundation protects customer data, secures the hardware, and runs continuous testing throughout the system. From an infrastructure perspective, an organization needs to understand what the cloud provider does for protection at the edge (for example, encrypting data in transit or screening unwanted traffic). It is also important to confirm that IP and isolation controls are in place: controls that keep tenant traffic isolated and that encrypt traffic between regions by default. A practitioner should ask the provider to show where these are documented rather than assume they are enabled.
Next, Shirdon talked about built-in controls covering identity, data protection, network security, threat protection, and security management. All of these are capabilities the cloud service provider should offer and operate for an organization. The larger cloud service providers also run marketplaces of add-on applications and services that integrate with the provider's own offerings, which lets organizations extend the technologies they are already using on the platform.
To conclude the webinar, Shirdon went over a few final recommendations. The first was to evaluate security recommendations in the context of a specific workload: pick something running in the cloud and look at each of its components, in context, to see what protection is available for it. The second was to use the online documentation published by the specific cloud provider rather than relying on general assumptions. She wrapped up the presentation by emphasizing the importance of confidentiality, integrity, and availability.
A recording of this session is available in our webinar archive.