Security management and enterprise risk control in cloud computing

Source: Internet
Author: User
Keywords: security provider, information security, enterprise risk

In cloud computing, effective security management and enterprise risk control grow out of a well-developed information security governance process, and they deserve attention as a matter of enterprise-wide security governance. This paper offers advice and suggestions on security management, enterprise risk control, and information risk management in cloud computing.

A well-developed information security governance process enables the organization's information security management processes to be scalable, repeatable, measurable, sustainable, defensible, and cost-effective.

The basic issues of security management and enterprise risk control in cloud computing concern identifying and implementing the organizational structures, processes, and controls needed to maintain effective information security governance, risk management, and compliance. Organizations should also ensure that, in any cloud deployment model, appropriate information security is maintained throughout the information supply chain, including the providers and users of cloud computing services and their supporting third-party vendors.

Security Management Recommendations

Part of the cost savings from cloud computing services must be reinvested in improving the provider's security capabilities, in the security controls applied, and in ongoing detailed assessments and audits to ensure that requirements are continuously met.

Regardless of the service or deployment model, both users and providers of cloud computing services should develop robust information security governance. Users and providers should coordinate their governance to pursue the consistent goal of supporting the business mission and information security procedures. The service model determines how roles and responsibilities are divided in collaborative information security and risk management (based on the respective control held by users and providers), and the deployment model may define responsibilities and expectations (based on risk assessment).

As part of due diligence on prospective providers, user organizations should review the provider's specific information security governance frameworks and processes, as well as its specific information security controls. The adequacy, maturity, and continuity of the provider's security governance processes and capabilities should be evaluated. The provider's information security controls should be risk-based and clearly support these governance processes.

A collaborative security governance architecture and process between users and providers is necessary, both for the design and development of partial service delivery (services IBuySpy) and for risk assessment and risk management agreements, which should then become part of the service agreement.

The security department should be involved in establishing service level agreements (SLAs) and contractual obligations, so that security requirements are enforceable at the contractual level.

Before migrating into the cloud, metrics and standards for measuring the performance and effectiveness of information security management should be established. At the very least, organizations should understand and document their current metrics and how these will change as they move into the cloud, since cloud providers may use different (and potentially incompatible) metrics.

Wherever possible, all service level agreements (SLAs) and contracts should contain security metrics and standards, especially those related to legal and compliance requirements. These standards and metrics should be documented and provable (auditable).

Enterprise Risk Control Recommendations

As with any new business process, it is important to follow risk management best practices. These practices should match the specific uses of cloud services, which may range from incidental, ad hoc data processing to critical business processes that handle highly sensitive data. A comprehensive discussion of enterprise risk control and information risk management is beyond the scope of this guide; the following are cloud-specific recommendations that can be integrated into existing risk management processes.

Because many cloud computing deployments lack physical control of the infrastructure, service level agreements, contract requirements, and provider documentation play a more important role in risk management than they do for traditional enterprise-owned infrastructure.

Traditional forms of auditing and evaluation may not be applicable, or may need to be changed, because of the availability and multi-tenant characteristics of cloud computing. For example, some providers restrict vulnerability assessment and penetration testing, while others limit the availability of audit logs and real-time monitoring data. If internal policy requires these, it is necessary to look for alternative assessment methods, specific contractual exceptions, or alternative providers that are more consistent with the organization's risk management requirements.

For the key organizational functions that use cloud services, the risk management methodology should include identification and valuation of assets; identification and analysis of threats and vulnerabilities and their potential impact on assets (risk and event scenarios); analysis of the probability of those events/scenarios; risk acceptance levels and criteria approved by management; and development of risk treatment plans covering the available options (control, avoidance, transfer, acceptance). The outcome of the risk management plan shall form part of the service contract.

The provider's and user's risk assessment methodologies should be consistent, as should their impact analysis criteria and probability definitions. Users and providers should jointly develop risk scenarios for cloud services, and these scenarios should be embedded both in the design of the provider's service to the user and in the user's risk assessment of the cloud services.

The asset inventory should include the assets that support cloud services and are under the provider's control. The asset classification and valuation schemes of users and providers should be consistent.

Providers and their services should themselves be subjects of risk assessment. The service and deployment models used for cloud services should be consistent with the organization's risk management objectives and business objectives.

If a provider cannot demonstrate a comprehensive and effective risk management process covering its service, the user should evaluate the vendor in detail and determine whether the user's own capabilities can compensate for potential gaps in the provider's risk management.

Users of cloud services should ask management whether the risk tolerance and acceptable residual risk for cloud services have been defined.

(Responsible editor: The good of the Legacy)
