The basic problems of security management and enterprise risk control in cloud computing

Source: Internet
Author: User
Keywords: Cloud

In cloud computing, effective security management and enterprise risk control derive from a well-developed information security governance process, which is part of the organization's overall enterprise governance responsibility. A well-developed information security governance process makes the organization's information security management scalable, repeatable, measurable, sustainable, defensible, and cost-effective.

The basic issues of security management and enterprise risk control in cloud computing concern identifying and implementing the appropriate organizational structures, processes, and controls to maintain effective information security governance, risk management, and compliance. Organizations should also ensure that, in any cloud deployment model, appropriate information security exists throughout the information supply chain, including the providers and users of cloud computing services and their supporting third-party vendors.

Security Governance Recommendations

Part of the cost savings from cloud computing services must be invested in improving the security capabilities of the provider, applied security controls, and ongoing detailed assessments and audit checks to ensure that the requirements are continuously met.

Regardless of the service or deployment model, the users and providers of cloud computing services should develop robust information security governance. Information security governance should be coordinated between users and providers so that they share the consistent goal of supporting the business mission and information security procedures. The service model may shape the roles and responsibilities defined in collaborative information security and risk management (based on the respective control held by users and providers), and the deployment model may define responsibilities and expectations (based on risk assessment).

User organizations should include a review of the provider's specific information security governance frameworks and processes, and of its specific information security controls, as part of due diligence on a prospective provider. The adequacy, maturity, and continuity of the provider's security governance processes and capabilities should be evaluated. The provider's information security controls should be risk-based and should clearly support these governance processes.

A collaborative security governance structure and process between users and providers is necessary, both in the design and development of service delivery and in risk assessment and risk management agreements, and should then form part of the service agreement.

The security department should be involved in establishing service level agreements (SLAs) and contractual obligations, to ensure that security requirements are enforceable at the contractual level.

Before migrating to the cloud, metrics and standards for measuring the performance and effectiveness of information security management should be established. At a minimum, organizations should understand and document their current metrics and how these will change as they move to the cloud, since cloud providers may use different (and potentially incompatible) metrics.

Wherever possible, all service level agreements (SLAs) and contracts should include security metrics and standards (especially those related to legal and compliance requirements). These standards and metrics should be documented and provable (auditable).

Enterprise Risk Control Recommendations

As with any new business process, it is important to follow risk management best practices. These practices should match the specific use of cloud services, which may range from incidental and ad hoc data processing to critical business processes handling highly sensitive data. A comprehensive discussion of enterprise risk control and information risk management is beyond the scope of this guide; the following are cloud-specific recommendations that can be integrated into existing risk management processes.

Because many cloud computing deployments lack physical control over the infrastructure, service level agreements (SLAs), contract requirements, and provider documentation play a greater role in risk management than they do with traditional enterprise-owned infrastructure.

Traditional forms of auditing and assessment may not be applicable, or may need to be changed, because of the availability and multi-tenant characteristics of cloud computing. For example, some providers restrict vulnerability assessment and penetration testing, while others limit the availability of audit logs and real-time monitoring data. If these are required by internal policy, it is necessary to look for alternative assessment methods, specific contractual disclaimers, or alternative providers that are better aligned with the organization's risk management requirements.

For the organization's key functions that use cloud services, the risk management methodology should include: identification and valuation of assets; identification and analysis of threats and vulnerabilities and their potential impact on assets (risk and incident scenarios); analysis of the probability of events/scenarios; risk acceptance levels and criteria approved by management; and the development of risk treatment plans with multiple options (control, avoidance, transfer, acceptance). The output of the risk management plan should become part of the service contract.

The provider's and user's risk assessment methodologies should be consistent, with consistent impact analysis criteria and probability definitions. Users and providers should jointly develop risk scenarios for cloud services, and these should be reflected both in the design of the provider's service to the user and in the user's risk assessment of the cloud service.

The asset inventory should account for assets that support cloud services and are under the provider's control. The asset classification and valuation schemes of users and providers should be consistent.

Providers and their services should be the subject of risk assessment. The use, service, and deployment models of cloud services should be consistent with the organization's risk management objectives and business objectives.

If a provider cannot demonstrate a comprehensive and effective risk management process for its services, the user should evaluate the provider in more detail and determine whether the user's own capabilities can compensate for potential gaps in the provider's risk management.

Users of cloud services should ask management whether the risk tolerance and acceptable residual risk for cloud services have been defined.

Information Risk Management Recommendations

Information risk management (IRM) is the discipline of identifying exposure to risk and managing it according to the risk tolerance of the data owner. It is therefore the primary decision-support method for information technology resources designed to protect the confidentiality, integrity, and availability (CIA) of information assets.

A risk management framework model is used to evaluate IRM, and a maturity model is used to evaluate the effectiveness of the IRM model.

Establish appropriate contractual requirements and technical controls to gather the data needed for information risk decisions (e.g., information usage, access controls, security controls, location).

Use the process to identify risk exposures before developing cloud project requirements. Although the categories of information needed to understand exposure and management capability are fairly generic, the actual metrics collected are specific to the cloud computing SPI model and can be collected per service.

When using SaaS, the vast majority of information is provided by the service provider. The organization should develop a process for collecting this information and make its analysis a contractual responsibility within the SaaS service contract.

When PaaS is used, establish information-gathering capabilities similar to those described for SaaS above. Where possible, include the ability to deploy controls and gather information from them, and establish contract terms for testing the effectiveness of those controls.

When using an IaaS service provider, build the information transparency required for risk analysis into the contract.

Cloud service providers should include metrics and controls that help users meet their information risk management needs.

Third-Party Management Recommendations

Users should view cloud services and their security as a supply chain security issue. This means examining and assessing the provider's supply chain (the service provider's relationships and dependencies) to the extent possible. It also means examining the provider's own third-party management.

The assessment of third-party service providers should specifically address the providers' policies, processes, and procedures for incident management, business continuity, and disaster recovery, and should include a review of shared sites and backup facilities. It should also include a review of the provider's internal assessment of compliance with its own policies and procedures, and an assessment of the provider's metrics for reporting on the performance and effectiveness of its controls in these areas.

The user's business continuity and disaster recovery plans should include scenarios in which the provider's services fail, as well as failure scenarios for the provider's third-party services and third-party dependencies. Testing of this part of the plan should be coordinated with the cloud provider.

A comprehensive assessment of the provider's information security governance, risk management, and compliance structures and processes should include the following:

Require documentation that clearly describes how the risks of facilities and services are assessed, how control weaknesses are audited, how frequently assessments are performed, and how control weaknesses are mitigated in a timely manner.

Require a definition of what the provider considers the key success factors for service and information security, the key performance indicators (KPIs), and how these are measured in relation to IT service and information security management.

Review the provider's process for identifying, assessing, and communicating the overall adequacy of its legal, regulatory, industry, and contractual requirements.

Conduct due diligence on the entire contract or terms of service to determine roles, responsibilities, and accountability. Ensure a legal review is performed, including an assessment of whether local contract terms and laws remain enforceable in foreign or out-of-state jurisdictions.

Determine whether the due diligence requirements cover all significant aspects of the cloud provider relationship, such as the provider's financial position, reputation (e.g., reference checks), controls, key personnel, disaster recovery planning and testing, insurance, communication capabilities, and use of subcontractors.

Summary

As cloud computing becomes a viable and cost-effective approach to whole systems, and even to outsourcing entire business processes, security management and enterprise risk control for cloud applications need to be placed on the corresponding agenda. In the cloud, effective security governance and enterprise risk control derive from a well-developed information security governance process, which is part of the organization's overall enterprise governance responsibility. A well-developed information security governance process makes the organization's information security management scalable, repeatable, measurable, sustainable, defensible, and cost-effective.
