Note: This blog post originally appeared on the SecureState blog.
Through regular discussions with a client in the utilities industry, the director of security at a large utilities provider approached SecureState with a problem. The CIO had decided to move a number of the company’s core applications to the cloud and needed their security requirements for this project within two weeks. The utility already had security requirements in place for traditional third-party vendors; however, these requirements were not a good fit for the cloud services the company was looking to adopt.
Unlike traditional third-party solutions, where the vendor is responsible for all or most of the security controls, in the cloud there are often cases where the client is responsible for managing and maintaining key security controls. For example, if a company was hosting a home-grown application at a PaaS (Platform as a Service) provider, the client would generally be responsible for the security of the application itself, while the PaaS provider would be responsible for securing the platform and infrastructure supporting the application. It is critical to clearly outline who is responsible for which component and to have requirements which provide the desired level of security while being flexible enough to fit these different service models.
Building a Framework:
To assist with this, SecureState created a program to review, approve and manage these cloud providers. The program was built around a SecureState-developed Cloud Security Framework (CSF). To develop this framework, SecureState met with stakeholders to gather business, technical and security requirements. SecureState also looked at the regulatory requirements related to the data that would be stored and processed by cloud providers. The framework leveraged the utility company’s existing security policies, procedures and standards while adding requirements specific to cloud computing environments. To ensure the requirements were flexible enough to apply to the various cloud models and use cases, they were broken down by the type of cloud service used and by the classification of the data processed and/or stored by the provider.
Once the framework was completed SecureState met with executives at the organization to review the CSF. During this meeting we conveyed the importance of the framework to the business and outlined how the company should align to the new framework. Once we received executive management buy-in, the framework was adopted for use by all lines of business moving services to the cloud, not just IT. This provided the company with a unified approach to managing the security of cloud services, thus ensuring all corporate data moved to the cloud was appropriately secured.
Managing the Security of Cloud Services:
The director of security also needed to develop processes to prioritize, review and track which cloud services were approved for use.
The utility company also needed a program to manage and track what data was being stored and/or processed by these cloud services. Without a robust program in place, the security department would quickly lose control of where their sensitive data was stored and which vendors had been approved or denied. So, SecureState used our vendor management solution methodology to develop a program to review, approve and manage the cloud service providers. This solution allowed the client to enter requests to have potential cloud service providers reviewed. Once a provider is entered for review, a questionnaire is generated based on the type of cloud service used and the data stored and/or processed by that provider. This questionnaire is then sent to the point of contact at the cloud service provider to gather information on what security controls are present in their environment. Once the questionnaire is complete, SecureState works with the cloud service provider and the client to map the cloud service onto the CSF. To ensure the lines of responsibility are clearly defined, each requirement in the CSF is assigned to either the cloud service provider or the client. During this review process SecureState enumerates the risks posed by the proposed solution and outlines where the solution does not meet the CSF. Using this information, the utility’s security group can determine whether the new solution poses an acceptable level of risk, whether it should be rejected, or whether additional controls need to be added to the design.
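The review step described above (questionnaire generated from service model and data classification, each requirement assigned to provider or client, gaps enumerated for the risk decision) can be modelled in a few dozen lines. The following is an added illustration, not SecureState's vendor management tool or the utility's actual CSF: the requirement list, the four-level classification scheme, the per-service-model ownership table and the decision rule are all constructed for this example.

```python
"""Toy model of a cloud-provider review against a Cloud Security Framework.

Added example, not code from SecureState or the utility. The requirements,
classification levels, ownership assignments and decision rule below are
hypothetical and exist only to show the mechanics of the process.
"""
from dataclasses import dataclass

SERVICE_MODELS = ("IaaS", "PaaS", "SaaS")
# Constructed classification scheme, ordered from least to most sensitive.
CLASSIFICATIONS = ("Public", "Internal", "Confidential", "Restricted")


@dataclass(frozen=True)
class Requirement:
    id: str
    text: str
    min_classification: str  # requirement applies at this level and above
    owner: dict              # service model -> "provider" | "client" (hypothetical)


# Constructed sample of CSF-style requirements with hypothetical ownership.
CSF = [
    Requirement("CSF-01", "Physical security of hosting facilities", "Public",
                {"IaaS": "provider", "PaaS": "provider", "SaaS": "provider"}),
    Requirement("CSF-02", "Operating system patched within 30 days of release", "Internal",
                {"IaaS": "client", "PaaS": "provider", "SaaS": "provider"}),
    Requirement("CSF-03", "Application-layer vulnerability testing", "Internal",
                {"IaaS": "client", "PaaS": "client", "SaaS": "provider"}),
    Requirement("CSF-04", "Data at rest encrypted with client-managed keys", "Confidential",
                {"IaaS": "client", "PaaS": "client", "SaaS": "provider"}),
    Requirement("CSF-05", "Independent audit report provided annually", "Confidential",
                {"IaaS": "provider", "PaaS": "provider", "SaaS": "provider"}),
    Requirement("CSF-06", "Data residency limited to approved jurisdictions", "Restricted",
                {"IaaS": "provider", "PaaS": "provider", "SaaS": "provider"}),
]


def applicable_requirements(service_model, classification):
    """Requirements triggered by this service model and data classification."""
    if service_model not in SERVICE_MODELS:
        raise ValueError(f"unknown service model: {service_model}")
    if classification not in CLASSIFICATIONS:
        raise ValueError(f"unknown classification: {classification}")
    level = CLASSIFICATIONS.index(classification)
    return [r for r in CSF if CLASSIFICATIONS.index(r.min_classification) <= level]


def responsibility_matrix(service_model, classification):
    """Which party owns each applicable requirement under this service model."""
    matrix = {"provider": [], "client": []}
    for r in applicable_requirements(service_model, classification):
        matrix[r.owner[service_model]].append(r.id)
    return matrix


def generate_questionnaire(service_model, classification):
    """Questions sent to the provider: only the controls the provider owns."""
    return [(r.id, f"Is the following control in place: {r.text}? (yes/no)")
            for r in applicable_requirements(service_model, classification)
            if r.owner[service_model] == "provider"]


def enumerate_gaps(service_model, classification, provider_answers, client_controls):
    """List every applicable requirement that is not met, with its owner.

    provider_answers: {requirement id: bool} from the completed questionnaire.
    client_controls: set of requirement ids the client already implements.
    An unanswered provider question counts as not met (fail closed).
    """
    gaps = []
    for r in applicable_requirements(service_model, classification):
        owner = r.owner[service_model]
        met = provider_answers.get(r.id, False) if owner == "provider" else r.id in client_controls
        if not met:
            gaps.append({"id": r.id, "owner": owner, "requirement": r.text})
    return gaps


def review_outcome(gaps):
    """Hypothetical decision rule mirroring the three outcomes in the text."""
    if not gaps:
        return "approve"
    if all(g["owner"] == "client" for g in gaps):
        return "approve with additional client controls"
    return "risk decision required: provider-owned gaps"


if __name__ == "__main__":
    # Constructed request: a home-grown app on PaaS handling Confidential data.
    for qid, question in generate_questionnaire("PaaS", "Confidential"):
        print(qid, question)
    answers = {"CSF-01": True, "CSF-02": True, "CSF-05": False}
    gaps = enumerate_gaps("PaaS", "Confidential", answers, {"CSF-03"})
    for g in gaps:
        print(f"GAP {g['id']} ({g['owner']}): {g['requirement']}")
    print(review_outcome(gaps))
```

The point the data model makes is the one in the text: the same requirement (for example patching) lands on different parties depending on the service model, and the questionnaire only asks the provider about controls the provider owns; client-owned controls are checked against what the client has actually deployed, and a blank answer is treated as a gap rather than a pass.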
Leveraging our diverse knowledge and existing technology, SecureState was able to quickly eliminate the client’s problem. This enabled the client to quickly respond to the needs of the business while minimizing the risks of moving core applications to a cloud environment. The solution provided by SecureState not only allowed for cloud vendors to be quickly and easily reviewed, but also provided a program to manage cloud services used by the client to ensure corporate information stored in house or in the cloud is protected equally.