How Can FIs Craft an Effective Framework for Cloud Security?
Hamit notes that in many cases, cloud solutions may outpace traditional security solutions. “More often than not,” he says, “cloud providers offer security controls that may even surpass what is feasible or practical in a traditional on-premises environment.”
This provides a solid starting point for FIs making the move, and Hamit offers some advice on how to best apply cloud security solutions to existing frameworks. “There’s no need to re-create the wheel when it comes to crafting a framework for cloud security,” he says. “There is a wealth of authoritative resources available online that can readily assist an organization that might be looking for a place to start. For example, the Cloud Security Alliance has a number of guides and frameworks crowdsourced by experts that can help to assess cloud security, assist with appropriate selection of controls, and aid an organization in delineating responsibilities between the customer and cloud providers.”
He also points to the need for trained and experienced staff. “Organizations should strongly consider investing in training for staff,” he says. “Trying to figure things out on the fly is never a good idea, especially when there are potentially serious security ramifications. Many cloud providers offer training programs and on-demand courses that are excellent for cloud-specific platforms. For a more holistic view of foundational cloud computing principles that have broader application, ISACA offers a Cloud Fundamentals certificate program that teaches and validates a learner’s comprehension of essential skills.”
What Tools Can Be Included in This Cloud Security Framework?
First up are solutions that help eliminate manual processes. “Automating repeatable tasks can improve cloud security posture by eliminating manual touchpoints that lead to human error,” says Hamit. “Using tools like Azure Automation will ensure that infrastructure in the cloud conforms to defined standards and simplifies ongoing management, enabling IT staff to spend time on more impactful tasks.”
He also highlights the role of built-in cloud tools offered by providers. “Even in SaaS environments, cloud providers often provide integrated tools that IT and information security can leverage to take some of the guesswork out,” he says. “For example, Microsoft Secure Score provides a score, as the name suggests, that gives the organization a view into its security posture in Microsoft 365, along with specific recommendations across a multitude of risk vectors. Another popular SaaS platform, ServiceNow, offers a similar capability in its Instance Security Center, where an organization can view important security events and monitor its Daily Compliance Score relative to instance hardening guidelines and best practices.”
When it comes to making the cloud move and securing key resources, Hamit puts it simply: “Going all-in when it comes to cloud shouldn’t be the time when organizations are evaluating cloud security. It should be treated like any other risk when evaluating vendors and understanding the implications to security architecture and data flows.”