Like many organizations, Sabre Corp. has seen expanding internal use of cloud services. Starting with its SAP-based employee system a few years ago, Sabre, which provides technology services to the travel industry, has gradually migrated key applications to the cloud, including project management and enterprise software.
The biggest challenges CISOs face in these environments have to do with a loss of visibility, a lack of standards for evaluating cloud GRC (governance, risk management and compliance) and a failure by employees to perform due diligence when migrating critical enterprise applications and data to the cloud.
Sabre's philosophy through the transition has been to allow the departments that need cloud functionality to make their own choices, according to Bob Prevenslik, director of software development for the company's security systems. All departments signing up for cloud services still have to use Sabre's centralized employee ID management system for provisioning, however, thereby ensuring strong authentication and access control.
"When we started going to the cloud primarily, in the first iteration, you had to be on network to go to [services]," Prevenslik said.
Over the years, the company has added VPN access and, more recently, token-based multifactor authentication to ensure proper authentication to cloud assets for travelling and remote workers.
"All our employee identity stores are centralized in one point. So even if a department were to select a cloud provider on its own, to use the service, they are required to use the master employee identity store," Prevenslik added.
This kind of a centralized approach has helped Sabre mitigate a lot of the risk associated with the growth of unsanctioned cloud use in the enterprise. But Sabre is the exception.
Most cloud procurement that has taken place over the past few years has been highly decentralized in nature and involved little to no IT or policy oversight, Jim Reavis, co-founder and CEO of the Cloud Security Alliance, maintained. As a result, many organizations are struggling to gain an understanding of the extent of cloud services in their environments and the cloud data governance structure to implement around that use. With little in the way of enterprise frameworks for integrating cloud assets, the CSA provides a suite of free resources -- including a Cloud Controls Matrix and Consensus Assessments Initiative Questionnaire -- in its cloud GRC Stack, which can help enterprises navigate controls and regulations.
"The IT function within these organizations, whether they want to or not, is being pushed to accelerate cloud adoption," Reavis said. "You have to go cloud first and rule out whether cloud is suitable before you can go further."
Ensuring that cloud GRC goals are met in such an environment "is sort of like building the runway while the plane is taking off," Reavis said.
A lot of the cloud adoption in organizations has happened in an organic fashion with little to no IT involvement and even less policy oversight. So in many cases, the security, policy and governance measures you implement will be somewhat retroactive in nature, notes Chris Pogue, CISO at Nuix, a company that develops software for extracting business value from unstructured data.
The key is to tread lightly.
"You just have to show people that you honor the past," Pogue maintained. "Say that you understand how the organization got here organically and tell them, 'Here's how you can start to move to a place where we can enable you to do your job better and offer you the best protection.'"
This is a situation where the ability to quantify risk can be a huge help in getting decision makers to adopt needed controls.
"If the value liability analysis shows [a cloud vendor] really matters to the business but the control assessment shows there isn't enough due diligence, being able to quantify that exposure in dollars and cents can be very effective," Jack Jones, founder and chairman of the FAIR Institute, said. The non-profit organization is focused on helping enterprises measure and manage information risk using the Factor Analysis of Information Risk framework, which Jones -- the executive vice president of research and development at cyber risk management software company RiskLens -- created.
Generally, most people are amenable when it comes to security, privacy and compliance obligations and are willing to implement change if they can continue using something they really require.
"You don't want to come down with a hammer on day one because that doesn't give you an escalation," Jones said.
Enable more visibility
One of the first steps that organizations can take toward achieving cloud GRC goals is getting a handle on the scope and the nature of services that are being used across their environments. Enterprises on average use 841 cloud applications, about 20 times more services than estimated by the average IT organization, according to the "First Half 2016 Shadow Data Threat Report," published by research company Blue Coat Elastica Cloud Threat Labs in July.
"Closing the gap between perception and reality is really important," Reavis said.
It is simply not possible to perform due diligence or to prioritize cloud data governance activity without first discovering all of the sanctioned and unsanctioned cloud applications and services running in your environment, Reavis added.
Be realistic about what you can negotiate
The contracts you negotiate with your vendor can be a useful vehicle for ensuring compliance with your cloud GRC (governance, risk management and compliance) goals. But be realistic about just how much customization you can get in your service-level agreements.
When he was the CISO of one services organization, FAIR Institute chairman Jack Jones negotiated a deal under which the institution had an individual placed at the cloud vendor's location to ensure the vendor was following proper security processes.
"That was an exceptional case and a dream," he recalled. But there are many other reasonable steps you can take to ensure proper cloud data governance.
If you can't get the service availability and redundancy assurances that you require from one cloud service provider, consider switching or using multiple vendors, Jim Reavis, co-founder and CEO of the Cloud Security Alliance, said. "We find that a lot of customization in contracts either ends up being really expensive or the cloud cannot provide it."
IT organizations must shed rigid, appliance-oriented architectural concepts when it comes to dealing with cloud vendors, Reavis maintained.
"They need to start thinking about the world in a more virtual sense -- and think about supporting a more flexible governance model -- and about cloud providers being interchangeable."
Numerous tools are available for discovering the cloud applications and services in use, including egress-filtering technology, secure web gateways and cloud access security brokers. Vendors offering tools include Bitglass, Blue Coat Systems, CipherCloud, Imperva Skyfence and Microsoft Cloud App Discovery.
It isn't enough to merely discover all the cloud applications and services that are used across your organization. It's equally important to sift through the portfolio and identify the services security needs to care about the most.
One approach is to evaluate the value and potential liabilities of the cloud service provider to your organization. How reliant is the enterprise on that one vendor?
"If the provider goes down, is that a doomsday scenario or just mildly painful?" Jones asked.
What kind of access does the third party have to your networks?
"Maybe they are a vertical provider and maybe they are holding a bunch of sensitive information, but are they directly connected to your core?" Jones, who spent 10 years in the trenches as CISO at Huntington Bank, CBC Companies and Nationwide Insurance, asked. It's only by doing this sort of value and risk analysis, he added, that an organization can begin to prioritize its cloud GRC objectives.
Evaluate the data risks
Understand the risks to your business from all the data that is being stored, accessed and shared in the cloud, Joe Pindar, director of product strategy and chief technology officer of data protection at security vendor Gemalto, stressed.
In July, the Ponemon Institute published The 2016 Global Cloud Data Security Study, an independent survey -- commissioned by Gemalto -- of 3,400 technology and security professionals. More than half of the respondents did not have measures for complying with privacy and security requirements in the cloud.
To figure out which security controls to implement, CISOs first need to know what types of data employees are putting in the cloud -- sensitive information, which requires greater protection, or critical assets, which necessitate availability.
"Different parts of the business will have different opinions on what is business-critical data," Pindar said. For instance, to a sales organization, customer data is of critical importance; for the accounting department, it is the financial data. For an HR department, though, it could be employee information.
"Someone from IT can't make that decision for the business," Pindar added.
Once senior management and line of business managers reach those data classification decisions, the CISO, in conjunction with the IT organization, needs to understand the data that is required for different business functions. Then they implement the appropriate data protection and access controls.
Assess your cloud vendor's risk management
Information asymmetry is another issue when dealing with cloud vendors, according to the FAIR Institute's Jones. Despite your best vetting efforts, there always will be a certain degree of uncertainty associated with a cloud provider's actual security controls and their ability to detect, respond to, manage and mitigate security incidents.
It's essential to know the right questions to ask. Instead of inundating the cloud vendor with hundreds of yes-or-no questions like many organizations do, it is far better to focus on inquiries that can give you a thorough understanding of how a cloud provider is positioned from a risk-management perspective. For instance, how much risk is a vendor willing to legally accept?
"You really have to understand what your cloud vendor's commitment to risk management is and how that is articulated in their contract," Pogue said. "What is a security incident in their mind? How are they addressing data breaches and disclosure of breaches?"
Organizations need to get this information upfront -- and in writing -- to avoid gray areas.
"Are they saying if something happens, they will tell you right away?" Pogue asked. "What is their tipping point? Do they have appropriate control mechanisms to defend, detect, respond and recover?"
Make sure that the vendor's risk management, and how it is articulated in the contract, doesn't negate compliance or other agreements.
Choose the right technology controls
Cloud computing is a new way of buying IT infrastructure. In most cases, the computers running your applications and data are not your own. Traditional perimeter-focused enterprise security models just don't work in these environments. The focus therefore has to be on data-level protections.
At a technology level, that means ensuring that your essential business data in the cloud is encrypted at all times regardless of whether it is at rest, in use or in transit, according to CSA's Reavis. It's important to verify what level of encryption the cloud service provider supports and the processes they have for managing your data through its lifecycle, from creation to deletion and destruction of the data. That includes ensuring proper data segregation in the cloud, restricting access to the data based on role, and tracking and monitoring all access.
Mature identity management and user authentication capabilities are critical to ensuring that only authorized people have access to business data in the cloud.
"Sometimes the cloud is too easily implemented, so you need to make sure not to drop the ball," Sabre's Prevenslik said. "That is why we keep our centralized identity management."
From a strategic perspective, the issue boils down to who can access your data, how you control that access and how you protect that data while it is being used, stored, transmitted and shared.
"It is important that the cloud provider shows they have an adequate governance program themselves and they have been through recognizable standards like PCI and ISO," Reavis said. Audits may be necessary in the case of smaller providers that may not have such certifications.
The cloud GRC obligations for enterprises that must comply with Payment Card Industry rules are likely different from the cloud data governance structures associated with the Health Insurance Portability and Accountability Act, the Federal Information Security Management Act or the Financial Industry Regulatory Authority. But according to Pogue, "At the end of the day, the cloud just means you are using someone else's infrastructure."
The key thing to remember is that, when something bad is happening, you should not be left asking questions of your cloud vendor. You should be getting answers from them.