These six domains contain the controls and procedures required to support a STAR environment. The model is meant to be flexible and to accommodate the different cloud deployment models, so that IT can give the organization clear guidance that promotes responsible adoption of the cloud.
Organization. Cloud services change how the organization operates. Organizations need to document the roles and responsibilities associated with their use of cloud services and train employees regularly on those protocols.
Technology. IT functions should design applications to industry security standards, encrypt data, and implement role-based access control and identity management solutions.
Data. IT functions need to classify and inventory data, assign data owners and securely purge data that is no longer required.
Operations. Policies and procedures for business continuity management (BCM) and the resiliency program should require periodic review and testing. Policies and procedures for BCM, change management and data center security should also be documented so that roles and responsibilities are formalized.
Audit and compliance. Organizations should plan and execute audits in a way that minimizes business interruption. For maximum assurance, organizations should engage a third party to perform the audit and certify the environment.
Governance. There are many cloud options from which organizations may choose, from public cloud services, to building a private cloud, to a hybrid approach. Regardless of the deployment path organizations pursue, governance processes should be scalable, repeatable, measurable, defensible and constantly improving.
Using the model as a foundation, IT functions can then create a framework to:
Assess and monitor by evaluating the organization's current risk profile and then developing a plan to address key areas of exposure.
Improve and enhance by executing remediation activities that support the plan.
Certify and comply by obtaining third-party assurance that the organization's cloud environment is secure, trusted and audit-ready.
Not that long ago, cloud computing was little more than a speck on the horizon. We heard reports of it rapidly becoming a mainstream technology, but it had yet to make a meaningful impact on our technology landscape. According to EY's Global Information Security Survey, in 2010, 30 percent of respondents indicated that their organization used or was planning to use cloud computing services. In 2011, the percentage had risen to 44 percent. By 2012, cloud computing had reached a technological tipping point: almost 60 percent of survey respondents said their organization was using or planned to use cloud computing services. And yet 38 percent of respondents said that they had not taken any measures to mitigate the risks of using cloud computing services. This disruptive technology was advancing faster than many organizations could secure it.
A more recent Forrester Research report suggests that for 73 percent of surveyed businesses in Europe and North America, security remains a major concern when considering cloud computing.
One of the first principles of improving information security is taking control of your environment. It would therefore feel counterintuitive for an organization to surrender control of its IT infrastructure and data to a third party. And yet this approach may offer the best opportunity to address increasingly complex security and privacy challenges. Rather than becoming an organization's worst security nightmare, cloud computing platforms may offer its best hope to create a more secure IT environment by strengthening controls and improving information and security capabilities.