One of the key benefits of the Software-as-a-Service (SaaS) delivery model, which many vendors are defaulting to, is its agility. That means being able to bypass typical procurement channels – fire up a browser, put in your credit card details, and hey presto! No more IT bottlenecks. Instant access to applications and data from anywhere, on any device with an internet connection. And more worryingly from the perspective of information security officers (especially those focused on cloud security), the ability to upload data directly to those cloud services.
According to a couple of recent surveys, the average organisation has between 730 [1] and 897 [2] different cloud services in use by its employees. The sheer number should concern anyone with an interest in cloud security, but particularly financial institutions. Although banks tend to have stricter Internet access rules than most other industries, they also have more at stake when it comes to protecting their information. Even so, we regularly hear anecdotes of internal groups signing contracts with SaaS providers without the involvement of IT risk.
Blanket-blocking of cloud services from the corporate network in an attempt to control access is difficult to manage given the sheer number of SaaS providers (estimates range from 3,000-10,000 globally). It can also encourage individuals to move off-the-grid, which includes using personal devices to access cloud services when in the office or using company devices to access cloud services while connected to public networks – increasing the number of blind spots for IT risk.
Within the financial industry, global regulators are also showing increasing levels of interest in cloud controls. Recent examples include the Hong Kong Monetary Authority (HKMA), who recently circulated a public cloud compliance checklist to all of its regulated entities, and the Monetary Authority of Singapore (MAS), who issued consultation papers for updating its guidelines on outsourcing with references to multi-tenancy and cloud service models.
Controlling the IT risks posed by cloud services is a complex challenge. But as cloud delivery models become more prevalent it is of paramount importance. Below are 10 key areas you should be focused on to keep your enterprise’s use of cloud services under control:
- Demand Management & Governance – How does IT manage demand and retain a secure IT environment whilst allowing the firm to take advantage of cloud applications? Who is monitoring service providers for rapid changes in security posture? How can you control access to SaaS applications outside your corporate network? Rather than blanket-blocking of SaaS applications, are you better off permitting and monitoring access to ensure appropriate usage?
- Data Security and Compliance – What data is being (or could be) transferred, processed and stored in the cloud and are there internal policy or legal obligations that the firm must comply with? What layers of security does the organisation need to add on top of the service provider’s offering in order to comply?
- Service Transparency – How transparent are the practices of the provider – hiring policy, development practices, supply chain, locations, charge reconciliation, identity and access management, service levels and service management? What audit rights does the contract allow?
- Co-Mingling – How does the provider segregate and isolate data and systems belonging to co-located customers to prevent data and operational security breaches? How does my organisation ensure internal segregation of duties and systems is retained in the cloud?
- Access Control – What authentication mechanisms are being used to access cloud-based applications and management portals to avert credential compromise? Can the service be accessed off the corporate network and, if so, is access limited? Who in the organisation is responsible for managing user access, such as revoking access when an employee leaves the organisation or periodically reviewing user entitlements? How is elevated access managed?
- Service Integration – How do internal and provider service desks dovetail? How dedicated are the provider’s service offerings? Are the service provider’s employees trained to escalate security incidents to their clients? How are we notified of changes to the service, who gets to sign them off, and who decides when they are implemented?
- Provider Loss – If the contract is cancelled or the service provider goes out of business, how does the organisation gain access to its data? How can the service be restored, either in-house or with another provider? What if the organisation loses the ability to control the application, yet it is still available to clients?
- Logging, Auditing and Monitoring – Does your SaaS provider keep audit trails of who has accessed the service, from where and from which devices? Do they log regular and elevated user activity, such as configuration changes? Will they provide this information to you and, if so, in what form? Can you actively monitor for and set alerts for unusual activity, such as authenticated users accessing the service from different geographic locations within an impossibly short space of time?
- Legal – Do the terms and conditions of the service expose the firm to any risks? Who owns the data once it is uploaded to the cloud and who has the right to reveal it to government agencies? Who is monitoring and reviewing changes in terms and conditions, which may arrive with little notice?
- Concentration Risk – Most SaaS providers sit on a small set of common IaaS providers. Who has a company-wide view on the risks to the firm if one of those IaaS providers goes down and, if your firm is also moving other applications to the same cloud, how does that fit into the bank’s wider risk profile?
Through Citihub’s Governance, Risk and Security competency we have been helping our clients answer these questions and more by developing a comprehensive set of IT controls, appropriate to the use of cloud services, along with governance frameworks for assessing and enforcing those controls across the organisation. Additionally, we have developed a set of 125 general cloud control objectives against which cloud service providers, global regulations and internal IT control catalogues can be mapped, allowing for different views on compliance coverage depending on the requirement.
We plan to shortly publish a whitepaper covering these aspects in more detail, but in the meantime we recommend reading our recent whitepaper, “MAS and AWS. How to Approach Regulatory Compliance with Public Cloud Services”.
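The “impossible travel” alert described under Logging, Auditing and Monitoring can be built from the audit trail a SaaS provider exports. The following is an added example, not Citihub’s or any provider’s code; it assumes the provider returns one JSON record per login carrying the user, an ISO-8601 timestamp and a geo-resolved latitude/longitude, and the log lines below are constructed.

```python
# Added example (not from the original post): flag "impossible travel" in
# constructed SaaS audit-log records. Assumes the provider exports one JSON
# object per login with user, ISO-8601 timestamp and geo-resolved lat/lon.
import json
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0  # faster than a commercial flight: the user cannot have travelled


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(log_lines, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, earlier_event, later_event, speed_kmh) for each pair of
    consecutive logins by the same user whose implied speed exceeds the limit."""
    events = [json.loads(line) for line in log_lines if line.strip()]
    events.sort(key=lambda e: (e["user"], e["ts"]))  # per-user chronological order
    alerts, prev = [], {}
    for ev in events:
        last = prev.get(ev["user"])
        if last is not None:
            gap = datetime.fromisoformat(ev["ts"]) - datetime.fromisoformat(last["ts"])
            hours = gap.total_seconds() / 3600
            km = haversine_km(last["lat"], last["lon"], ev["lat"], ev["lon"])
            # Same timestamp but a real distance apart is impossible too
            speed = km / hours if hours > 0 else (float("inf") if km > 1 else 0.0)
            if speed > max_speed_kmh:
                alerts.append((ev["user"], last, ev, round(speed, 1)))
        prev[ev["user"]] = ev
    return alerts


# Constructed sample records: alice logs in from London, then Singapore 40 minutes later
SAMPLE_LOG = [
    '{"user":"alice","ts":"2015-06-01T08:00:00+00:00","lat":51.5074,"lon":-0.1278,"src":"corp-vpn"}',
    '{"user":"bob","ts":"2015-06-01T08:05:00+00:00","lat":40.7128,"lon":-74.0060,"src":"home"}',
    '{"user":"alice","ts":"2015-06-01T08:40:00+00:00","lat":1.3521,"lon":103.8198,"src":"mobile"}',
    '{"user":"bob","ts":"2015-06-01T17:00:00+00:00","lat":42.3601,"lon":-71.0589,"src":"home"}',
]

if __name__ == "__main__":
    for user, a, b, speed in impossible_travel(SAMPLE_LOG):
        print(f"ALERT {user}: {a['src']}@{a['ts']} -> {b['src']}@{b['ts']} implies {speed} km/h")
```

Bob’s New York to Boston hop over nine hours stays well under the threshold, so only alice is raised; in practice the threshold and the geo-IP accuracy of the provider’s export decide the false-positive rate.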
[1] Netskope Cloud Report, April 2015
[2] Skyhigh Networks Cloud Adoption & Risk Report, Q4 2014