Cloud Risk Management
The InfoSec Consulting Series #1
By Jay Pope
Cyber security is increasingly important in every industry but, in recent years, significant improvements in technology and services coupled with the change programmes designed to integrate new products mean that finance organisations have become a popular and attractive target for cybercriminals. The volume of classified data that needs to be controlled is constantly on the increase. Electronic transactions including payments, receipts and transfers are part of everyday life. The data that is used must be processed and then stored in a format that can be protected. There are strict regulations around secure transactions, the capture and storage of payment data, and, especially since the introduction of the GDPR, the use and storage of the personal information that accompanies payment data needs to be protected. In this article, I’m going to discuss a few key security aspects that may help you to initiate your Cloud risk management programme with a better chance of success.
Cloud First or Cloud Only?
The underlying philosophy of cloud-first is that organisations must initially evaluate the stability of cloud computing to address emergent business requirements before considering other alternatives. The primary benefits stem from the ability to leverage a wide range of services without having to make a major investment in physical infrastructure. This can strengthen business agility, lower costs, reduce complexity, accelerate speed to market, and streamline business operations. It will also create a next-generation IT infrastructure that is much more service-oriented than before, which can position the organisation to be more innovative and responsive to future customer and workplace needs. In many Organisations, a “cloud-first” approach has morphed into a “cloud-only” approach. In other words, by focusing solely on the cloud, many IT decision makers are ignoring the alternatives, such as on-premises deployments. Sometimes though, an on-premises deployment would be the better choice.
What’s Your Strategy?
Using architectural framework governance alongside a well-defined Cloud Risk Management Strategy will not only define the risk management approach needed for the programme, but when it’s well defined, the flow down of appropriate security requirements needed to underpin the decision support on candidate options will be much more accurate, empowering technical delivery stakeholders to execute their change plans with confidence.
One common reason for the absence of a new cloud risk management strategy is that the old security policies that supported the legacy operating model are carried forward into the new operating model. Unfortunately, the risk position has changed significantly and with new ways of working, changes in assets, techniques, technology, risk owners, and data regulations mean that the risk management strategy should be refreshed as well. If it isn’t refreshed then eventually it will lead to a situation where the technical delivery begins to stagnate or slow down as risk-based decision support dries up, and then the security stakeholders are viewed as blockers. To avoid this flow of events, some upfront rigour is needed with a good detailed Cloud Risk Management Strategy that relates organisational risk appetite to departmental risk tolerance, and security requirements.
Some Critical Elements
As with Security Culture in general, a Cloud Risk Management Strategy is of course nothing without executive sponsorship, so it is critical that it has an Executive mandate. The contents will vary depending on the Organisation, but as a minimum it should include some of the following elements:
- Business Impact Statements – These define the level of impacts that can be used in quantitative Risk Assessments;
- Classification Policy – Often assumed but there are still Organisations out there that do not even have a documented Classification Policy;
- Security Grading Guide & Security Clearance Guide – These ‘Security Aspects’ for the Transformation Programme need to be broken down into individual ‘aspects’ and communicated to all suppliers and service providers;
- Reportable Security Conditions – Usually included with the Security Aspects, this document categorises programme related security incidents, and how they should be reported to the Client Organisation;
- Risk Management Strategy – The Risk Management Strategy sets out the Governance and provides guidance on how to Risk Manage the Transformation Programme, it may include:
- The Risk Assessment method to be used;
- The Executive Board’s Security Risk Appetite Statement (1 for each domain or phase of development), and how the risk appetite translates into risk tolerance boundaries;
- Risk Assessment Parameters and the organisation’s specific threat vectors;
- Governance processes, risk escalation routes, and ToRs for the forum in which risk decisions will be made;
- Definition of appropriate control frameworks to be used;
- Strategy for Defence in Depth controls application;
- Managing Supplier Risks
- DevSecOps Policy – Should include the development pipeline anticipated to support the change and development of the cloud services, along with associated processes for essential manual and automated security hooks and checks, although this may also be somewhat guided by tooling choices;
- Cyber Defence Policy – Should describe the tooling and the method of how the Organisation will monitor and sustain cyber defence during the transformation.
- Incident Management Policy – Describes the named roles and responsibilities and clear procedures for Incident Management of varying categorisations of Incident.
- Security Schedules to Contracts – Often overlooked, but probably one of the most important artefacts is a standardised set of Security Contract Schedules that set out the Organisations requirements according to the ‘shared responsibility model’. It may be useful to have one for each service use case; E.g. A common set of requirements for Delivery Partners, one for SaaS contracts, another for IaaS, PaaS, XaaS, and one for miscellaneous service providers.
Repeatable & Consistent Technical Risk Assessment
It is probable that a Cloud First Transformation will involve a high number of ‘Assurance Targets’ or technical changes that will need to be risk assessed. It therefore follows that an appropriate Technical Risk Assessment method must be used. It should enable the assessment of technical risks set against a realistic context, it should be consistent and repeatable. Technical Risk Assessments will also help develop the DevSecOps pipeline and be useful when identifying and assigning controls with an appropriate level of rigour for each line of development, or team.
DevOps / DevSecOps
As the old legacy infrastructure with multiple toll gates is drifting away, information persistence and the faster, more responsive API(s) spawn and scale vast instances of software and hardware. This brings with it the mantra of making everyone accountable for security with the objective of implementing security, hooks, decisions and actions at the same scale and speed as development and operations decisions and actions.
Another key driving factor for DevSecOps is the fact that perimeter security is failing to adjust with increasing integration points and the blurring of the trust boundaries. As Technology is moving the ‘intelligence’ functions further up the stack in our systems, it’s getting less opaque where the perimeter is in the Cloud / Cyber ecosystems. It is eminent that software must be inherently secure itself without relying on the border security controls. Rapid development and releases lead to shortening the supply chain timeline to implement custom controls like filters, policies and firewalls.
Sustaining Cyber Security During Exit, Transition, & Migration
In the context of Legacy to Cloud Service Transformation, Exit, Transition, and Migration (E, T, & M) is defined by the following activities:
- Exit. The activity required by the incumbent service provider (Legacy Services) to exit from their contractual responsibilities and pass responsibility for service delivery to the new supplier at the Operational Service Commencement Date;
- Transition. The activity undertaken by a new service provider to mobilise the contract and assume responsibility for the delivery of services at the Operational Service Commencement Date;
- Migration. The activity undertaken by the new service provider to modify or replace the way services inherited at the Operational Service Commencement Date are delivered.
Organisations’ Cyber security needs to be embedded in all stages of the transformation programme, which means that the Cyber Defence Policy needs to include a plan that helps to sustain the effectiveness of Cyber Defence during Exit, Transition, and Migration of Services. Identification & Access Management including Single Sign On (SSO), data loss prevention, system integrity and fraud detection are major elements that are sensitive to change in the technology estate. Also, Application Programming Interfaces (APIs) are a vital part in facilitating changes. Protection against API threats requires an organisational-wide approach. This includes:
- Multiple verifications for partner systems identity
- Detailed vetting of partners prior to granting access to any of the systems
- Ensuring your service providers are not using hard coded credentials
- Ensuring your service providers are not sharing accounts
- Monitoring of all API usage by partners
- Tokenisation i.e. replacing sensitive data with a token/placeholder that then enables the customer to be matched with their data without exposing that data.
Conclusion
Financial institutions can use the systems designed by technology companies to improve efficiency, reduce operating costs, and offer new and improved products. Partnerships between the two may result in greater convenience for, and cost savings to, customers. For that reason, Cloud First is a good thing, but it’s important to ensure that before your Cloud First programme is initiated, that you have your ducks in a row – make sure your Strategies are coherent and complement one another and that you have a good Cloud Risk Management Culture. It will help your security team to be an enabler.
Does Your Organisation Need Top Cyber Security Consultants?
We are a team of experts with extensive knowledge and experience of helping organisations improve business performance. Our highly qualified consultancy team can deliver cyber security capability at all levels of your organisation and are on hand to help ensure your projects deliver solutions that are appropriately aligned to your cyber security risk position, and meet technical, business and ethics due diligence requirements. Schedule a call above to learn more about how we can help.