
Apply the ISF Approach for using cloud services securely

Published 11 December 2019

The latest ISF research, Using Cloud Services Securely: Harnessing core controls, has been completed. It has benefited from an extensive level of input from ISF Members through a number of workshops, subject matter expert interviews and a Member survey.

In this blog, we give an overview of the key features of the research and the feedback received.

The research highlights the complexities of the multi-cloud environment that most organisations now face. The multiple cloud security challenges can be summarised as follows:

  1. Identifying and maintaining the appropriate level of cloud security controls
  2. Balancing the shared responsibility for security between the cloud service provider (CSP) and the cloud customer
  3. Meeting regulatory requirements to protect sensitive data in the cloud environment

All the challenges have been analysed, reviewed and subsequently addressed in the ISF Approach to using cloud services securely, which is divided into three parts.

Part 1 of the ISF Approach – Cloud security governance

Practical and actionable guidance for governing cloud services securely is a de facto requirement. There are several key elements of cloud security governance which can be embedded into the overarching security governance structure, such as the cloud security policy, the register of cloud services and the information risk assessments. There are also important security clauses to be included in cloud contracts and a list of all the important certifications that organisations should seek from their CSPs.

Part 2 – Core cloud security controls

The ISF Approach provides a list of core cloud security controls whilst focusing primarily on the cloud customer, offering practical guidance on how an organisation – as the cloud customer – can improve its security posture in the cloud environment.

Organisations cannot rely solely on the security posture of their CSP; they have a lot of work to do in-house, deploying the relevant controls to secure their usage of cloud services.

The controls are grouped into five areas which will be familiar to information security experts and practitioners, revolving around: network security, identity and access management, data protection, secure configuration and security monitoring.

The core cloud security controls have been analysed in depth, with a focus on the detailed cloud-specific aspects, all of which are included in the description of the implementation guidance.

Part 3 – Cloud security products and services

There are a myriad of cloud security products and services that can be grouped into three broad categories, all required to enhance organisations’ security posture when using cloud services.

For example, cloud access security brokers (CASBs) can add benefits in leveraging a well-configured cloud environment. However, CASBs do not cover the full spectrum of the core cloud security controls and their high costs can be seen as an inhibitor.

Maximise potential

Organisations want to move further towards using cloud services and they aspire to do so in a secure manner. By adopting a robust strategy for securing the use of cloud services such as the one depicted in the ISF Approach, organisations will gain confidence that they can fully embrace the cloud to maximise potential.

“A well-configured cloud can be better secured than an on-premises Datacentre” – ISF Member

Please take some time to read through the executive summary and/or the full report and apply it to your organisation.

Benoit Heynderickx is a principal analyst at the Information Security Forum. Benoit is a subject matter expert on supply chain information risk and updated the ISF offering in 2018. More recently, Benoit was the project lead for the research project, Using Cloud Services Securely, whilst delivering several workshops and overseeing the ISF team effort in producing a successful report.