Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Wednesday, January 30, 2013

Governance Must Drive All Security Initiatives… Even Cloud

You need to know who IS accessing resources, and if they don’t have the proper credentials, you need to be notified immediately to take further preventive action.  You need to know your rights, liabilities (SLA) for any application or service acquired and that they conform to your risk management practices.  Effective governance is the ability to have a centralized map of all these information roads and create certain controlled access points, road blocks (encryption), privileged private lanes/public highways…in short, governance is about accountability.

It is up to the CIO or CSO’s due diligence to understand all the implications on how the deployment will affect the holistic enterprise.

“When cloud computing is treated as a governance initiative, with broad stakeholder engagement and well-planned risk management activities, it can bring tremendous value to an enterprise,” said Emil D’Angelo, CISA, CISM, international president of ISACA and founding member of the Cloud Security Alliance.

When due diligence is done, a CIO will have a clear idea of an initiative’s risk versus return and whether a cloud security deployment meets the individual requirements of the company.

For example, seeing who has accessed a certain application gives you historical perspective, but, what if it is a retired account or tries using a decommissioned password? ...  Or if a partner accesses certain parts of your database to which they are entitled, but quadruples their order in the dead of night to be shipped to Phnom Penh? ...  There are literally thousands of scenarios by which leveraging the cooperative functionality of IDM, AM, SIEM and Log Management creates not only the holistic visibility to drive governance policies, but offers significant barriers to keep the IT enterprise safer.

The challenge facing most security teams, therefore, is to provide line-of-business users with the access they need while ensuring that the access is appropriate and does not expose the enterprise to unnecessary business risk.  But first you must ensure visibility—and when you know where all your data is and all the multiple ways that it is available, then you can best manage the policies, roles, and security functions that best connects your requirements.

Link: http://cloudcomputing.sys-con.com/node/2527026

Posted on 01/30
AdvicePermalink