At the beginning of July 2018, I read a LinkedIn post by Debbie Christofferson (Contract consultant at the Cloud Security Alliance), about an article published on June 28, 2018 in SearchCloudSecurity (TechTarget) by Madelyn Bacon.
The article, "Microsoft: Enterprises need to stop fighting cloud services adoption", covers a presentation given by Laura Hunter, Principal Program Manager at Microsoft.
In the article, security professionals voice their concerns about security, for example the risks that organizations will face when adopting Cloud Computing. However, it is the managerial levels of the business that make the final decision, and the positive or negative impact is absorbed by the business.
In fact, many times I have taken the same position as Laura when she says that "security professionals work in a zero-trust mindset, especially when it comes to cloud services adoption. As a result, when another unit in the organization proposes using a cloud application or service, security professionals have an automatic answer: 'no', because it would be bad for security."
In my opinion, this is the "Officer of Insecurity", who perhaps does not provide sufficient evidence to make an accurate assessment of the risk of adopting Cloud Computing. IT departments are concerned with obtaining a certificate under an international standard and fear the threat of the auditors, whom they see as the enemy. In fact, the role of the auditor should be seen as one of verification and control related to compliance; auditors help keep the organization's security management processes alive.
According to Laura, "When it comes down to business need versus security, business need is always going to win, and then you end up with shadow cloud IT that the security team has no control over".
In this regard, I would argue that business needs are not always going to win, because by adopting Cloud Computing the organization's information assets and business data could be exposed. It all depends on the attitude toward risk of the people who make the decisions.
An example would be a case where sector regulations (banking or insurance, for instance) are violated, affecting the organization's legal compliance.
Finally, I fully agree with Laura on one point: there is no "fully secure" Cloud Computing scenario that a Cloud Services Provider (CSP), or any organization in general, can offer. Therefore a Shared Responsibility Model, such as the one defined by AWS, is highly recommended. It is also true, however, that cloud services can be used to improve the security of companies.
Taking this article into account, along with the risks we face when adopting Cloud Computing, we talked with Víctor Villar (Director of the Master in Administration and Project Management at the EPG of the Peruvian University of Applied Sciences - UPC).
After reviewing the Shared Responsibility Model designed and provided by AWS, we agree with Víctor that "The responsibility is clearly defined in the Model proposed by AWS".
In Víctor's opinion... "We must have an attitude towards risk (which is a natural personal reaction). In order to prevent an employee from avoiding all risk, or taking too many risks, because of their own personal attitude to risk, a policy of risk tolerance and risk thresholds must be defined corporately. This has to do with governance."
As Rómulo Lomparte would say... "Once again we come to the importance of risk, and of a corporate policy on risk that allows us to govern while providing the necessary guarantees to the business".
In conversations with Rómulo, we have discussed the behavior pattern of the Insecurity Officer and how certain factors of human behavior can impede the adoption of Cloud Computing. Often this is due to "the fear of specialists surrendering part of their responsibilities to third parties and thus losing power".
I had a conversation with Carlos Ferreyros (Université de Montpellier, France)... "In Peru, the laws that regulate the digital domain have an analog conception, based on the regulation of aspects of the physical environment. An attempt is made to adapt the rules of the physical environment to the digital, immaterial one, without taking into account the specificity of the latter, for example in relation to the Cloud. At the same time, there is an asymmetry between information security and the shared responsibility of business bodies and external suppliers".
According to Carlos, these matters must be approached from the triple angle of the security of the organization, the computer technology and the legal aspects, in addition to involving external service providers such as Cloud Services Providers (CSP).
On behalf of the Cloud Security Alliance, Peru Chapter, and as Cloud Evangelist at Telefónica, I want to thank Rómulo Lomparte, Víctor Villar and Carlos Ferreyros Soto for the time they gave us. The volunteer work we are doing is promoting the safe adoption of Cloud Computing in Peru.
We invite you to be part of these meetings, as well as these discussions, which all go towards contributing to our community. You can also follow us on LinkedIn in the Cloud Security Alliance, Peru Chapter group, where I am a volunteer promoting the use of security best practices for Cloud Computing.
In collaboration with:
- Víctor Villar - Director at the Peruvian University of Applied Sciences (UPC)
- Carlos Ferreyros - Professor at the Université de Montpellier, France
- Rómulo Lomparte - ISACA, Lima Chapter
- Jorge Rojas - Cloud Security Alliance, Peru Chapter
- Fernando Carrillo - Consultant at AirOn Group