Almost all organizations use some form of cloud storage or computing for their day-to-day operations. Yet, as convenient as they are, cloud environments come with risks for all assets, systems, and users that come into contact with them. This is why thoroughly understanding security governance in cloud computing is essential for stakeholders at all organizations.
Security Governance in Cloud Computing 101
As with general cybersecurity, effective cloud security begins with sound governance. To protect assets processed or stored on the cloud, you’ll need to strategize, implement, and maintain a framework of controls. Cloud security governance is the top-down oversight of those processes.
The two most critical components of cloud security governance to understand are:
- What security governance in cloud computing is and how it works
- How to implement an effective cloud security governance program
Beyond these, organizations should also be aware of the ways cloud security governance interacts with regulatory compliance requirements from industry, legal, or other mandates.
What is Security Governance in Cloud Computing?
Cloud security governance is a blanket term that refers to the management and oversight of your cloud’s security. Depending on your organization’s relationship to the cloud (owner, user, etc.) and the kinds of assets or processes that it houses, governance can mean different things.
For example, if your business uses a cloud that’s hosted by another organization, cloud security governance is likely split between both parties in a shared responsibility model (see below). If your organization hosts its own cloud, you’ll have a greater share of governing responsibilities.
In all cases, governance is what’s ultimately responsible for ensuring cloud security. In other words, cloud security governance is an assurance of security; successful attacks on cloud infrastructure are often attributable to a failure or loss of governance in cloud computing.
Shared Responsibility and Cloud Security Governance
Many organizations’ use of the cloud is mediated through providers. For example, three of the most popular cloud providers are Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). In these cloud environments, responsibility for security governance is shared between the provider and the customer.
Each provider’s shared responsibility model differs slightly, but most break down cloud governance responsibilities into two categories:
- Security “in” the cloud – Customers are typically responsible for restricting access to assets hosted on cloud infrastructure through filters, encryption, and other controls.
- Security “of” the cloud – Providers are typically responsible for ensuring seamless and secure access to the cloud by protecting the software and hardware required to host it.
These distinctions are loose, and there’s often overlap. Your organization’s share of cloud governance responsibilities may include elements of security both in and of the cloud. And other entities may share in the responsibility as well, as both providers and customers may entrust third parties with elements of their cloud security governance.
The upshot is that cloud security governance, regardless of how it is divided or shared, ensures security both in and of the cloud.
How Governance Ensures Data Security on the Cloud
Security governance comprises responsibility for and control over the systems that protect a given IT environment. Governance, in the cloud or elsewhere, ensures data security by writing the rules and setting them in motion.
Cloud security governance informs the strategy, deployment, and ongoing maintenance of cloud security systems, perpetually monitoring for and responding to threats. It determines protocols for staff awareness training and ensures that all stakeholders know how to use cloud resources securely and report on threats when they appear. And it designs and deploys incident response protocols to minimize the damage of a cloud attack if it does happen.
Governance is the guarantor of security in any IT environment, including the cloud.
How to Implement a Cloud Security Governance Framework
Implementing security governance in cloud computing looks a lot like implementing governance in any other IT environment. Your organization needs to determine what kinds of protections are needed, develop a framework of controls to cover them, deploy the framework, and maintain its efficacy through regular assessment and adjustment.
In practice, cloud security governance typically means controlling security systems in the cloud.
In the most effective implementations, however, your governance scheme may also monitor for and respond to things that are outside its direct responsibility (this is security of the cloud). Having a built-in failsafe or fallback will help if your provider’s security precautions falter.
Ultimately, cloud security governance requires scoping, control deployment, and maintenance.
Determine the Scope of Your Cloud Security Needs
Sound governance begins with scoping. Your organization needs to determine the extent of responsibility its cloud security governance will assume, what needs to be protected, and how.
This means documenting the specifics of your cloud infrastructure, such as:
- The amount and kinds of data or processes housed on the cloud
- Your average or expected monthly cloud server bandwidth use
- Devices that are used to access the cloud or assets within it
- Users that have access to the cloud and information about them
- The history of attacks or attempted breaches of your cloud environment
These factors, along with your shared responsibility agreement, will dictate the depth and breadth of the cloud security framework you’ll need to develop, deploy, and maintain.
Compliance requirements applicable to your cloud infrastructure will also inform the scope of governance required. The kinds of controls that need to be implemented and types of reports or audits that are required for certification will dictate direct responsibilities for governance.
Develop and Deploy a Cloud Security Control Framework
Once you determine what kinds of cloud protections you need, you can develop and implement a system that accounts for all of them. Governance comprises some combination of strategizing, installing, and maintaining your cloud security framework.
Most organizations’ governance frameworks will include some version of the following:
- Configuration and patch management – Installing specific controls on systems and assets within the cloud—or to the cloud itself—and ensuring they remain up to date
- Threat and vulnerability management – Monitoring for, identifying, analyzing, and mitigating risks to your cloud environment (vulnerabilities and threats to exploit them)
- Identity and access management – Restricting individuals’ ability to access the cloud through authentication, then monitoring and controlling their access and behaviors
- Training and awareness programs – Educating staff, clients, and other stakeholders on best practices for cloud security and how they can prevent and mitigate incidents
- Incident response protocols – Deploying action plans to quarantine and eradicate threats when they materialize into attacks, breaches, or other cybersecurity events
The category of controls your organization needs to implement will vary widely, depending on your shared responsibility agreement and the cloud environment itself. Other factors include the kinds of data within the environment and risks most likely to impact your organization.
Regulatory compliance may also determine what your framework entails (see below).
Assess The Efficacy of Your Cloud Security Governance
Cloud security governance doesn’t end with strategizing and implementing a cloud security framework. You also need to assess the system at regular intervals to ensure its functionality.
Assessments may take the form of formal audits, testing each control. Or, you may conduct deeper investigations such as internal or external penetration testing to gauge your cloud infrastructure’s ability to survive an attack. These tests provide insight into the strategy, execution, and overall governance of cloud security.
There’s also a need for ongoing security monitoring in cloud computing.
In between formal audits and assessments, organizations should track day-to-day performance of their cloud security protections. Ongoing, ideally automated monitoring ensures that controls are functioning as expected and preventing or mitigating threats to their full potential.
Assessments are also critical to achieving and maintaining compliance.
Compliance Considerations for Cloud Security Governance
The last major consideration for security governance in cloud computing is the fact that your cloud infrastructure may be subject to cybersecurity regulations. Depending on factors like your industry, location, clientele, and the kinds of data you process, you may need to ensure your cloud environment complies with applicable laws and frameworks.
For example, organizations that operate within or adjacent to healthcare need to ensure the privacy and confidentiality of protected health information (PHI). And organizations that work with the US Military need to secure Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
In both cases, these protections extend to the cloud. And they might apply to your organization even if you’re not directly involved in the industry in question; all it takes is the presence of a protected data category on your cloud.
The last thing you want is for the convenience of cloud computing to come at the cost of noncompliance penalties, which can include monetary, criminal, and other consequences.
CMMC and NIST Requirements for Cloud Security Governance
Cloud security governance for Defense Industrial Base (DIB) organizations depends on the specific Level of Cybersecurity Maturity Model Certification (CMMC) you need to achieve.
Organizations that process FCI will likely need to achieve at least Level 1 certification, whereas those that process CUI will likely need Level 2 or Level 3 certification. With respect to cloud security governance, that means ensuring your cloud complies with controls from NIST SP 800-171.
The projected requirements for CMMC at each level are derived from NIST compliance:
- Level 1 – Foundational security comprises 15 practices from NIST SP 800-171; cloud-relevant practices focus on limiting external connections (AC.L1-3.1.20), authenticating users for access to systems (IA.L1-3.5.2), establishing secure boundaries (SC.L1-3.13.1), and implementing subnetworks for system separation (SC.L1-3.13.5).
- Level 2 – Advanced security comprises 100 practices, reflecting all 110 Requirements from NIST SP 800-171; cloud-relevant practices focus on ensuring remote access confidentiality (AC.L2-3.1.13), auditing (AU.L2-3.3.1, AU.L2-3.3.8), establishing Multifactor Authentication (IA.L2-3.5.3), and protecting backups (MP.L2-3.8.9).
- Level 3 – Expert security requirements are as yet undetermined. They will be derived from NIST SP 800-172 and build on protections from Levels 1 and 2.
Cloud security is most closely related to NIST’s Access Control, Audit and Accountability, and System and Communications Protection Requirements (and their corresponding practices in CMMC). However, controls from all 14 Families (and CMMC Domains) may be applicable to cloud infrastructure and behaviors.
HIPAA and HITRUST Requirements for Cloud Security Governance
Cloud security governance under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) means ensuring that assets on the cloud comply with the Privacy, Security, and Breach Notification Rules. In a nutshell, that means preventing any unauthorized access to Protected Health Information (PHI) and reporting any such instances to impacted parties.
If your organization operates within or adjacent to the healthcare industry, you’ll need to comply with HIPAA. HIPAA may also apply to you if you are a Business Associate of a Covered Entity to whom it applies. HIPAA cloud security responsibilities may also be shared with your provider.
The HHS does not prescribe particular cloud security controls, but it does publish guidance on HIPAA compliance and cloud computing to inform your shared responsibility governance.
Another framework organizations in and adjacent to healthcare may need to comply with is the HITRUST CSF. HITRUST is not a legally mandated regulation. However, it is a widely recognized solution that unifies controls for several other regulations (HIPAA, CMMC, etc.). HITRUST certification may be expected or required by your business partners or clients.
There are many HITRUST controls related to cloud security, dispersed across various Levels of the hundreds of sub-Objectives within the framework. Specific governance responsibilities for you or your provider will depend on the level of certification you need to obtain.
Optimize Your Cloud Security Governance Today
Ultimately, cloud security governance is similar to governance in other areas of cyberdefense.
If you utilize cloud infrastructure for your business operations, you are at least partially responsible for ensuring assets and processes on your cloud are secure. Governance achieves security both of and in the cloud by planning, implementing, and maintaining a cloud security framework. It also ensures your cloud meets any applicable regulatory requirements.
RSI Security offers a suite of cloud security services, including robust governance packages tailored to any specific cloud platform you use—GCP, AWS, Azure, and others.
To learn more about effective security governance in cloud computing, or how RSI Security will help you rethink and optimize your cloud security governance program, contact us today!