Security is cited as a concern by enterprises that use cloud-based services, but judging by the rapid growth of the cloud, companies are finding ways to address it. That is certainly the case at Nexteer Automotive, a $3.4 billion maker of advanced steering and driveline systems for the automotive industry. For about five years, the company has been using a range of cloud-based applications, including email, collaboration tools, enterprise resource planning, product lifecycle management and customer relationship management services.
As chief information security and privacy officer for the firm, Arun DeSouza is responsible for ensuring those cloud-based applications stay secure. I talked with him about what security concerns he has with cloud services, how to assess the risks, and what’s missing regarding security for the cloud.
The Enterprisers Project (TEP): To what extent do security concerns play into your cloud strategy?
DeSouza: The issue comes down to two main points. First, we need to ensure that cloud providers have appropriate administrative, technical and physical safeguards in place. Second, it’s imperative that new cloud solutions integrate with your existing corporate identity management framework, so you have appropriate access controls, provisioning, and de-provisioning. The biggest problem today with cloud services is the possible loss of intellectual property. When people leave the company, you need a single point from which you can shut off access, to address the risk of data loss or leakage.
TEP: To what extent do your existing security policies and procedures carry over to cloud-based services and applications? Can you just extend existing policies to the cloud?
DeSouza: Yes, to a degree. However, when you throw privacy concerns into the mix, such as the EU Privacy Shield, the demarcation is not so clear cut, so you’ve got to be careful. For example, storing data for EU residents in data centers within other regions gets tricky because of the stringent EU privacy rules. Privacy is the real wild card now. Some companies are more concerned with confidentiality. Confidentiality is about data, and privacy is about people. But when the data is about people, that’s when confidentiality and privacy become inextricably intertwined.
TEP: What’s different about the cloud from a security perspective? How do you have to change your existing policies?
DeSouza: Verification of security policies becomes necessary. You need to have a view into the provider’s implementation and compliance with governance policy mandates, which can be challenging. You can design robust security system procedures and controls, but without detailed on-site auditing, it’s not possible to confirm adequacy. You don’t want to rely on the goodwill of the provider. Your right to conduct on-site audits should be in the contract as part of governance oversight. You should be able to go in and inspect the facility and talk to the administrators who are running it.
TEP: How do you assess the risks that a cloud-based service presents?
DeSouza: As a starting point, it is always good practice to request and review SOC 1 [Service Organization Controls] and SOC 2 type reports from reputable, independent third parties. Also, we provide a standard screening checklist to the providers before we sign a contract and review it with them. We also include appropriate security constructs in the contracts, including such things as our right to audit.
TEP: Most companies today have some hybrid cloud setup, with a mix of premises-based and public cloud resources. Does that present any additional security challenges beyond pure private or public cloud?
DeSouza: The need for well-defined governance centered on a robust identity management framework is even more critical, meaning role-based access controls, onboarding, and off-boarding processes. The use of layered perimeter controls is also imperative, such as multi-factor authentication when accessing services from off campus.
TEP: What’s missing regarding security for the cloud?
DeSouza: We need a paradigm shift because the traditional layered perimeter is not sufficient. Access control and identity management at the individual enterprise application level are essential. You can build all the border controls you want, but if you don’t have proper access control and identity management, then you’re setting up for failure. It’s an educational process because anyone can buy cloud services. They need to understand that due diligence and compliance are required to ensure that security and privacy practices are followed.