The use of cloud and hybrid-cloud tools has reduced business costs and stimulated unprecedented growth in adoption rates worldwide. Several studies show that the cloud is here to stay, which makes it important to analyze the most efficient ways to control and reduce risks such as intrusion, attacks, leakage of sensitive information and unavailability of services.
Cloud security is one of the main concerns of IT managers. In addition, the Cloud Security Alliance (CSA) reveals that only 16 percent of organizations have fully implemented policies and controls around using the cloud. The CSA states that 80 percent of companies with more than five thousand employees fail to know how many cloud applications are used within their organizations.
The cloud model adopted within an organization also affects how much control it retains over the infrastructure, applications and database. According to the Insider Threat Spotlight Report by Crowd Research Partners, 62 percent of people consider it more difficult to detect and protect against internal threats than external attacks. The situation is even more complex, as major failures may often be the responsibility of users themselves, since only 38 percent of organizations have a security policy with clear rules and responsibilities for data protection.
Risk situations occur very frequently, as many companies believe that the security of data in the cloud is the responsibility of the provider. Control measures include limiting user access, managing encryption keys and encrypting data in transit (used to protect data stored or processed on servers) in the cloud. Frequently, due to a lack of investment or a lack of trained professionals, security is relegated to a lower priority. Also, those responsible believe that occasional log analysis or cases reported by users are sufficient containment measures against loss or incidents.
Effective implementation of policies for protection and access control includes the following: mapping the services used by individual users; granting privileged access only where needed; implementing expiration of authenticated sessions based on both elapsed time and inactivity; integrating access-management processes with Human Resources and third parties; identifying the type of access, location, time and profile in order to avoid harmful behavior and possible gaps in controls; and protecting stored and transmitted data with cryptography to prevent exposure of data in transit.
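Two of the controls listed above, session expiration by elapsed time and by inactivity, and access decisions based on type, location, time and profile, are concrete enough to show in code. The following is an added example, not code from the original article or from (ISC)²; the timeout values, the profile table and the sample sessions are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy values: an authenticated session is never valid longer than
# ABSOLUTE_LIFETIME after issuance, and expires earlier after IDLE_TIMEOUT
# without activity. Both limits are enforced, not just one.
ABSOLUTE_LIFETIME = timedelta(hours=8)
IDLE_TIMEOUT = timedelta(minutes=15)

# Assumed access profiles: permitted countries and a permitted window of
# hours (start inclusive, end exclusive), evaluated in UTC for simplicity.
ACCESS_PROFILES = {
    "finance": {"locations": {"BR", "US"}, "hours": (8, 19)},
    "contractor": {"locations": {"BR"}, "hours": (9, 18)},
}


@dataclass
class Session:
    user: str
    profile: str
    issued_at: datetime   # when the user authenticated
    last_seen: datetime   # last request on this session


def session_status(session: Session, now: datetime) -> str:
    """Return 'active', 'expired:lifetime' or 'expired:idle'."""
    if now - session.issued_at > ABSOLUTE_LIFETIME:
        return "expired:lifetime"
    if now - session.last_seen > IDLE_TIMEOUT:
        return "expired:idle"
    return "active"


def touch(session: Session, now: datetime) -> Session:
    """Record activity; only an active session may be refreshed."""
    if session_status(session, now) != "active":
        return session
    return Session(session.user, session.profile, session.issued_at, now)


def access_decision(session: Session, now: datetime, country: str) -> str:
    """Combine session expiry with the location/time/profile checks."""
    status = session_status(session, now)
    if status != "active":
        return status
    profile = ACCESS_PROFILES.get(session.profile)
    if profile is None:
        return "denied:unknown-profile"
    if country not in profile["locations"]:
        return "denied:location"
    start, end = profile["hours"]
    if not start <= now.hour < end:
        return "denied:time"
    return "allowed"


def demo_results() -> dict:
    """Constructed scenarios exercising each branch of the policy."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    fresh = Session("alice", "finance", t0, t0 + timedelta(minutes=10))
    old = Session("bob", "finance", t0 - timedelta(hours=9), t0)
    ctr = Session("carol", "contractor", t0, t0)
    late = Session("dave", "finance", t0 + timedelta(hours=4),
                   t0 + timedelta(hours=10, minutes=55))
    return {
        "fresh_allowed": access_decision(fresh, t0 + timedelta(minutes=20), "BR"),
        "idle_expired": access_decision(fresh, t0 + timedelta(minutes=30), "BR"),
        "lifetime_expired": access_decision(old, t0 + timedelta(minutes=1), "BR"),
        "wrong_location": access_decision(ctr, t0 + timedelta(minutes=5), "US"),
        "outside_hours": access_decision(late, t0 + timedelta(hours=11), "BR"),
        "touch_keeps_active": session_status(
            touch(fresh, t0 + timedelta(minutes=20)), t0 + timedelta(minutes=34)),
    }


if __name__ == "__main__":
    for name, result in demo_results().items():
        print(f"{name}: {result}")
```

The point of separating `session_status` from `access_decision` is that expiry is evaluated first and independently: a session that has outlived its absolute lifetime is rejected even if the user is active, in the right country and within working hours, so no amount of activity can extend a session indefinitely.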
According to the Insider Threat Spotlight Report, 47 percent of companies are not able to detect internal attacks or fail to measure the detection time, and 43 percent say that the response time to incidents is up to a week. To succeed in detecting and protecting information against unidentified threats, there must be active monitoring through solutions such as Data Loss Prevention (DLP), Security Information and Event Management (SIEM) and Secure Enterprise Content Management (SECM), among others. Such a solution should be integrated with infrastructure monitoring and data-movement applications, and should take into account the context and the typical behavior of all users involved.
The considerations in this text do not claim to exhaust the subject of cloud security. There are many other important points to consider, from infrastructure to the criteria for cloud application development, which differ from those of the traditional IT model.
For this reason, (ISC)² along with the CSA (Cloud Security Alliance) developed the Certified Cloud Security Professional (CCSP℠) certification for professionals who want and need to deepen their knowledge related to cloud security. The CCSP certification is a clear indication of the potential of this market, and I am sure that those who seek to improve their knowledge will be at the forefront in an increasingly competitive market. -- Kleber Melo, Chair of the (ISC)² Latin America Advisory Council