How do we meet the compliance and security requirements for a Cloud?
Here are some cloud provider readiness checks:
Does the cloud have the ability to encrypt data at rest and in transit?
Does the cloud have the ability to pull audit information via logs?
Does the cloud include role-based access control?
Does the cloud have the ability to map roles according to enterprise hierarchy, or to a facsimile of the enterprise organizational structure?
Can the cloud authenticate against a central system of record based on user roles and assignments?
Can the cloud integrate with existing command-and control systems?
Can the cloud back up data off the cloud?
Does the cloud have built-in disaster recovery capabilities?
courtesy : Shriram Natarajan
In addition, the organization supporting cloud services will need to honor audit requirements and Health Insurance Portability and Accountability Act. Payment Card Industry customers will need to re-certify yearly to ensure they are still complying with regulations, and the cloud provider should be able to meet these requirements. We can guarantee the cloud compliance once we have fully understood and documented the data flow. That includes not only data ownership and auditability, but cloud and storage configuration as well. If anything is not included or not documented in the contract, it doesn't exist and the organizations that want to maintain governance, regulation and compliance can't use a contract template. A customized contract is a must to ensure their needs are met.
Another approach is to use Plan, Do, Check and Act cycle also known as Deming cycle for cloud security and compliance management. In this case, the Plan phase
determines the scope of security and compliance
requirements including regulatory and business requirement evaluations, and designs deployment accordingly.
The Do phase defines the security controls and risk management framework. This includes choosing encryption, secu-
rity token, identity and access management, identity management options and
controls to detect and prevent intrusion,. The last category includes security incident and event management and data leakage protection products. In the Check phase, organizations define auditing objectives. These involve not just SOX but also fine grained historical action logging. In the Act phase they mitigate vulnerabilities. This not only includes audits, but also continuous monitoring and security improvements.
Courtesy: Kanwarjeet Panesar
Here are some cloud provider readiness checks:
Does the cloud have the ability to encrypt data at rest and in transit?
Does the cloud have the ability to pull audit information via logs?
Does the cloud include role-based access control?
Does the cloud have the ability to map roles according to enterprise hierarchy, or to a facsimile of the enterprise organizational structure?
Can the cloud authenticate against a central system of record based on user roles and assignments?
Can the cloud integrate with existing command-and control systems?
Can the cloud back up data off the cloud?
Does the cloud have built-in disaster recovery capabilities?
courtesy : Shriram Natarajan
In addition, the organization supporting cloud services will need to honor audit requirements and Health Insurance Portability and Accountability Act. Payment Card Industry customers will need to re-certify yearly to ensure they are still complying with regulations, and the cloud provider should be able to meet these requirements. We can guarantee the cloud compliance once we have fully understood and documented the data flow. That includes not only data ownership and auditability, but cloud and storage configuration as well. If anything is not included or not documented in the contract, it doesn't exist and the organizations that want to maintain governance, regulation and compliance can't use a contract template. A customized contract is a must to ensure their needs are met.
Another approach is to use Plan, Do, Check and Act cycle also known as Deming cycle for cloud security and compliance management. In this case, the Plan phase
determines the scope of security and compliance
requirements including regulatory and business requirement evaluations, and designs deployment accordingly.
The Do phase defines the security controls and risk management framework. This includes choosing encryption, secu-
rity token, identity and access management, identity management options and
controls to detect and prevent intrusion,. The last category includes security incident and event management and data leakage protection products. In the Check phase, organizations define auditing objectives. These involve not just SOX but also fine grained historical action logging. In the Act phase they mitigate vulnerabilities. This not only includes audits, but also continuous monitoring and security improvements.
Courtesy: Kanwarjeet Panesar
No comments:
Post a Comment