Governance, Regulations and Compliance:
Cloud computing has proliferated VMs, while security standards have been
trying to catch up, moving from the resource-centric IT environments of the
past to the more datacenter-oriented environments of today. Fortunately, this
has evolved according to how clouds are offered: public, community, private and
hybrid. A public cloud carries the highest risk due to lack of security
control, multi-tenancy, data management concerns, limited SLAs and lack of
common regulatory controls. A community cloud carries moderate risk due to
multi-tenancy; however, it is less risky than a public cloud because its
members share legal/regulatory compliance concerns. A private cloud carries the
least risk due to single ownership and strongly shared mission goals along with
common legal/regulatory requirements. A hybrid cloud's risk depends on the
models combined: a private/community combination is the lowest risk, while a
public/community combination poses the greatest risk. Scope also matters. A
public cloud serves several hundred organizations. A community cloud works
within the private networks of two or more organizations. A private cloud is
entirely internal to the organization's private network. A hybrid cloud can
have a private/community cloud entirely within the organization's private
network, with spillover capacity to a public/community cloud.
The information security governance framework is essentially a Plan, Do,
Check, Act cycle of continuous improvement and comprises seven management
processes: strategy and planning, policy portfolio management, risk management,
management overview, communication and outreach, compliance and performance
management, and awareness and training. The management processes govern the
implementation and operation of the functional processes, which vary with the
cloud environment.
Central to the implementation of the functional processes is the scheduled
sweep of resources for GRC purposes. These sweeps involve tightening the
configurations of virtual machines in all forms and flavors, covering such
things as network connectivity configuration and System Security Services.
When a user logs into a VM, checks such as whether the password has expired,
whether the user is still an active employee, and whether a login can be
granted at all are all part of the server hardening requirements. Yet the
boilerplate configuration on each virtual machine often escapes the scrutiny
that otherwise falls on the public cloud. When a public cloud is set up to run
Active Directory, it is usually done as a managed service, and the connectivity
from the virtual machines depends on their own configurations. The access
provider, the id provider and the change-password provider specified in the
sssd configuration determine how the virtual machines enable accounts. Careful
scrutiny of this configuration can by itself eliminate several vulnerabilities
and maintenance activities. The cost of workflows and fixes increases
significantly once the ripples reach downstream systems or a later point in
time, so early and proactive mitigation through compliance and governance
processes is immensely beneficial. When done right, the configuration does not
even need to change very often.
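The kind of scrutiny described above, as an added example that is not part of the original post: a small Python audit of the `[domain/...]` sections of an sssd.conf, resolving the three providers the post names with the defaults documented in sssd.conf(5) (unset `access_provider` means `permit`; `auth_provider` falls back to `id_provider`; `chpass_provider` falls back to `auth_provider`). The sample configuration and domain names are constructed for the example.

```python
import configparser

# Constructed sample sssd.conf (not from the original post): one domain whose
# access provider effectively admits every directory account, and one that
# delegates the access decision to Active Directory.
SAMPLE_SSSD_CONF = """
[sssd]
domains = lab.example, corp.example
services = nss, pam

[domain/lab.example]
id_provider = ldap
access_provider = simple

[domain/corp.example]
id_provider = ad
access_provider = ad
"""


def audit_sssd(conf_text):
    """Return {domain: [findings]} for the id, access and chpass providers.

    Defaults follow sssd.conf(5): access_provider -> 'permit', auth_provider ->
    id_provider, chpass_provider -> auth_provider.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom, issues = cp[section], []
        id_prov = dom.get("id_provider")
        access = dom.get("access_provider", "permit")
        chpass = dom.get("chpass_provider", dom.get("auth_provider", id_prov))
        if id_prov is None:
            issues.append("id_provider unset: directory accounts cannot be resolved")
        if access == "permit":
            issues.append("access_provider is 'permit' (or unset): every directory account may log in")
        elif access == "simple" and not (dom.get("simple_allow_users") or dom.get("simple_allow_groups")):
            issues.append("access_provider 'simple' without an allow list behaves like 'permit'")
        if chpass == "none":
            issues.append("chpass_provider is 'none': expired passwords cannot be renewed at login")
        report[section[len("domain/"):]] = issues
    return report


if __name__ == "__main__":
    for domain, issues in audit_sssd(SAMPLE_SSSD_CONF).items():
        print(domain, issues or ["ok"])
```

Run it against the real file with `audit_sssd(open("/etc/sssd/sssd.conf").read())`; any domain with a non-empty list is a candidate for the sweep.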