10 Areas of Risk in Enterprise Cloud Security Controls across Infrastructure

Cloud computing has transformed every business across the globe, from basic tools to enterprise applications. The entire enterprise infrastructure is moving to the cloud. With accelerating adoption of cloud, organizations are increasing their attack surface and infrastructure security in cloud computing is an issue given the hyper-connected nature of the cloud.

The below checklist has been created by Nitish Goyal,Information Technology Risk Office at Ocwen
 (many of the points were discussed at CISO Platform 100 & Decision Summit @ Kochi).

10 Areas of Risks in Enterprise Cloud Security Controls across Infrastructure:

  • Compliance to Security Policy, standards and security requirements
    • Applicable security policies, standards and security requirements, if not identified, reviewed periodically and acted upon in time, could lead to failure to comply with security policy / requirements of the Organization resulting in compromise of information and information processing facilities
  • Cloud Governance Model
    • The organization must have mechanisms in place to identify all providers and brokers of cloud services with which it currently does business and all cloud deployments that exist across the enterprise.
    • A contract team representing the customer’s legal, financial, information security and business units has identified and included required contractual issues in the contract from the customer’s perspective, and the service provider’s legal team has provided contractual assurance to the satisfaction of the customer.
    • Legal issues relating to functional, jurisdictional and contractual requirements are addressed to protect both parties, and these issues are documented, approved and monitored.
    • The deployment service models (SaaS, PaaS, IaaS) defines the data protection responsibilities between the customer and service provider, and these responsibilities should be clearly established contractually.
    • Service provider security assurance is provided through ISO27001 Certification.
    • Planning for the migration of data, such as formats and access, is essential to reducing operational and financial risks at the end of the contract. The transition of services should be considered at the beginning of contract negotiations.
  • Cloud Infrastructure Operations
    • Incident notifications, responses, and remediation are documented, timely, address the risk of the incident, escalated as necessary and are formally closed.
  • Identity and Access Management
    • Identity processes assure only authorized users have access to the data and resources, user activities can be audited and analyzed, and the customer has control over access management.
  • Change Control & Configuration Management
    • New Development / Acquisition
  • Data Security & Information Lifecycle Management Classification
    • Data security means must be in place for protecting data, such as a database, from destructive forces and from the unwanted actions of unauthorized users.
    • Mechanisms for label inheritance shall be implemented for objects that act as aggregate containers for data.
    • Secure Disposal
  • Datacenter Security
    • Asset Management
    • Controlled Access Points
    • Location-aware technologies may be used to validate connection authentication integrity based on known equipment location.
    • Off-Site Equipment
    • Data Processing Facility
    • Secure Area Authorization
  • Network Security
    • Appropriate network control technologies and policies must be designed to adhere to regulatory compliance rules and to protect information, data applications and infrastructure associated with cloud computing.
  • Infrastructure & Virtualization Security
    • Audit Logging / Intrusion Detection
    • Change Detection
    • Clock Synchronization
    • Capacity projection measures must be in place to avoid the future overload
    • Vulnerability Management
    • OS Hardening and Base Controls
    • Production / Non-Production Environments
    • vMotion Data Protection
    • VMM Security - Hypervisor Hardening
    • Wireless Security
  • Business Continuity Management
    • Operational Resilience
    • Datacenter Utilities / Environmental Conditions
    • Environmental Risks
    • Equipment Location
    • Equipment Power Failures
    • Retention Policy: Backup and recovery measures shall be incorporated as part of business continuity planning and tested accordingly for effectiveness

Views: 202

Join the Discussion ...

You need to be a member of CISO Platform to join the discussion!

Join CISO Platform


CISO as an enabler

Started by Maheshkumar Vagadiya Jul 30, 2020. 0 Replies

Share the instances where you were able to convince the Executive management /board that CISO function is enabler rather then a hindrance.Thanks youMaheshContinue

Has Anyone Evaluated Digital Signature (like Docusign)?

Started by CISO Platform. Last reply by Yogesh Nov 19, 2020. 2 Replies

(question posted on behalf of a CISO member)Has anyone evaluated digital signature (like Docusign), any specific risk/ security areas to be looked into while finalising a vendor? Any and all inputs will be very much appreciated.Continue

What are your strategies for using Zoom in your organization after recent vulnerabilities in news about Zoom platform?

Started by CISO Platform. Last reply by ANAND SHRIMALI May 20, 2020. 4 Replies

(question posted on behalf of a CISO member)What are your strategies for using Zoom in your organization after recent vulnerabilities in news about Zoom platform?Related Question: …Continue

[Please Suggest] Corona Virus: Security advisory for work from home

Started by CISO Platform. Last reply by Bhushan Deo Mar 20, 2020. 12 Replies

(question posted on behalf of a CISO member)Due to CORONA virus most of the organizations are allowing their employees to work form home.Has any one issued security advisory for work from home ?Continue

Tags: #COVID19

Follow us

Contact Us

Email: contact@cisoplatform.com

Mobile: +91 99002 62585

InfoSec Media Private Limited,First Floor,# 48,Dr DV Gundappa Road, Basavanagudi,Bangalore,Karnataka - 560004

© 2021   Created by CISO Platform.   Powered by

Badges  |  Report an Issue  |  Privacy Policy  |  Terms of Service

/* */