7 steps to developing a cloud security plan · 2016-02-05 · whitepaper: 7 steps to developing a...


Page 1: 7 STEPS TO DEVELOPING A CLOUD SECURITY PLAN · 2016-02-05 · Whitepaper: 7 Steps to Developing a Cloud Security Plan 3 3 As enterprises move more of their IT resources to the cloud,

Whitepaper 2015

7 STEPS TO DEVELOPING A CLOUD SECURITY PLAN


Whitepaper: 7 Steps to Developing a Cloud Security Plan 2

TABLE OF CONTENTS

Executive Summary (page 3)

Introduction: Understanding the Security Challenge (page 4)

Step 1: Review Your Business Goals (page 5)

Step 2: Maintain a Risk Management Program (page 6)

Step 3: Create a Security Plan That Supports Your Business Goals (page 7)

Step 4: Establish Corporate-wide Support and Alignment (page 8)

Step 5: Create Security Policies, Procedures and Standards (page 9)

Step 6: Audit and Review Often (page 10)

Step 7: Continuously Improve (page 11)

Conclusion (page 12)

About NaviSite (page 13)

Appendix: Security Checklist (page 14)

EXECUTIVE SUMMARY

As enterprises move more of their IT resources to the cloud, protecting against security breaches is a top concern. IT executives often cite worries over security as a reason why they are not taking greater advantage of cloud services.

Yet, as a wide range of studies have demonstrated, looking at security in terms of “cloud vs. on-premises” sheds little light on the actual security challenges facing an enterprise. A company’s security profile is far more influenced by factors such as its industry, the extent of its presence and how it interacts with customers than the type of IT infrastructure it uses.

Security is both a management and technology undertaking. For enterprises that rely on cloud services, it also requires a close working relationship with the cloud provider and a clear understanding of the shared responsibilities.

In our data centres and across our extensive set of managed services and cloud offerings, NaviSite meets some of the highest industry standards for data integrity and security. Yet we know that the success of any security strategy is the result of the partnership we forge with our clients.

To help facilitate this partnership, NaviSite has developed a process and checklist that can be used by enterprise security, compliance, and IT professionals as a manageable framework for crafting a successful cloud computing security plan.

It defines seven steps—sequentially—that have been tested and refined through NaviSite’s experiences helping hundreds of companies secure enterprise resources according to best practices.

By following these steps, the enterprise can rely on a proven methodology for cost-effectively and securely leveraging cloud services.

NaviSite takes pride in ensuring its enterprise customers’ services are secure and reliable, but encourages all businesses—no matter what provider they are partnering with—to take an active role in confirming their specific security and compliance requirements are being met.

INTRODUCTION: UNDERSTANDING THE SECURITY CHALLENGE

The huge data breaches that have hit the internally-managed IT operations of so many companies across so many industries are a reminder of the critical challenges involved in implementing and maintaining a secure infrastructure.

The prominence of the organisations involved (top names in retail, entertainment, healthcare and even information security), the scope of the attacks (millions of customer records, emails and all kinds of confidential information were stolen), the penalties (hundreds of millions of dollars) and the upheaval in management (top executives lost their jobs) have left a lasting impression.

No Company Is Immune from Attack: These incidents have been a reminder that no company is immune from attack. A careless employee, a misplaced USB drive, credentials stolen via phishing—these and other incidents happen every day. While the right security can block attacks and limit their damage, no security plan can deliver 100 percent protection all the time.

Focus on Fundamentals: In the postmortems on these highly publicised attacks, it became evident that fundamental security measures were often missing: For example, firewalls had not always been implemented and password security standards were lax. More attention to basics might not have prevented the attacks, but it could have mitigated the damage.

Segmentation and Isolation: The ability of hackers to gain access once, and then roam entire networks seemingly at will, has highlighted the value of network segmentation strategies that make it possible to isolate locations where malware is at work and lessen the potential damage.

Ultimately, security is a financial issue. On that score, there is a strong case to be made that cloud providers have a great deal to offer in today’s environment:

• Cloud computing has always provided compelling cost benefits, including scalability with reduced capital expenditure, more efficient use of IT resources and the ability for an organisation to focus on its core competency. These benefits also extend to security: By amortising the cost over a large, multi-tenant infrastructure, a cloud provider is likely to be better able to achieve a higher level of security in a virtualised, cloud environment than enterprises can achieve on their own internally.

• It’s also well established that specific cloud services, such as Desktop-as-a-Service, have the advantage of significantly enhancing security by providing centralised control over the applications and data being used by employees—if a device is lost or stolen or the employee is no longer with the company, the DaaS account can be terminated, eliminating any further access.

Security is a multi-faceted undertaking touching on a wide range of considerations involving management, IT, finance, human resources, customer service and more. Implementing security in a cloud context requires the commitment of both the provider and the client to maintain best practices.

That’s the goal of the process and checklist detailed in this white paper.

STEP 1: REVIEW YOUR BUSINESS GOALS

It is important that any cloud security strategy begins with a basic understanding of your specific business goals. Security is not a one-size-fits-all scenario and should focus on enabling:

• Technologies: Authentication and authorisation, managing and monitoring, and reporting and auditing technologies should be leveraged to protect, monitor and report on access to information resources.

• Processes: Methodologies should be established that define clear processes for everything from provisioning and account establishment through incident management, problem management, change control and acceptable use policies that govern access to information.

• People: Organisations need access to the proper skill sets and expertise to develop security plans that align with business goals.

Too often, organisations view internal security and compliance teams as inhibitors to enterprise agility. It’s important that all parties involved in the process have a thorough understanding of business objectives and long-term strategies to enable business growth, and recognise that respecting those goals is essential to successful security.

The best way to do this is to develop cloud security policies based on cross-departmental input. A successful security programme should include contributions from senior management, finance, sales, engineering, manufacturing, human resources and all stakeholders to ensure that policies are aligned and procedures are practical and pragmatic. The broader the input, the more likely the final security plan will truly align with, and support, corporate goals.

CLOUD SECURITY IN ACTION

At NaviSite, we often see customers faced with the challenge of making major security and technology changes to address evolving corporate goals. Take the example of a customer hosting multiple merchant sites using a Payment Card Industry (PCI)-compliant application. The company was acquired and the new parent required stricter controls.

We worked closely with all parties to bolster and better align the acquired company’s security and compliance programmes with the corporate goals of the parent company, identifying and documenting the objectives for the new compliance programme to ensure that they were aligned with the overarching PCI programme.

STEP 2: MAINTAIN A RISK MANAGEMENT PROGRAM

Regardless of where your IT assets are housed or who manages them, it is naïve to think that they will never be breached. Every organisation needs to develop and maintain a risk management programme, and it should be done centrally and viewed holistically.

A risk management programme is important not only for reducing overall exposure to damaging data breaches, but is also essential for prioritising the utilisation of resources and for supporting long-term business strategies. It is only through a well-defined and carefully maintained risk management programme that you can provide an aggregated view of the risk that a company is willing to accept.

An organisation that can better identify and reduce the risks involved in the introduction of new products, technologies, processes, people and vendors is also an organisation that can better focus on revenue growth and improved profitability.

It’s critical to regularly conduct careful analyses and develop responsible programmes that build in the necessary controls and auditing capabilities within budgetary constraints.

Be sure to factor in the added value of moving assets to the cloud, such as additional benefits to be gained by relying on your provider's business continuity resources or the advantages that a capability such as Desktop-as-a-Service may be able to offer both in terms of increased mobile flexibility and greater control over distributed resources.

CLOUD SECURITY IN ACTION

A publicly traded company that outsourced its financial applications to NaviSite conducted a risk management assessment that highlighted the company’s lack of a business continuity and disaster recovery (BCDR) plan.

As we worked with the company—identifying risks, evaluating the value of the assets and looking at annualised loss expectancies—they realised the economic argument and value for enabling seamless failover to a redundant site across the country.

The company now has a solid, cloud-based disaster recovery programme in place with annual testing to ensure business continuity. They did not initially understand the risk they were incurring until they developed a formal risk management programme, and by quantifying that risk, the company was able to take appropriate steps.

STEP 3: CREATE A SECURITY PLAN THAT SUPPORTS YOUR BUSINESS GOALS

Once goals have been identified and a risk management assessment conducted, it becomes time to detail a specific security plan.

Your plan should include goals with measurable results. The plan should also drive adherence to compliance programmes, technologies and processes—again with very specific results.

Let’s take the example of a growing IT services company that wants to pursue a data centre standardisation programme, such as SSAE 16 (the successor to the SAS 70 standard).

Goals should include:

• A specific date for completion

• Verification of achievement, such as a Service Organisation Controls (SOC) report

• Measurable expected results, such as a 5 percent reduction in reported incidents, a 10 percent reduction in Annualised Loss Expectancy (ALE) or a 20 percent increase in successful customer audits

Often, a security plan needs to be developed both as a result of corporate strategies and to stay aligned with compliance requirements. By partnering with a cloud provider such as NaviSite, organisations are more nimble and can more easily modify their security plans to support evolving corporate strategies and regulations.

CLOUD SECURITY IN ACTION

The Health Information Technology for Economic and Clinical Health Act (HITECH) addresses the privacy and security concerns associated with the electronic transmission of health information. In doing so it extends the privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). NaviSite works closely with a range of healthcare organisations to support HITECH compliance. By partnering with NaviSite, our healthcare clients are able to take advantage of our expertise and also roll out necessary changes more seamlessly, without disrupting the usability of existing applications.

STEP 4: ESTABLISH CORPORATE-WIDE SUPPORT AND ALIGNMENT

It is impossible to completely eliminate risk, but it is prudent to mitigate it in a reasonable manner. Balancing (and modifying) security restrictions to facilitate ease of deployment and organisational acceptance inevitably involves tradeoffs.

When it comes to security, you can be assured of one thing: A security plan that exceeds a reasonable cost justification, unnecessarily interferes with corporate agility or otherwise negatively impacts the achievement of key business objectives will not be successful.

Prioritising policies and ensuring that they are not in conflict with other policies from different departments is essential for establishing support and acceptance.

The majority of your time should be spent learning how the business truly functions so that security can better contribute to its success, and then building support for the policies that make sense.

CLOUD SECURITY IN ACTION

At NaviSite, we have worked with a wide range of companies where security and organisational needs have come into conflict:

• At a manufacturing company involved in building highly sensitive products, the security team designed a plan that was so restrictive that the plant had to ignore the mandated controls to function productively. This led to the failure of the third-party audit and ultimately a recall of the product that was manufactured with the circumvented controls.

• An insurance company developed an application for estimating the cost of the insurance needed to secure the data sources used by the application. Unfortunately, the security policies for the application were written in such a way that internal departments were prevented from viewing critical data needed to perform their jobs.

Companies need to ensure that the security plan is not only aligned with the goals of the organisation, but also with the goals of the major departments that will be implementing it. Gaining this acceptance streamlines adoption throughout the organisation.

STEP 5: CREATE SECURITY POLICIES, PROCEDURES AND STANDARDS

New clients often ask, “What’s the easiest way to create security policies, procedures and standards?” The answer is simple—turn to best practices. When it comes to establishing security guidelines, it is much easier, more practical and productive to edit than it is to create.

• Read everything you can and apply best practices to creating policies that align with business goals

• Develop procedures that are realistic and that will be acceptable to the organisation

• Wherever possible, turn to industry standards to guide you

This is where a cloud services provider can be invaluable, particularly for growing organisations that have not yet embedded established policies and procedures into the company.

CLOUD SECURITY IN ACTION

For example, a healthcare provider that needs to provide HIPAA- and HITECH-compliant healthcare services to new and existing patients may need to build security policies that define the constraints in the handling of Protected Health Information (PHI), procedures that define the process of acquiring PHI, and guidelines that encourage the general adoption of best practices. This process can be disruptive to staff and patients alike.

By turning to NaviSite, organisations can take advantage of our experience in implementing such changes as well as the existence of established processes that can dramatically reduce the learning curve for developing security policies, procedures and standards.

At NaviSite, change management is a clearly defined process governed by well-established guidelines. Each change must be approved by the proper personnel, and then implemented in a quality assurance environment. Once it is tested and approved through a user acceptance procedure, it is introduced to the end-user community in the least intrusive manner possible with a clearly defined back-out procedure in place in case there are unforeseen problems or issues with user adoption.

This is an example of a process that we have found to be very helpful to our clients in implementing and updating security procedures.

STEP 6: AUDIT AND REVIEW OFTEN

Whenever there is a security plan in place, it is important to monitor it on a regular basis, report on achievements and audit compliance levels across the organisation. If it is part of your overall business plan, a third-party audit can provide an impartial review.

Some industries mandate audits, and publicly traded companies are typically required to conduct internal audits every quarter when they release financial statements. Understanding the auditing requirements for your business and the frequency of your audits is essential not only for ensuring compliance with relevant requirements but also for maintaining best practices for securing enterprise resources.

CLOUD SECURITY IN ACTION

SSAE 16 audits are typically conducted every six months, but at NaviSite we conduct internal audits every three months to ensure ongoing compliance and provide assurance that our data centres and our support infrastructure remain current with SSAE 16 requirements. The SSAE 16 audit is aligned with our security goals because it assures customers that our processes, procedures and controls have been formally reviewed.

It also demonstrates our compliance with Section 404 of the Sarbanes-Oxley Act. By auditing and reviewing the results regularly, companies can implement a constant audit cycle that ensures that the controls remain in place and that they are being followed. If problems occur, they can be identified and remediated before the next audit cycle.

STEP 7: CONTINUOUSLY IMPROVE

A well-developed security plan will allow for the continuous improvement of security and compliance. At a minimum, annually review your cloud-computing security plan with senior executives and your cloud services provider, and revise goals and objectives as needed. Review and edit security policies and procedures, and actively report back to the organisation the accomplishments of the security and compliance teams.

CLOUD SECURITY IN ACTION

Many companies believe that once they have solid policies and procedures in place that they do not need to revisit them—but your industry and your business will change over time, and the technology available to support your security plan will evolve.

Take mobility as an example where changes are occurring very quickly: Just ten years ago, remote workers had limited access to enterprise applications, but rapid advances in secure remote access have driven most companies to develop policies and procedures to support a mobile workforce. Technology to support these policies and procedures now includes cloud-based services such as:

• Enterprise Mobility Management (EMM)

• Desktop-as-a-Service

• Managed Office 365

These and other services are enabling businesses to provide the flexibility for employees to work from virtually anywhere. As they are added, the organisation's overall security plan should be adjusted accordingly.

Review all of your generally accepted security policies at least annually. At NaviSite, we review our security policies on an even more frequent basis. An annual review is designed into some compliance policies; if that’s the case for your business, consider reviewing your security policies every six months so you have the time to evaluate your current policies, update them when needed and change procedures when necessary before your next audit.

Continuous improvement is the key to your security plan. Understanding the dynamic nature of your business and constantly evaluating security requirements are the foundation for implementing a successful continuous improvement strategy.

CONCLUSION

These seven steps are meant to serve as a framework to guide companies as they develop a secure cloud-computing plan. By following these guidelines, organisations can structure security and compliance programmes to take advantage of the financial benefits of managed cloud applications and services while meeting organisational security and compliance objectives.

While every organisation is different, given the financial constraints facing most IT operations today, a properly managed cloud infrastructure provides the opportunity to achieve higher levels of security and compliance more cost-effectively. It allows companies to more efficiently deploy scarce technical personnel.

Selecting a stable cloud service provider with world-class data centres, enterprise cloud-computing infrastructure, application expertise and a proven security methodology will help the enterprise reap the financial rewards of cloud computing while implementing a security framework optimised for the requirements of cloud architectures.

ABOUT NAVISITE

NaviSite, Inc., a Time Warner Cable Company, is a leading international provider of enterprise-class, cloud-enabled hosting, managed applications and services. NaviSite provides a full suite of reliable and scalable managed services, including Application Services, Cloud Desktop Services, Cloud Infrastructure Services and Hosting Services for organisations looking to outsource IT infrastructures to help lower their capital and operational costs. Enterprise customers depend on NaviSite for customised solutions, delivered through an international footprint of state-of-the-art data centres.

For more information on NaviSite Europe, go to navisite.co.uk, email [email protected] or call 0800 6122933.

APPENDIX: SECURITY CHECKLIST

Use the proven process described in this white paper and the summary checklist provided here in Appendix A as an easy guide to structuring your cloud-computing security plan.

STEP 1: REVIEW YOUR BUSINESS GOALS

• Understand your business goals and direction

• Develop cloud security policies based on cross-departmental input that includes insights from senior management and all of the stakeholders

• Ensure that all security policies are aligned with strategic goals, and that the procedures are practical and pragmatic

STEP 2: MAINTAIN A RISK MANAGEMENT PROGRAMME

• Develop and maintain a risk management programme centrally, and view it holistically

• Carefully define exactly who is authorised to accept risk on behalf of the enterprise

• Implement a well-defined and carefully maintained risk management programme so you can provide an aggregated view of the risk that a company is willing to accept

• Ensure that security professionals regularly conduct careful analysis to develop responsible programmes and build in the necessary controls and auditing capabilities to mitigate risks and protect organisational assets

• Gain executive-level buy-in to the cloud computing risk assessment policy, and for publicly traded companies, gain Board-level approval if necessary.

• Consider seamless failover to a redundant data centre and disaster recovery planning integral to risk management.

STEP 3: CREATE A SECURITY PLAN THAT SUPPORTS YOUR BUSINESS GOALS

• Develop goals with measurable results that are consistent with providing support for the growth and stability of the company.

• Include compliance programs, technologies, and processes with specific metrics.

• Work with your cloud service provider to ensure that your security plan is nimble enough to support evolving corporate strategies or regulatory requirements.

STEP 4: ESTABLISH CORPORATE-WIDE SUPPORT AND ALIGNMENT

• Gain the approval of your cloud computing security plan from not only executive management but also the general workforce.

• Make sure security policies are not in conflict with other policies from different departments, and that they are not too time-consuming.

• Establish levels of security that can be centrally managed and conveniently implemented across the organisation.


STEP 5: CREATE SECURITY POLICIES, PROCEDURES, AND STANDARDS

• Establish a set of guidelines to ensure that all compliance measures are identified.

• Make sure that compliance requirements are reflected in your policies and procedures.

• Ensure that auditors can clearly review your policies and how you have implemented them, so they can verify that they are being followed.

• Design a comprehensive, layered approach based on a security framework to address common regulatory requirements. This will make it easier to adopt and maintain security procedures that can be audited so you can achieve your security and compliance goals.

• Turn to this 7-step plan as the foundation for your internal audits. If you don’t have these steps in place, you won’t have a structure that auditors can easily follow.

• Read everything you can and apply best practices to creating policies that align with business goals.

• Develop procedures that are realistic and that will be acceptable to the organisation.

STEP 6: AUDIT AND REVIEW OFTEN

• Review the security plan on a regular basis, report on achievements of goals, and audit the compliance of the organisation to the security policies and procedures.

• If it is part of your overall business plan, turn to a third-party audit to provide an impartial review of the controls and report on compliance to established programs.

• Understand the auditing requirements for your business and the frequency of your audits not only for ensuring compliance with relevant requirements but also so you can implement best practices for securing enterprise resources.

• Audit and review the results regularly to ensure that the controls remain in place and that they are being followed.

• If an audit reveals any potential security or compliance problems, ensure they are remediated before the next audit cycle.

STEP 7: CONTINUOUSLY IMPROVE

• Annually review your cloud computing security plan with senior management and your cloud services provider.

• Re-establish goals.

• Review and edit security policies and procedures.

• Actively report back to the organisation the accomplishments of the security and compliance teams.

These steps should be implemented sequentially, and it is an iterative process based on best practices and focused on continuous improvement.

By following these guidelines, organisations can structure security and compliance programmes to take advantage of the economic advantages of managed cloud applications and services while meeting organisational security and compliance objectives.


NaviSite, Inc., a Time Warner Cable Company. www.navisite.co.uk

© 2012, 2015 Time Warner Cable Enterprises LLC. All rights reserved.

Time Warner Cable Business Class is a trademark of Time Warner Inc. used under license. © 2015 Time Warner Cable Enterprises LLC. All rights reserved.