- On February 28, 2019
Cloud Security from a CISO's Perspective is the topic in March at the Cloud Meetup.
The use of cloud-based services (across the IaaS, PaaS and SaaS spectrum) presents new challenges to CISOs as they work to secure the enterprise. A CISO must look at cloud-based services from two, sometimes competing, perspectives. One is compliance with federal and state mandates as well as industry-based standards. These introduce requirements such as ensuring “least privileged” access and “separation of duties.” The very nature of cloud-based services can conflict with these goals, yet simply “locking down” cloud-based services would defeat the value they bring to the business. A CISO must also look at the cloud from a risk perspective and ensure the security controls applied are risk-commensurate. While the compliance perspective is typically approached as a checklist, the risk-based perspective cannot be. It is more nuanced and cannot rely on an external authority for justification. For this reason, many organizations are not as mature in this category, leading to one of two errors: either over-controlling cloud-based services until they no longer provide high value, or under-controlling them and placing sensitive data at risk. This discussion will look at this dynamic and provide recommendations for effectively determining and implementing cloud-based security controls.