How can FIs create an effective cloud security framework?
Hamit notes that in many cases, cloud solutions can outperform traditional security solutions. “More often than not,” he says, “cloud providers offer security controls that may even exceed what is feasible or practical in a traditional on-premises environment.”
This provides a solid starting point for FIs making the move, and Hamit offers some advice on how best to apply cloud security solutions to existing frameworks. “There’s no need to recreate the wheel when it comes to creating a framework for cloud security,” he says. “There are a wealth of authoritative resources available online that can easily help an organization that might be looking for a starting point. For example, the Cloud Security Alliance has a number of expert-developed guides and frameworks that can help assess cloud security, help select appropriate controls, and help an organization delineate responsibilities between customer and cloud providers.”
He also highlights the need for trained and experienced staff. “Organizations should seriously consider investing in staff training,” he says. “Trying to figure things out on the fly is never a good idea, especially when there are potentially serious security ramifications. Many cloud providers offer training programs and on-demand courses that are great for cloud-specific platforms. For a more holistic view of the fundamentals of cloud computing that have broader application, ISACA offers a Cloud Fundamentals certificate program that teaches and validates a learner’s understanding of essential skills.”
What tools can be included in this cloud security framework?
First, solutions that help eliminate manual processes. “Automating repeatable tasks can improve cloud security by eliminating manual touchpoints that lead to human error,” Hamit says. “Using tools like Azure Automation will ensure the infrastructure in the cloud conforms to set standards and will simplify ongoing management, freeing IT staff to spend time on more impactful tasks.”
He also highlights the role of integrated cloud tools offered by vendors. “Even in SaaS environments, cloud providers often provide built-in tools that IT and information security can leverage to take some of the guesswork out of it,” he says. “For example, Microsoft Secure Score provides a score, as the name suggests, that gives the organization a view of its security posture in Microsoft 365, as well as specific recommendations across a multitude of risk vectors. Another popular SaaS platform, ServiceNow, offers a similar capability in its Instance Security Center, where an organization can view important security events and monitor its daily compliance score against instance hardening guidelines and best practices.”
When it comes to scaling the cloud and securing key resources, Hamit puts it simply: “Moving forward in the cloud shouldn’t be when organizations are evaluating cloud security. It should be treated like any other risk when evaluating vendors and understanding the implications for security architecture and data flows.”