Governance is a must!

How to manage governance on the cloud and not affect cybersecurity — CyberForged

Governance must be controlled on the cloud too

Miguel Angel Diaz Bautista


Good morning everyone! Today we are going to put on our cybersecurity politician’s hat to talk about a topic that is usually quite complex: How to manage governance on the cloud and not affect cybersecurity. This topic is usually complex because there are people behind it, each with their own visions, steps, processes, and so on. This produces a situation in which, if governance is not clear enough, the cybersecurity of a system can be affected because processes are not controlled or information is not handled properly.

This is precisely an issue that is always taken into account in companies, but very few of them are able to keep tight control over it. Perhaps the moments when a company has the most control over governance are right at the beginning, because the workers take the new internal policies very seriously, and when the company is really mature, since the rules are established, everyone is aware of them, and there are already precedents of the consequences of not following them.

It should be noted that this article attempts to expand on the information provided in our previous post, where we talked about the top areas that a company should take into account when performing all its operations in a cloud system. Also, this information is based on the CSA document.

But in order to begin to understand how we should handle governance, the first thing is: What the fuck is governance?

What is governance?

The definition given by the CSA is as follows:

Governance includes the policy, process, and internal controls that comprise how an organization is run. Everything from the structures and policies to the leadership and other mechanisms for management.

In other words, governance includes everything that has more to do with personnel policy and organization than with technical tasks. A very clear example: When a change in the production systems must be carried out as soon as possible, who has the authority to authorize the change? Under what circumstances could DevOps patch a server without prior authorization?

These types of questions are answered by governance processes, where any type of activity that occurs in the company must be guided and monitored by established processes. How should a production change be made? For this, there must be a process approved by the company, along with a policy and guidelines so that the change process is done with the least possible risk.

Does this sound like Big Brother? Indeed, and for a good reason (forgive me for being angry): EVERYTHING IN A COMPANY MUST BE REGULATED AND CONTROLLED.

All processes must be clearly defined and approved by the company’s management and managers, as this is the only way to ensure that the information is treated in an acceptable and correct way in any situation.

As we can imagine, the direct consequence of having good governance in a company is an increase in cybersecurity: If a company has all its processes approved and followed, it is very difficult for, say, sensitive data to be exfiltrated outside the company.

Well, we already know what governance is, but…. How can we control cloud governance?

Cloud governance

Let’s be honest, if governance in a traditional system is already a curious problem, imagine what happens when we talk about cloud governance. In the latter case, almost 100% of the time we are going to introduce a third party (the cloud service provider) that will have access to our data and that, for sure, will make the current architectures obsolete, so modifications will have to be made (taking into account that a naive “lift-and-shift” almost always causes problems).

This will introduce more complexity to the issue of maintaining governance in our company, that much is clear. But what tools do we have to keep control over the data and processes of our company when a cloud provider is involved?

Contracts

This is the main way for customers to control the governance, processes, and people of a provider. The contract is the only tool and the only guarantee of any level of service, both operational and security-related.

If we as customers need a minimum level of security, with well-established processes and clear guidelines, this must be signed by both parties in the service contract.

Supplier assessments

Here we are not really asking the supplier for governance processes, but rather doing a reality check. It is very simple: We must review and verify that everything the supplier says it has, it really has. That is to say, based on the documentation provided by the supplier, we must conduct an investigation to be sure that everything is in place.

Assessing whether or not it is sufficient based on the evidence provided is our job as employees of the company.

Compliance reporting

This control is the most typical one requested when contracting a supplier.

These are the audit reports that test the internal and external controls to which a supplier is subjected. Normally, these reports attest to whether or not a supplier complies with the policies agreed upon prior to the start of the audit. They can be internal (done by the vendor itself to certify against something, e.g. SOC I/II/III), done by the customer (as verification of services and protections, tested by the customer’s internal technical team), or done by a third party.

The latter is the preferred one, as it means that an entity with no stake in any of the parties involved tests the vendor’s internal measures and policies.

Thanks to these three tools (especially the contracts), we can control how information is handled at the cloud service provider and be sure that it will be treated with a minimum security standard.

What do you think about these tools, do you find them useful or do you think that in reality, it is unrealistic to include security clauses in the contract? Let me know in the comments!

Originally published at https://cyberforged.com on April 22, 2021.


Miguel Angel Diaz Bautista

A computer science engineer, with an extensive background in balancing cybersecurity with business.