Governance should be really important to you

Top 5 critical governance areas to focus on cloud cybersecurity — CyberForged

Good morning everyone, how are you and how are we doing? We here at CyberForged are super excited because today we are going to talk about the 5 governance areas of cloud cybersecurity that we have to focus on in a very accentuated way because, if we don’t, we will be leaving our systems exposed to all kinds of attacks and will have all kinds of vulnerabilities.

For this list, we have based ourselves on the CSA document “Security Guidance for critical areas of focus in cloud computing v4.0”. We have already been analyzing some of the things discussed in this document in CyberForged, which you can see here or here, for example, where we talk about the most accepted cloud security management model in the community.

Within that paper, today we’re going to focus on the governance type areas, that is, those areas that require strategic vision and direction in a cloud environment. The next article will focus on those domains that have more to do with the operation of the cloud environment rather than the policies that govern it.

Shall we get started?

Governance and Enterprise Risk Management

Let’s face it: Changing the entire operation of an enterprise from an on-premise model to a cloud model brings a host of new issues that can be totally overwhelming for someone without a lot of cloud experience.

Precisely because it is almost a scary topic, we must have a risk process that allows us to be confident that we have the situation well measured and studied. We need to have very well-established internal corporate governance and risk management processes in order to be able to take into account, for example, the risk involved in moving a core functionality of our company to the cloud or moving information classified as highly confidential to the cloud.

Remember that risk is something that should always be monitored and should never be left aside. It can be a long and tedious process, but this does not justify not constantly analyzing the risk of each of the actions we perform in the company.

Cloud cybersecurity and Legal Issues: Contracts and Electronic Discovery

No matter what country we are in or what operations our company performs, we will always be subject to laws and contracts in our services. Sometimes these laws will be specific to the field we operate in and sometimes they will be general laws affecting a whole type of data. Examples of specific laws are the GDPR, which applies specifically to the identification data of individuals, or the PSD2, which applies to all payment systems in the world.

In any case, we must always be aware of the legality behind the operations of our company and what requirements are introduced in order to comply with them (greater protection of sensitive data, more layers of security in public bodies…).

Remember that ignorance of the law does not exempt from compliance, so when strategic plans are being made in terms of cloud cybersecurity, we must take into account (among other factors) in which regions of the world the data will be hosted and where they come from in order to find out which laws apply in each case.

Compliance and audit management

Well, all companies have internal policies (and if they don’t, they should have them from the minute the first cybersecurity worker joins the staff) that dictate how to work and how to make the necessary changes.

It is extremely important that compliance with these policies is constantly monitored, otherwise what is the point of a policy that is not being enforced throughout the company? If a policy exists, it is because it MUST be complied with and monitored.

As a result of this monitoring, we can say that we can have an audit trail of compliance with security policies in the company.

Information Governance

A typical question when moving data to the cloud is: Who is responsible for its cybersecurity? Who is responsible for putting in place compensatory security measures so that sensitive data can be considered secure in the cloud? Even: Who can say that data classified as sensitive can go to the cloud?

All these questions must be answered before making any move to the cloud, otherwise, we will be influencing the level of security that the data will have in the target system. Even when the data is already in the cloud, we must keep it under control (for example, if new data is created within the same cloud).

Cybersecurity cloud policy creation

Precisely because of the data governance and risk governance that every company must carry out, the need for the creation of the company’s internal policies must be clear. In a future article, we will talk about the different types of policies that exist within cybersecurity, but for now, the most important thing is the creation of internal policies.

In a future article, we will talk about the different types of policies that exist within cybersecurity, but for now, the most important thing to say is that there must be a sufficient number of policies to be able to regulate all the operations and changes that the company faces both in its day-to-day operations and in its strategic vision.

These policies must be constantly monitored as discussed in the previous sections.

If 90% of our governance efforts were focused on looking at these previously described areas, we could say that we would be in compliance with our due diligence and due care in the topic of cloud cybersecurity. Although next day we will look at the areas we need to focus on when we talk about cloud operations, what do you think about these areas? Do you take enough care of them in your day-to-day life to say that there is not much risk associated with them in your companies?

Let me know in the comments!

Originally published at on April 19, 2021.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Miguel Angel Diaz Bautista

Miguel Angel Diaz Bautista

A computer science engineer, with an extensive background in balancing cybersecurity with bussiness.