09) Does your organisation have a policy governing the use of cloud services?
Answer yes if your organisation has a documented policy on the use of cloud services, and if it has been reviewed in the last year. The policy should include information security requirements for the acquisition, use, management, and exit from cloud services. Please provide the Cloud Services Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.
What is it?
A cloud services policy outlines the rules relating to using cloud services. Historically, systems and data were kept on premises, but more recently cloud computing has become a significant factor and, in many organisations, more systems and data are now in the cloud than on premise.
Typically this is associated with cloud environments such as Amazon Web Services or Microsoft Azure, but there are also thousands of cloud-based services available that people often don’t consider. Many web- and app-based services fall under this category. File sharing services, online project planning tools, all result in company data being moved or stored off premises in the cloud (or quite simply on someone else’s computers). From an end user standpoint this is often so transparent that they do not even realise they are sending data to or through third parties.
As a result, a breach of the third party can result in your data and/or systems being compromised. Another issue is that when employees use cloud-based services, there is often no awareness of it and the IT function is unable to enforce controls against it. For example, the company may have excellent password complexity requirements and multi-factor authentication implemented on on-premise systems, but they likely aren’t present on the DropBox account an employee set up unbeknownst to the organisation in order to share a presentation for an important meeting.
As such, it is important to explicitly define what cloud-based services are allowed, define their terms of use, and, where possible, have controls to enforce such policies.
Why should I have it?
With how easy it is for sensitive data to inadvertently end up on outside cloud systems without any controls or even awareness it is important for clients of suppliers to know that policies and measures are in place to make sure their data is kept safe and that the supplier is unlikely to experience compromises or service disruptions as a result of the careless use of cloud services.
How to implement the control
In its simplest form a cloud services policy defines which cloud services may be used for what purposes and what measures should be taken. Defining this typically requires looking at the organisations processes to see where cloud services may be in use. Traffic analysis of endpoints on the network is another useful way to identify what cloud services people may be interacting with, some of which may escape process review.
Once this information is gathered, formal processes and platforms may be defined as to which platforms should be used for various business functions and a policy can be implemented for enforcement. One very useful technical control for controlling access to cloud services and therefore enforcing policy is a CASB (Cloud Access Security Broker) solution.
There are numerous consultancies or individual consultants that will be able to assist in crafting a policy that meets your business and technical requirements. Please message us if you would like a recommendation.
If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.
