Cloud – External Third Party Review and Processes

September 5, 2017

Problem

Corporate currently runs many separate cloud / external third-party review processes.

The Cloud security group has identified risks in the areas of:

  • Software as a Service (SaaS) – Lack of governance, visibility, and controls over SaaS site usage.
  • Risk introduced when deploying cloud technologies and practices.
  • Corporate application re-platforming – Lack of cloud service models for public and hybrid platform implementations.
  • Secure application migration – Numerous security requirements from multiple IT departments create confusion for application managers.

Affects

  • Lines of Business (LOB), driven by time to market, implement cloud services before a strategy is in place and before the technology has been communicated.
  • Consequently, each public cloud / external third-party or hybrid cloud deployment may be unique, with varied controls, and corporate policies, procedures and approvals may not cover the services being deployed.

The impact is

  • Risk exposure to corporate in the following areas:
    • Increased attack surface by allowing other companies and infrastructure to be handlers of customer data, IP and corporate data.
    • Less control and visibility because these services reside outside of our corporate network.

A successful solution would

  • Reduce risk to corporate by
    • Extending the development of the Cloud Security Strategy to cover public and hybrid cloud technologies and practices.
    • Developing and implementing control procedures and processes for public and hybrid cloud technologies and practices.
    • Ensuring consistent execution of Cloud Security controls.
    • Developing and implementing SaaS application security validation and remediation processes.

Scope

Provide processes and resources to guide IT security teams in the evaluation and deployment of cloud platforms and strategies (hybrid and public).

Develop a program approach to support remediation of SaaS sites using a CASB / CASM tool for reporting analytics.

Build and provide an internal information base of research on cloud technologies and practices (hybrid and public).