Watch: Secure Migration to the Cloud

Date: October 27, 2021

Highlights from the October 27, 2021 webinar in the HBK Risk Advisory series, “Assessing Cybersecurity Risks,” hosted by William J. Heaven, CPA/CITP, CISA, CSCP, Senior Director, HBK Risk Advisory Services, and featuring presentations by Pawel Pikul, Senior Manager, Vertilocity, and Chris Bowman, vCIO, Vertilocity.

  • Key terms to understand:

    – Identity/access management: how we identify an individual and assign access permissions and privileges

    – Data protection: a method for controlling what users can do with the data they can access, even outside the confines of the corporate network; the organization must ensure its data is protected no matter where employees are working with it

    – Availability: how much time a system is available for use. In cloud service provider (CSP) agreements, 99 percent means 7.3 hours of downtime per month, 99.5 percent is 3.65 hours per month, 99.95 percent is 21.91 minutes per month, and 99.999 percent is 26.3 seconds per month. Improved availability is typically provided through redundancy.

  • Shadow IT:

    – Cisco defines Shadow IT as “IT-related hardware or software (in use) by a department or individual without the knowledge of IT or security group within the organization. It can encompass cloud services, software, and hardware.”

    – There are risks involved with shadow IT. Controlling it requires constant discovery and evaluation of whether the cloud provider is complying.

  • Evaluating the security posture of a CSP:

    Risks include:

    – Lack of a common framework among cloud providers; you have to assess each environment separately

    – No industry-specific standards, though industry experience is important

    – CSPs vary widely: from the giants to regional data centers to small specialty data centers

    – Compare the flexibility of a dedicated solution to out-of-the-box solutions

    – Check on compliance with formal third-party security assessments, including SSAE 18, SOC 1, SOC 2, HIPAA and PCI DSS

    Considerations that affect how well the cloud works for you include your goals, performance, availability, technology stack, costs, and security/compliance.

  • Understand how the CSP protects your data: protection against unauthorized access, your own access controls, and the circumstances under which the CSP itself might have access to your data (this should be spelled out in your agreement)

    – Is data encrypted and who has access to the encryption key to ensure data is secure and encrypted?

    – How is data protected from unauthorized access?

    – Who is responsible for managing and monitoring for unauthorized access?

    – The organization needs to know it is responsible for configuring the controls so the data is secure in the cloud, and for enabling those security features.

  • Protecting your cloud workload:

    Formerly, you built a firewall around your data and it stayed within those walls.

    The traditional idea of a firewall at the entrance to your network does not provide the security needed today.

  • Four areas of cloud security:

    – Identity: a user name and password are too easily stolen in current environments. Microsoft calls passwords the weakest link in the security chain. Additional verification is needed. Solutions include multifactor authentication and fingerprints, which are difficult to copy. It has been proposed that multifactor authentication can protect against 99.9% of identity attacks.

    – Conditional access: policies to restrict access by geographic location, client application, public IP address, registered devices (mobile device management); adaptive policies like risk-based sign-in; note unusual methods like access from a developer tool instead of a web browser

    – Devices: protect the integrity of devices at remote locations by patching and installing updates, restricting access, and ensuring compliant devices via encryption as part of mobile device management

    – Data protection: four steps include

    – classification, identifying data by its sensitivity

    – labeling, making data easy to search for by category

    – encryption, to prevent unauthorized access

    – access restriction policies, taking information from classification and labeling and imposing controls
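The conditional access and device items above describe a tiered decision: hard-block sign-ins that violate location, risk or client-application policy, step up to multifactor authentication when the device or network is not fully trusted, and allow only the rest. The following is an added illustration written for this page, not code from the webinar or from any vendor product; the policy values (allowed countries, the trusted office network, the client names) and the sample sign-ins are constructed, and the country and risk score are assumed to come from upstream geo-IP and risk-scoring services.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class SignIn:
    """One sign-in attempt. country and risk_level are assumed to be supplied by
    upstream geo-IP and risk-based sign-in services (assumption, not a real API)."""
    user: str
    country: str              # ISO 3166 code, e.g. "US"
    client_app: str           # "browser", "mobile_app", "dev_tool", "legacy_smtp", ...
    source_ip: str
    device_registered: bool   # enrolled in mobile device management
    device_compliant: bool    # MDM reports encryption and patch policy met
    risk_level: str           # "low" | "medium" | "high"


# Hypothetical tenant policy values; replace with your own.
ALLOWED_COUNTRIES = {"US", "CA"}
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]  # documentation range standing in for office egress
INTERACTIVE_CLIENTS = {"browser", "mobile_app"}


def evaluate(signin: SignIn) -> str:
    """Apply the policy tiers in order and return 'block', 'require_mfa' or 'allow'."""
    # Tier 1: hard blocks. A location outside policy, a high risk score, or an
    # unusual client (developer tool, legacy protocol) ends the evaluation.
    if signin.country not in ALLOWED_COUNTRIES:
        return "block"
    if signin.risk_level == "high":
        return "block"
    if signin.client_app not in INTERACTIVE_CLIENTS:
        return "block"
    # Tier 2: step-up. Anything not fully trusted must present a second factor.
    compliant_device = signin.device_registered and signin.device_compliant
    on_trusted_network = any(ip_address(signin.source_ip) in net for net in TRUSTED_NETWORKS)
    if not compliant_device or not on_trusted_network or signin.risk_level == "medium":
        return "require_mfa"
    # Tier 3: compliant device, trusted network, low risk.
    return "allow"


# Constructed sample sign-ins, one per branch of the policy.
SAMPLE_SIGNINS = [
    SignIn("alice", "US", "browser",    "203.0.113.10", True,  True,  "low"),     # allow
    SignIn("bob",   "US", "browser",    "198.51.100.7", True,  True,  "low"),     # off-network -> MFA
    SignIn("carol", "US", "browser",    "203.0.113.20", False, False, "low"),     # unmanaged device -> MFA
    SignIn("dave",  "US", "dev_tool",   "203.0.113.30", True,  True,  "low"),     # unusual client -> block
    SignIn("erin",  "XX", "browser",    "198.51.100.9", True,  True,  "low"),     # location -> block
    SignIn("frank", "US", "browser",    "203.0.113.40", True,  True,  "high"),    # high risk -> block
    SignIn("grace", "US", "mobile_app", "203.0.113.41", True,  True,  "medium"),  # medium risk -> MFA
]


def evaluate_all(signins=SAMPLE_SIGNINS) -> dict:
    """Return {user: decision} for a batch of sign-ins."""
    return {s.user: evaluate(s) for s in signins}


if __name__ == "__main__":
    for user, decision in evaluate_all().items():
        print(f"{user:8s} {decision}")
```

The ordering matters: block conditions are checked before step-up conditions so that a high-risk or out-of-policy sign-in is never rescued by a second factor, which mirrors the point that a stolen password plus a spoofed client should not reach the MFA prompt at all.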

  • How to discover and properly control cloud apps

    Shadow IT: controlling shadow IT is an ongoing process:

    – Discover what applications and machines are in use

    – Evaluate and analyze whether they are compliant with permissions

    – Manage the environment by establishing policies, removing applications that don’t comply with those policies, and implementing controls, including a feedback mechanism so you know when other applications come into the organization.
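The discover, evaluate, manage cycle above is usually driven from outbound proxy or firewall logs. The following is an added example for this page, not code from the webinar or from any product: it parses constructed proxy log lines, builds an inventory of every cloud host in use, reports the ones missing from a sanctioned-app list (largest upload volume first, since uploads to unknown apps are where data leaves the organization), and exposes a feedback hook that names hosts not seen in the previous inventory. The log format, host names and sanctioned list are all constructed assumptions.

```python
import re
from collections import defaultdict

# Hypothetical inventory of sanctioned cloud apps kept by IT (assumption, not a real list).
SANCTIONED_HOSTS = {
    "mail.example-saas.com": "corporate e-mail",
    "files.example-saas.com": "corporate file share",
}

# Constructed outbound web-proxy log: "<timestamp> <user> <method> <host> <bytes>".
SAMPLE_LOG = """\
2021-10-27T08:01:12Z alice GET mail.example-saas.com 4096
2021-10-27T08:02:40Z bob POST files.example-saas.com 20480
2021-10-27T08:05:03Z carol POST notes.unknown-app.example 1048576
2021-10-27T08:06:19Z carol PUT notes.unknown-app.example 2097152
2021-10-27T08:09:55Z dave GET share.unknown-app2.example 512
2021-10-27T08:11:30Z alice GET mail.example-saas.com 1024
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|DELETE) (\S+) (\d+)$")
UPLOAD_METHODS = {"POST", "PUT"}


def parse_log(text):
    """Yield one record per well-formed line; malformed lines are skipped rather than guessed at."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, method, host, nbytes = m.groups()
            yield {"ts": ts, "user": user, "method": method, "host": host, "bytes": int(nbytes)}


def discover(text):
    """Step 1, discover: every host seen, who used it, and how much data went to it."""
    inventory = defaultdict(lambda: {"users": set(), "bytes": 0, "upload_bytes": 0})
    for rec in parse_log(text):
        entry = inventory[rec["host"]]
        entry["users"].add(rec["user"])
        entry["bytes"] += rec["bytes"]
        if rec["method"] in UPLOAD_METHODS:
            entry["upload_bytes"] += rec["bytes"]
    return dict(inventory)


def unsanctioned_report(text, sanctioned=SANCTIONED_HOSTS):
    """Step 2, evaluate: hosts absent from the sanctioned list, largest upload volume first.
    Returns a list of (host, sorted users, upload_bytes)."""
    report = [
        (host, sorted(entry["users"]), entry["upload_bytes"])
        for host, entry in discover(text).items()
        if host not in sanctioned
    ]
    return sorted(report, key=lambda r: r[2], reverse=True)


def newly_seen(text, known_hosts):
    """Step 3, manage: the feedback hook. Hosts in this log that were not in the last
    inventory, so the policy owner learns when a new app enters the organization."""
    return sorted(set(discover(text)) - set(known_hosts))


if __name__ == "__main__":
    for host, users, upload in unsanctioned_report(SAMPLE_LOG):
        print(f"{host:30s} users={users} upload_bytes={upload}")
    print("new since last inventory:", newly_seen(SAMPLE_LOG, SANCTIONED_HOSTS))
```

In practice `known_hosts` would be the previous run's `discover()` output persisted to disk, so each run reports only what changed; the sanctioned list is the policy, and the gap between the two lists is the work queue for the "manage" step.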

  • Automated tools exist to assess your environment and report on it. They provide documentation to demonstrate your efforts and compliance.
