ISACA Now Blog



3 Steps of Cloud Security Adoption

Gary Miller, CISSP, CISA, CIA, CRMA, CCSA, ITILv3, Senior Director of Information Security at TaskUs
Posted: 11/24/2015 8:40:00 AM | Category: Cloud Computing

Cloud adoption is trending—and it is an inevitable choice for any enterprise that wants to stay relevant in today’s interconnected world.

The security of storing and processing critical data outside of the enterprise’s control is a central factor to the analysis of cloud adoption.

So whether your organization employs a cloud-first strategy or is still sitting on the sidelines of the cloud game, there are three key steps to understanding what risks the cloud poses to your data.


  1. Assess your current cloud usage. What cloud services are your users already using to do their jobs? Security leaders should sponsor a project to inspect all network traffic using a web proxy server or cloud access security broker (CASB) to fully identify your enterprise’s app consumption. The next step is to differentiate between enterprise-sanctioned apps and rogue shadow IT apps. The prevalence of shadow IT is either unknown or underestimated by the IT departments at most enterprises. The mounting risks from decentralized and uncontrolled cloud service adoption across the gamut of enterprise applications have left CIOs wondering how best to assess the extent of shadow IT services that have migrated to the cloud without adequate control measures or oversight from IT. While these shadow IT systems may have served as a quick win for the business when implemented, the legacy impact of these cloud solutions is redundancy and an increased attack surface throughout the enterprise. As surveillance and data leakage concerns continue to haunt consumers and businesses alike, security due diligence on cloud solutions is paramount.

  2. Adjust your strategy to reduce cloud risk. There may be significant cost and efficiency gains possible by moving select services to the cloud. Risk reduction measures should be evaluated concurrently to securely scale your cloud adoption. Consider cloud identity management solutions for single sign-on to enable centralized access controls, including multifactor authentication options. Further, automated user provisioning will inject security into your application portfolio management. Another recommendation to security leaders is to leverage a layer 7 next-gen firewall for web traffic classification and control. This visibility will allow you to block risky, nonbusiness apps, such as peer-to-peer sharing, or restrict quasi-business apps, such as file sharing services, to only privileged users/groups with a demonstrated need.

  3. Plan your future cloud model. Whether your business users want to consume Software as a Service (SaaS) solutions or your IT infrastructure teams see value in Infrastructure as a Service (IaaS) offerings, there are many ways to mitigate your risks while satisfying both sides. Advanced security analytics, data context and application auditing made available by CASBs can enable deep integration into many foundational enterprise apps (Office 365, Google Apps, AWS, Azure). It is also imperative to formalize your application risk assessment when choosing between cloud-based SaaS and increasingly available on-premise SaaS solutions for those critical services that your risk managers cannot bless to the cloud. Some niche cloud service providers (e.g., GitHub, JIRA) also offer on-premise options to customers, and new Docker container technologies (Replicated) now allow vendors to offer the same SaaS experience delivered on-premise, in an effort to keep a better handle on enterprise data and security. In the ultimate decision on cloud adoption, your future cloud model may well be sitting behind your own firewall.



CSX 2015—From a young professional’s perspective

Jason Yakencheck, CISA, CISM, CISSP-ISSAP
Posted: 11/20/2015 9:12:00 AM | Category: Security

ISACA’s inaugural CSX Conference took place in Washington, DC on 19-21 October, and it immediately raised the bar for IT security conferences. The hands-on pre-conference workshops and education sessions during the event provided tremendous value and insight into cybersecurity best practices and industry trends. As a young professional, the opportunity to hear from some industry experts and leading figures within the cybersecurity field was exceptionally beneficial.

The conference provided young professionals a chance to network with subject matter experts, vendors from large corporations and cybersecurity startups, as well as our peers. We were able to understand the ways in which threats are evolving and the skills needed to keep up with the demands of protecting systems and sensitive information. It was easy to follow attendees’ rapid reactions and thoughts as they discussed the conference topics on Twitter, since the updates were displayed on monitors throughout the expo hall and conference center.


Big Data: Beware Comfortable Inaction

Ed Moyle, Director, Emerging Business and Technology, ISACA
Posted: 11/13/2015 3:08:00 PM | Category: Risk Management

Former US President John F. Kennedy once said, “There are risks and costs to action, but they are far less than the long-range risks and costs of comfortable inaction.” He was speaking about ways to decrease antagonism among nuclear powers, but I think there’s a lesson in what he said for those of us in the business world as well. Specifically, sometimes things arise that seem risky in the short term; we’re nervous about doing them because of potential short-term risks or disruption to the organization. But when these potential downsides are weighed against the status quo (i.e., the “comfortable inaction” Kennedy was talking about), taking the short-term risk may well be the better path when viewed over a longer horizon.


Acting as a Liaison to Help Develop Secure Web Applications

Craig R. Hollingsworth, CISA, ISSO, RTI
Posted: 11/10/2015 3:18:00 PM | Category: Security

A challenge that has developed in our work with US federal clients is taking a system that we develop here at RTI through the certification and accreditation (C&A) process and receiving an Authority to Operate (ATO). To date, we have at least 1t systems that have undergone C&A. One of my early learning experiences was working with the US Department of Homeland Security on a moderate impact web application that was developed and hosted at RTI. In this experience, I learned to act as an effective liaison between our development group and the DHS directorate’s security office.


Global Privacy Study: How Does Your Organization Compare?

Yves Le Roux, CISM, CISSP, Chair, ISACA’s Privacy Task Force
Posted: 11/6/2015 8:16:00 AM | Category: Privacy

Major privacy breaches of customer data records are becoming common news headlines, shattering the trust of customers who expected the affected enterprises to protect their personal information. Almost 75 percent of the respondents to ISACA’s 2015 Privacy Survey indicate that their enterprises’ use of privacy policies, procedures, standards and other management approaches is mandatory, while 19 percent indicate that their use is “recommended.” This finding is a reflection of good practice because written policies and procedures should be at the heart of every enterprise, regardless of size.
