5 Things you should Know About Multi-Cloud Security
1) Global Security Compliance Impacts the Bottom Line
Security Failures Cost Millions of Dollars
In the news every day, there are stories of companies being hit by ransomware or fined for violating privacy standards.
Cybercrime will cost the world $10.5 trillion this year. (Morgan)
For a data breach, the largest corporate fine (as of Aug 2021) was $4.2 million. (Authors)
Because most modern applications are distributed, many types of vulnerabilities can arise, and they can be found anywhere: not only in the networking, infrastructure, and application layers, but also in the physical plant, telecommunications, human engineering, and the like.
Regular testing of all types is a good idea. While this article deals with technology architecture issues, other security aspects should not be ignored.
2) General Architecture Principles
A general architecture that deals with security concerns should be mapped to security controls in all parts of the enterprise: business operations and support, IT operations and support, technology solutions and services, and security and risk management. Within each of these areas, specific controls will need to be created to ensure compliance.
(“Enterprise Architecture Working Group | CSA”)
As security constraints cover every part of the enterprise, upper management advocacy is necessary. Many security efforts fail due to lack of stakeholder sponsorship. The C-suite (and preferably the company Data Protection Officer (DPO) and the Certified Information Systems Security Officer (CISSO) as well) should be aware of the controls and audit status of the entire enterprise.
3) GDPR, PCI, PII and Other Security Requirements
There are a plethora of different security strictures (techtarget) to be aware of when working in an international environment. There are also ongoing efforts (Giannopoulou and Wang) in various organizations to provide more universal security standards across the world.
In the current environment, the best practice is to design infrastructure that complies with the regulations of every country in scope. For example, the EU has the General Data Protection Regulation. Be aware that there are many conditions on the implementation of these regulations (secondary usage, data protection agreements, etc.) that have to be taken into account.
What Is the General Data Protection Regulation (GDPR)?
A more precise definition of the terms can be found in the relevant security requirements, but to provide context, from the GDPR specification (“GDPR Archives - GDPR.eu”): “Processing is necessary to execute or to prepare to enter into a contract to which the data subject is a party (e.g., you need to do a background check before leasing property to a prospective tenant).” (Wolford)
What Are PII and PCI?
Personally Identifiable Information (PII) is a term for data that can be used to single out a specific individual. Either a single piece of information in a collection, or multiple pieces that can be combined to find a specific person, qualifies. The US Department of Homeland Security defines PII as: “Any information that permits the identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual.” (“What is Personally Identifiable Information?”)
PII security is not just good practice. In some jurisdictions a violation might cost a company “up to €20 million, or up to 4 percent of the annual worldwide turnover of the preceding financial year, whichever is greater.” (“GDPR fines and notices”)
The Payment Card Industry Data Security Standard (PCI DSS) is defined by the US Department of Homeland Security as “Security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment.” Failure to implement proper PCI security can cost a company up to $500,000 per incident. (“PCI-DSS: Security - Penalties”)
4) What About Hardened Environments Like Those Governments Use?
For systems that need a more stringent security environment, there are complex security requirements you must meet before you can begin processing. For example, the FedRAMP security protocols require a host of very specific controls across the enterprise. (“FedRAMP Security Controls Baseline document”)
These security constraints can be built in by the cloud provider (Google Cloud, for example). This then requires mapping the provider's controls to the company's environment and data needs. (“Google Cloud FedRAMP implementation guide | Cloud Architecture Center”)
5) How Does a Company Adopt These Policies?
The company should get a security audit from a firm that can provide documentation of compliance with the required standards. Assuming the audit finds vulnerabilities, the analysis and remediation planning is done by the security department. Once all remediations have been done, certification and continued compliance monitoring will provide valuable insight into any security vulnerabilities that might arise.