Small Business Guidance

One of the projects we currently have underway in the UK chapter relates to the provision of guidance tailored towards small businesses. Cloud offers start-ups and small businesses the IT capabilities they need to compete with more established organisations but it is unlikely that such firms will have dedicated security teams tasked to secure such capabilities.  This project aims to provide pragmatic insight to help those asked to secure cloud services in small businesses to close some of that gap. 

Here's an update from Andy Camp who is running with this project...

Update

Version 4.0 of the CSA Security Guidance for Critical areas of Focus in Cloud Computing is a 152 page document full of extremely useful information. This document is however difficult to interpret and onerous to implement for the majority of Small and Medium Enterprises (SME’s) who constitute over 99% of businesses in the UK and whose turnover (2014 Figures) represents 47% of the private sector turnover in the UK

The document is difficult to interpret either because the SME’s do not directly employ specialist Security resources or because even if they do there are other more pressing operational security issues to be addressed. This is further complicated by the fact that Cloud suppliers are 3rd parties and so Procurement and Legal expertise may also be required to navigate the 3rd party security assurance activities conducted  alongside procurement and legal issue resolution.

The UK government has previously stated its intention to use more SME’s with the caveat that they must be appropriately secure, demonstrated through participation in the Cyber Essentials scheme. The requirement to obtain Cyber Essentials (if selling to the UK public sector) and changes to legislation (e.g. GDPR) and regulatory requirements means that SME’s cannot afford the luxury of simply assuming security of their data and services in the cloud.

This SME guidance is essentially a business-based 3rd party security assurance approach for SME’s to use to assess prospective cloud suppliers. It is based upon a Business Impact Assessment, a simple method of supplier assurance that leads to a Risk statement and options to manage any identified risks. The criticality of the cloud supply chain to the SME can then be used to prioritise implementation of the risk management activity.

SME’s largely focus on their core revenue earning activities. The mantra for them therefore is that any work on non-core activity must meet three quality criteria: it must be Appropriate, Affordable and Achievable.

The final cloud security report for SME’s will include guidance on

    • Context – assessing what legislation, regulation, contracts and business strategy affects Cloud Service adoption
    • Business Impact – if your cloud supplier fails, what impact is your business likely to suffer?
    • Cloud Supplier Assurance – assessing each supplier to see if strength of their controls meets the needs of the organisation.
    • Risk Assessment - using both the Business Impact and Supplier Assurance Activities to see if the risk of using a particular cloud supplier is acceptable to your business.
    • Working out your options – the steps you can take to mitigate the risk of cloud to your business
  • Implementing your option(s) – taking account of the resources you have, suggested approaches to prioritise and address the risk mitigation options for the most, to the least, critical cloud service you use.

Comments

Post a Comment

Popular posts from this blog

CSA UK Applying MITRE ATT&CK Cloud and Microsoft K8 Matrix

Image
The Cloud Security Alliance UK chapter is presenting a series of sessions to provide CISO's, Cloud Security Architects, DevSecOps and SOC teams a breadcrumb roadmap of how to apply the recently published (late 2019)  MITRE ATT&CK for the Cloud  and also take influence from Microsoft’s recent Threat matrix on Kubernetes (K8).   We are seeking feedback or additional items you would like us to cover.  The proposed series of sessions will cover:   Session 1: [ Author/Presenter: Stephen Owen] 90 mins planned online 24th June CSA session on "What is MITRE ATT&CK and Cloud" and what benefits it brings to each of the stakeholders  What is  MITRE ATT&CK Enterprise  and  Cloud Where to start How to take advantages of the current  MITRE ATT&CK Cloud  and combining with Microsoft’s K8 Matrix;  Suggested practices to follow targeted to each of the below roles: Cloud Security Architects DevSecOps SOC Team  Cloud/CISO Lea...
Read more

Understanding ISO 27001 certification

A guest blog by Steve Watkins, Director at IT Governance Ltd Even though ISO 27001 is the international standard for implementing an ISMS (information security management system) and is used by thousands of organisations around the globe, it occasionally faces criticism on a number of issues. Those with first-hand experience of ISO 27001 know that, when implemented correctly, it provides a comprehensive guide to managing the information security risks that organisations face. Further, the accredited certification scheme that enables organisations to demonstrate that they conform with the requirements in ISO 27001 offers real benefits to those who understand how to interpret claims of certification appropriately. So, what are the Standard’s critics potentially misunderstanding? This blog takes a look at some of the misconceptions, and explains why ISO 27001 is an appropriate framework for managing your information security. What are the criticisms of ISO 27001 certification? You don’t k...
Read more

What is hybrid cloud computing?

Image
    (Hybrid) cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardised or proprietary technology that enables data and application portability. National Institutes for Standards in Technology (NIST) While a Hybrid Cloud can take many forms; in essence it means managing two (or more) disparate cloud environments (say private & public) as one, or having management tools in place that let the two (or more) environments be managed and appear as one single environment. Hybrid cloud uses a mix of on-premises, private cloud together with third-party, public cloud services; with orchestration between multiple platforms thus allowing workloads to move between the various cloud environments as computing needs; thus giving businesses greater flexibility and more deployment options. A cloud is hybrid when; You extend an internal web server (that has “burst...
Read more