FeaturesSecurity Compliance

Respondents of a recent ISACA survey predicted that in the next 12 months, cloud computing will contribute about 10% of enterprise network security issues, alongside data leakage (17%), inadvertent employee mistakes (16%) and BYOD (13%).

According to Robert E. Stroud (pictured above), CGEIT, CRISC, a member of ISACA's Strategic Advisory Council, the survey results showed "a general awareness of security breaches and the need to arm industry professionals with the tools to ensure that stakeholder value is delivered." Stroud is a past international vice president of ISACA, and member of the ISACA Framework Committee. He is also vice president of strategy and innovation and service management and governance evangelist at CA Technologies.

In conjunction with the survey findings, ISACA released an online publication "COBIT 5 for Information Security" based on the recently launched COBIT 5 business framework.

Stroud said, "'COBIT 5 for Information Security' provides guidance for IT practitioners on implementing effective security practices regardless of the environment (on-premise, public or private cloud), and reinforces the alignment between business values and effective security practices."

How does COBIT 5 differ from its predecessor COBIT 4.1?

"Information security has always formed a pivotal part of the COBIT guidance in version 4.1. With COBIT 5, this continues with the separation of Governance and Management domains and a focus on the Enterprises risk tolerance and acceptance," Stroud said.

"To assist our growing security practitioner base, at ISACA we have delivered the 'COBIT 5 for Information Security' publication to ensure that organizations can reduce their risk profile by appropriate management of security," he added.

Linda Hui (pictured below), managing director of F5 Networks Hong Kong and Taiwan, said, "COBIT 5 is a good business framework that put the stakeholder needs into consideration. It is a good practice to take a holistic approach in security and using a single integrated framework for ease of management and a quicker way to trace issues."

ISACA's Stroud said the most common threats with cloud computing include the inappropriate use of passwords and access controls. "For example, by not changing them frequently, by not correctly changing them, by communicating insecurely, and by adopting poor security practices within the cloud provider."

"One of the primary threats that is less known regarding cloud computing is the inappropriate access a cloud provider has to information. This can expose an enterprise's data to the wrong organization," Stroud said. "Often, enterprises organizations negate to gain assurances that information has been effectively deleted, including backups, once the relationship is terminated."

F5 Networks' Hui, "The cloud is subjected to all sorts of threats. The more reputable the cloud service is, the higher chances it would be the target of an attack."

"DDoS (Distributed denial of service), being one of the most common security threats, can become a common threat to cloud services as well -- whether they are software-as-a-service, infrastructure-as-a-service, or storage-as-a-service. Since the cloud is used to deliver IT services -- regardless whether in a private or public cloud environment -- DDoS attacks can halt the availability of cloud services to their users," Hui said.

"DDoS attacks have become more sophisticated nowadays, particularly on the application level, which are harder to defend against. This is a less known network security threat as DDoS attacks are commonly understood to attack at the network level. While it is less expected that a targeted attack would occur at the application level, such attacks are harder for hackers to generate and are also harder for users to defend against," Hui added. 

"According to a recent survey from a security company, Hong Kong companies are subjected to 54 new attacks every week. Therefore, to defend DDoS attacks, the security framework has to be flexible and expandable in order to add new logic to defend such new attacks," she said.