New COBIT 5 framework to guard against cloud threats
Robert E. Stroud, CGEIT, CRISC, member of ISACA's Strategic Advisory Council
Respondents to a recent ISACA survey predicted that in the next 12 months, cloud computing will contribute about 10% of enterprise network security issues, alongside data leakage (17%), inadvertent employee mistakes (16%) and BYOD (13%).
According to Robert E. Stroud, CGEIT, CRISC, a member of ISACA's Strategic Advisory Council, the survey results showed "a general awareness of security breaches and the need to arm industry professionals with the tools to ensure that stakeholder value is delivered." Stroud is a past international vice president of ISACA, and member of the ISACA Framework Committee. He is also vice president of strategy and innovation and service management and governance evangelist at CA Technologies.
COBIT 5 business framework
Stroud said, "'COBIT 5 for Information Security' provides guidance for IT practitioners on implementing effective security practices regardless of the environment (on-premise, public or private cloud), and reinforces the alignment between business values and effective security practices."
How does COBIT 5 differ from its predecessor COBIT 4.1?
"Information security has always formed a pivotal part of the COBIT guidance in version 4.1. With COBIT 5, this continues with the separation of Governance and Management domains and a focus on the enterprise's risk tolerance and acceptance," Stroud said.
"To assist our growing security practitioner base, at ISACA we have delivered the 'COBIT 5 for Information Security' publication to ensure that organizations can reduce their risk profile by appropriate management of security," he added.
Linda Hui, managing director of F5 Networks Hong Kong and Taiwan, said, "COBIT 5 is a good business framework that puts stakeholder needs into consideration. It is a good practice to take a holistic approach in security and using a single integrated framework for ease of management and a quicker way to trace issues."
Inappropriate access control
ISACA's Stroud said the most common threats with cloud computing include the inappropriate use of passwords and access controls. "For example, by not changing them frequently, by not correctly changing them, by communicating insecurely, and by adopting poor security practices within the cloud provider."
"One of the primary threats that is less known regarding cloud computing is the inappropriate access a cloud provider has to information. This can expose an enterprise's data to the wrong organization," Stroud said. "Often, enterprise organizations neglect to gain assurances that information has been effectively deleted, including backups, once the relationship is terminated."
DDoS attacks at application level
F5 Networks' Hui said, "The cloud is subjected to all sorts of threats. The more reputable the cloud service is, the higher chances it would be the target of an attack."
"DDoS (Distributed denial of service), being one of the most common security threats, can become a common threat to cloud services as well -- whether they are software-as-a-service, infrastructure-as-a-service, or storage-as-a-service. Since the cloud is used to deliver IT services -- regardless of whether in a private or public cloud environment -- DDoS attacks can halt the availability of cloud services to their users," Hui said.
"DDoS attacks have become more sophisticated nowadays, particularly on the application level, which are harder to defend against. This is a less known network security threat as DDoS attacks are commonly understood to attack at the network level. While it is less expected that a targeted attack would occur at the application level, such attacks are harder for hackers to generate and are also harder for users to defend against," Hui added.
"According to a recent survey from a security company, Hong Kong companies are subjected to 54 new attacks every week. Therefore, to defend against DDoS attacks, the security framework has to be flexible and expandable in order to add new logic to defend against such new attacks," she said.
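Hui's point that application-level floods are harder to spot than network-level ones, and that a defence needs room for new detection logic, can be shown with a small detector run over constructed web-server access-log lines. This is an added illustration, not code from the article, ISACA or F5; the log format (timestamp, client, method, path, status, bytes), the client addresses and the thresholds are all assumptions made for the example. A client sending many small but expensive-to-serve `/search` requests stays far below a byte-volume threshold a network-level check would watch, yet stands out once requests are counted per client on costly endpoints; detectors are kept as plain functions in a list so a new one can be added without touching the others.

```python
"""Layer-7 request-flood detection over access-log lines (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real traffic): one legitimate client browsing,
# and one client issuing 30 small /search requests inside a 10-second window.
LEGIT_LINES = [
    "2024-01-01T10:00:00 198.51.100.7 GET /index.html 200 14230",
    "2024-01-01T10:00:01 198.51.100.7 GET /style.css 200 8810",
    "2024-01-01T10:00:05 198.51.100.7 GET /search?q=cobit 200 640",
]
FLOOD_LINES = [
    f"2024-01-01T10:00:{i % 10:02d} 203.0.113.5 GET /search?q=x{i} 200 620"
    for i in range(30)
]
SAMPLE_LOG = LEGIT_LINES + FLOOD_LINES


def parse_line(line):
    """Parse one assumed-format log line into a record dict."""
    ts, client, method, path, status, size = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "client": client,
        "method": method,
        "path": path,
        "status": int(status),
        "bytes": int(size),
    }


def volumetric_check(records, byte_threshold):
    """Network-level view: True only if total transferred bytes exceed the threshold.

    A layer-7 flood of small requests typically does not trip this check.
    """
    return sum(r["bytes"] for r in records) > byte_threshold


def app_layer_check(records, window_seconds=10, max_requests=20,
                    expensive_prefixes=("/search",)):
    """Application-level view: per-client request counts on costly endpoints.

    Returns {client: peak_requests_in_one_window} for clients whose peak
    exceeds max_requests. Windows are fixed-size buckets measured from the
    earliest record so the result does not depend on the local timezone.
    """
    if not records:
        return {}
    t0 = min(r["ts"] for r in records)
    counts = defaultdict(int)
    for r in records:
        if not r["path"].startswith(expensive_prefixes):
            continue
        window = int((r["ts"] - t0).total_seconds() // window_seconds)
        counts[(r["client"], window)] += 1
    peaks = {}
    for (client, _), n in counts.items():
        peaks[client] = max(peaks.get(client, 0), n)
    return {c: n for c, n in peaks.items() if n > max_requests}


# Extensible list of (name, detector) pairs; a new detector is just appended.
DETECTORS = [
    ("volumetric", lambda recs: volumetric_check(recs, byte_threshold=1_000_000)),
    ("app_layer_flood", app_layer_check),
]


def run_detectors(lines, detectors=DETECTORS):
    """Parse lines once and return a dict of detector name -> finding."""
    records = [parse_line(line) for line in lines]
    return {name: fn(records) for name, fn in detectors}


if __name__ == "__main__":
    for name, finding in run_detectors(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

On the sample above the volumetric check reports nothing (about 42 KB moved in total), while the application-level check flags 203.0.113.5 with 30 `/search` requests in one window and leaves the legitimate client alone. The thresholds are deliberately simple; in practice they would be tuned per endpoint from observed baselines.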