Difference between revisions of "User:Shawndouglas/sandbox/sublevel45"

From LIMSWiki
Older revision:

Finally, we address security when using SaaS. Though not exactly the laboratory space, let's take a look at the financial sector to start. Like laboratories, banks are regulated not only to protect their own assets but also the assets of their customers, including customer data. Given the concerns about security in the cloud early in its history, it has taken some time for the financial sector to warm up to moving some of its functions into the cloud.<ref name="MoodysBest18">{{cite web |url=https://www.moodysanalytics.com/articles/2018/best-practices-for-saas-security |title=Best Practices for SaaS Security |work=Moody's Analytics |publisher=Moody's Analytics, Inc |date=April 2018 |accessdate=21 August 2021}}</ref> However, since approximately 2016, banks and financial services firms have begun shifting to the cloud in droves.<ref name="DeloitteCloud19">{{cite web |url=https://www2.deloitte.com/global/en/pages/financial-services/articles/bank-2030-financial-services-cloud.html |title=Cloud banking: More than just a CIO conversation |publisher=Deloitte |date=2019 |accessdate=21 August 2021}}</ref> Writing for the World Economic Forum in December 2020, the CEO of Temenos, Max Chuard, noted<ref name="ChuardCloud20">{{cite web |url=https://www.weforum.org/agenda/2020/12/cloud-and-saas-technology-can-drive-inclusive-banking/ |title=Cloud and SaaS technology can drive inclusive banking. Here are 3 reasons how |author=Chuard, M. |work=World Economic Forum |date=10 December 2020 |accessdate=21 August 2021}}</ref>:

<blockquote>Cloud and SaaS present an alternative way of running a bank’s IT infrastructure. Core banking and/or the digital front office operates on a public or private cloud rather than on physical infrastructure in the bank’s premises. Banks pay a subscription to access the solutions.

Both cloud and SaaS carry lower infrastructure costs, they allow products to be created, delivered and changed faster, and they offer immense resilience, scalability, and security. Cloud-based SaaS platforms are also continuously updated, meaning banks benefit from the latest innovations.</blockquote>

However, the improved security of cloud and SaaS does not preclude challenges. In the case of financial services firms, finding a balance between client-side encryption to protect financial data and its tendency to constrain overall performance and functionality is a real challenge.<ref name="DeloitteGetting19">{{cite web |url=https://www2.deloitte.com/content/dam/Deloitte/ch/Documents/financial-services/deloitte-ch-fs-Cloud-for-Swiss-Banks-report-digital.pdf |format=PDF |title=Getting cloud right: How can banks stay ahead of the curve? |publisher=Deloitte |date=2019 |accessdate=21 August 2021}}</ref> That same challenge exists for other regulated (and less regulated) organizations turning to SaaS cloud solutions.

When moving to a SaaS-based approach to running critical systems, the shared responsibility paradigm says that both the CSP and the customer should be managing SaaS security. Are access and audit rights in the SaaS implementation as strong as they should be? How is data managed and processed in relation to location requirements? How are risks mitigated if the vendor goes out of business or changes its operational focus? What contingency plans are in place should the organization need to migrate to a new vendor or bring applications back in-house? What assessments and audits have been made of the CSP's security?<ref name="MoodysBest18" /> (These and other questions are addressed further in Chapter 5.)

In 2018, Moody's Analytics pointed out "seven pillars of SaaS security wisdom." While they were looking at these pillars from the perspective of banks and financial services, they are equally applicable to any regulated organization moving to SaaS cloud solutions, including laboratories. Those SaaS security pillars are<ref name="MoodysBest18" />:

:1. ''Access management'': Carefully control user access uniformly across the SaaS platform, using strong, vetted business rules (addressing user roles, data requirements, allowed systems, allowed workflows, etc.) that have been documented, disseminated, and learned.
:2. ''Network control'': Decide what network mechanisms to employ to meet security goals, such as jump servers and network access control lists, if more granular access control is required.
:3. ''Perimeter network control'': Decide whether a simple firewall or set of firewalls is sufficient. Additional perimeter protections include intrusion detection and prevention systems.
:4. ''Virtual machine management'': Recognize that while costly, keeping virtual machines up-to-date is vital. Whether this is your responsibility or the CSP's, staying on top of patches and updates better ensures protection from the latest threats.
:5. ''Data protection'': Determine whether the data encryption is sufficient for your regulatory needs in protecting personally identifiable information. Best practices and standards should guide the effort to protect both data in transit and data at rest.
:6. ''Data governance and incident management'': Decide how data governance policies dictate your SaaS services. Data governance determines who has the authority to manage and control data assets and how authorized individuals are able to use those data assets.<ref name="OlavsrudWhatIs21">{{cite web |url=https://www.cio.com/article/3521011/what-is-data-governance-a-best-practices-framework-for-managing-data-assets.html |title=What is data governance? A best practices framework for managing data assets |author=Olavsrud, T. |work=CIO |date=18 March 2021 |accessdate=21 August 2021}}</ref> Not only does this guide the first pillar, access management, but it also clarifies responsibilities for data management and security. This includes stating who's responsible for incident management and how the organization will go about monitoring, tracking, reporting, and learning from security incidents.
:7. ''Scalability and reliability'': Determine how scalable the underlying cloud infrastructure will be to run your SaaS applications. Is it horizontal or vertical scaling? Are proxy servers geographically distributed for a more robust service? And what assurances are in place should disaster strike (i.e., a recovery plan)?

As with public, hybrid, and multicloud services, SaaS vendors should make their security practices clear. Most major vendors, such as SAP<ref name="SAPTrustCenter">{{cite web |url=https://www.sap.com/about/trust-center/certification-compliance.html |title=SAP Trust Center |publisher=SAP America, Inc |accessdate=21 August 2021}}</ref>, Adobe<ref name="AdobeTrustCenter">{{cite web |url=https://www.adobe.com/trust.html |title=Adobe Trust Center |publisher=Adobe, Inc |accessdate=21 August 2021}}</ref>, and Atlassian<ref name="AtlassianTrustCenter">{{cite web |url=https://www.atlassian.com/trust |title=Atlassian Trust Center |publisher=Atlassian, Inc |accessdate=21 August 2021}}</ref>, maintain a trust center where customers can gauge how the vendor's SaaS products are managed with respect to security and compliance. Some SaaS software vendors, however, host and manage their solutions in a public cloud. Those vendors should at a minimum provide one or more web pages explaining where their solution is hosted, what security controls the public cloud provider has in place, and what additional security controls, if any, the vendor applies. Of course, access management and other security controls are still very much the responsibility of the customer.

==References==
{{Reflist|colwidth=30em}}

Newer revision:

[[File:NISTRiskManApproach.png|right|450px|thumb|'''Figure 4.''' A diagram of an organization-wide risk management approach, as published in NIST SP 800-37 Rev. 2. NIST says this diagram "addresses security and privacy risk at the organization level, the mission/business process level, and the information system level. Communication and reporting are bi-directional information flows across the three levels to ensure that risk is addressed throughout the organization."<ref name="NISTSP800-37v2_18" />]]After discussing cloud standards, regulations, and security, it makes sense to next address the topic of [[cloud computing]] [[risk management]]. Risks beget risk management, which in turn begets security. Whether the risks are near the home, on an airplane, or with an online bank account, risk management practices limit the risks, usually through some "security." "The five-year crime numbers in my neighborhood are going up," one might assess. "I shall manage the risk with a home security system," is the risk management action performed. In the same way, engineers add multiple layers of redundancy to an airplane's components to mitigate the assessed risk of instrument failure, and banks require access controls like strong passwords on online accounts to protect customer data and limit their liability. As such, it shouldn't be surprising to talk about employing security and process control measures as part of managing risks in the cloud.

We learned in the last chapter that the National Institute of Standards and Technology (NIST) represents a strong example of a standards and recommendations body in the U.S. In their 2018 SP 800-37 Rev. 2 ''Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy'', NIST says the following about risk management for information systems<ref name="NISTSP800-37v2_18">{{cite web |url=https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final |title=SP 800-37 Rev. 2: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy |author=National Institute of Standards and Technology |date=December 2018 |accessdate=21 August 2021}}</ref>:

<blockquote>Managing information system-related security and privacy risk is a complex undertaking that requires the involvement of the entire organization—from senior leaders providing the strategic vision and top-level goals and objectives for the organization, to mid-level leaders planning, executing, and managing projects, to individuals developing, implementing, operating, and maintaining the systems supporting the organization’s missions and business functions. Risk management is a holistic activity that affects every aspect of the organization, including the mission and business planning activities, the enterprise architecture, the SDLC processes, and the systems engineering activities that are integral to those system life cycle processes.</blockquote>

As Figure 4—from the same NIST guide—notes, there are three main levels at which an organization must approach risk management activities for their information systems: the organization level, the mission/business process level, and the information system level. The arrow on the left highlights the criticality of proper communication across all three levels in order for the organization to make the most of their risk management activities. Just as IT forms the base of any software-driven business efforts, critical stakeholders in IT form the base of communication about IT risk and security requirements. Without those stakeholders' knowledge and feedback, business processes and company policy would be ill-informed. Now let's start from the top of the pyramid and head downward. Note that without strong leadership, well-crafted business goals, and management buy-in on quality, budget, and security, business processes would be a mess and IT-related efforts would be sub-par and at risk.

The implication of Figure 4 and NIST's guide is that effective planning and communication are critical to ensuring information systems are implemented securely during their entire life cycle. Many organizations approach this task by developing, implementing, and enforcing a [[cybersecurity]] plan, in which identifying cybersecurity requirements and objectives—i.e., [[risk assessment]] and management—is a vital component. (See the ''[[LII:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan|Comprehensive Guide to Developing and Implementing a Cybersecurity Plan]]'' for much more on this topic.)

==References==
{{Reflist|colwidth=30em}}

Revision as of 19:11, 21 August 2021