Companies seeking to improve information security without much expense are turning to the cloud for security as a service (SecaaS), which promises low costs and high flexibility. But when cloud security is already a concern, outsourcing security services themselves to the cloud poses a significant set of risks to address. That is according to a new free, downloadable white paper from the US-based IT association ISACA. It evaluates the impact of SecaaS on an enterprise and outlines 10 key questions to ask—and answer—before deploying it.
According to Security as a Service: Business Benefits With Security, Governance and Assurance Perspectives, among the key questions to ensure risks are managed are:
Which cloud service model is best suited for our needs?
Where will the information be located and what retention policies apply?
How will the information be protected (what physical and logical controls will be in place)?
How will we include the provider and outsourced services in the business continuity and disaster recovery plans?
Can data be transferred to another provider if the contract is terminated?
Patrick Hanrion, CISM, CISSP, CNE, director of Security and Privacy, McGladrey LLP, was author of the white paper. He said:
“Enterprises can outsource information security services, but they cannot outsource accountability for security. Answering these questions helps to ensure that controls are in place to protect the enterprise’s information assets.”
The ISACA guide stresses that companies using SecaaS must still know the information and IT assets that are critical to them and manage the risk associated with using a vendor to protect these assets.
“Without this vital understanding, there is no way for the enterprise to determine which security services it needs and which threats it needs to protect against,” said Hanrion.
Security as a Service outlines strategies for addressing risk, as well as key governance and assurance considerations based on guidance in the COBIT framework. The paper is free to download at http://www.isaca.org/SecaaS.
