Cisco uses a variety of external cloud services alongside our internal IT service offerings. Because these services may store or process internal confidential material, the cloud service providers (CSPs) that furnish them must go through a risk assessment before we select them. The assessment confirms that their environments comply with our internal Information Security (InfoSec) requirements, align with our system architecture and meet overall business objectives.
As customers adopt more cloud services, they will need to make similar risk assessments. Today, information security and access security are the two biggest customer challenges around cloud service use, largely because it is hard to know which services individual users have enabled, let alone prevent them from doing so. Most organizations do not know how many cloud services their employees are actually using. Cisco IT had assumed there were about a hundred cloud services in use; an audit revealed several times that number actually being used by Cisco employees.
How does Cisco IT and Information Security protect the company’s information assets stored in hundreds of cloud services?
Providing a Framework for CSP Management
When our data and brand are in the hands of a third-party cloud service provider, we want to be sure there are adequate controls to ensure security and fiscal responsibility. Other important concerns are architectural alignment and business resiliency, with an eye toward risk mitigation. We assume that if our employees are using, or want to use, a new cloud-based service to do their job, it is meeting a business need. Our job is to find out how to meet that need, either by certifying the current cloud service or by finding an alternative service that we can certify and approve.
Cisco IT has established a global governance process for cloud service providers under the umbrella of the Cloud Service Provider Management Office (CSPMO). The CSPMO is a cross-functional organization made up of IT Risk Management, Global Procurement Services and InfoSec. It owns the policy and processes for risk assessment and remediation, and coordinates the framework within which IT Service Owners and business partners work together to select CSPs. The CASPR process (Cloud/Application Service Provider Remediation) is the primary vehicle for ensuring that CSPs are assessed and that critical stakeholders have the visibility they need into CSP usage.
As part of the CASPR process, IT teams (via IT Service Owners) partner with business stakeholders to find approved cloud service capabilities whenever they are required. InfoSec is a strategic partner in protecting Cisco's information and brand: it sets data security standards, conducts security risk assessments and establishes remediation plans when necessary. IT Service Owners ensure architectural alignment, while Global Procurement Services mitigates contractual risk and protects Cisco's legal interests around terms and conditions and potential future intellectual property rights. Oversight of our CSP suppliers is a shared responsibility of IT, InfoSec, Procurement and the business.
The CASPR process: Categorizing Risk
The CASPR process is designed to reduce our exposure to compliance risk across the categories assessed above: information security, fiscal responsibility, architectural alignment, business resiliency and contractual/legal risk (see image, below).
Benefits of having a Cloud Service Provider Management Office
Having one governing body to oversee external CSP management has clear advantages. The CSPMO owns and maintains a single global policy that sets out the requirements for using any third-party cloud-based service provider at Cisco. The same policy tells Cisco employees and contractors how to request an appropriate risk assessment, so that every third-party CSP used by Cisco falls under global oversight. The CSPMO gives everyone visibility into which CSPs are approved for Cisco use, provides a streamlined engagement process for requesting a new CSP, guides requesters through the assessment, and publishes the guidelines (policy) for the CSPs we use today. In short, the buck stops here, and that improves both our internal operations and our Cisco on Cisco experience: if we know how and what we consume externally, we can better understand what Cisco needs and what Cisco should build for its own consumption.
Creating that awareness is the first step. If you are a mid-sized company, talk about your program with other IT organizations that already run one. Cisco went through this process, and every company we engaged discovered considerably more traffic going to cloud service providers than it had realized. That is true across the board. We are also finding that people understand that not knowing how much traffic, or what kind of traffic, is going out to CSPs is a real problem. Knowing how much of your data is already in the cloud is the first step to protecting it.
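The audit finding above (far more cloud services in use than assumed) is usually reproduced from outbound proxy or DNS logs: collapse every destination host to its registrable domain, count users and bytes sent per domain, and diff the result against the approved-CSP list. The script below is an added example written for this page, not Cisco's tooling or the CSPMO's process. The log format, the sample lines, the approved and internal domain lists and the tiny public-suffix table are all constructed assumptions.

```python
"""Inventory cloud services seen in outbound proxy logs and flag those not on
an approved-CSP list.  Added example; the log format, sample data and lists
below are assumptions, not Cisco's."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines (not real traffic).  Assumed whitespace format:
#   <timestamp> <user> <method> <url-or-host:port> <bytes_out>
# CONNECT entries carry only host:port, as squid-style proxies log them.
SAMPLE_LOG = """\
2016-03-01T09:12:44Z alice CONNECT files.example-drive.com:443 1843200
2016-03-01T09:13:01Z bob GET https://mail.corp-approved-suite.com/inbox 5120
2016-03-01T09:14:10Z alice POST https://api.notes-startup.io/v1/sync 204800
2016-03-01T09:15:27Z carol CONNECT www.example-drive.com:443 92160
2016-03-01T09:16:03Z dave POST https://upload.paste-share.co.uk/new 10240000
2016-03-01T09:17:45Z bob GET https://cdn.corp-approved-suite.com/app.js 2048
2016-03-01T09:18:12Z erin GET http://intranet.example.net/ 512
this line is malformed and must be skipped
""".splitlines()

APPROVED = {"corp-approved-suite.com"}   # assumed output of the CSP assessment
INTERNAL = {"example.net"}               # assumed company-owned domains

# Simplified multi-label public suffixes; a real run should use the full
# Public Suffix List so that e.g. "foo.co.uk" and "bar.co.uk" stay separate.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def host_of(target):
    """Hostname from a full URL or from a bare host:port CONNECT target."""
    if "://" in target:
        return (urlsplit(target).hostname or "").lower()
    # urlsplit() would misread "host:443" as scheme "host", so strip manually.
    return target.rsplit(":", 1)[0].lower()


def registrable_domain(host):
    """Collapse a hostname to the domain an organisation registers."""
    labels = host.strip(".").split(".")
    if len(labels) < 2:
        return host
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_line(line):
    """One log line -> dict, or None for anything that does not fit the format."""
    fields = line.split()
    if len(fields) != 5:
        return None
    _ts, user, _method, target, bytes_out = fields
    try:
        return {"user": user,
                "domain": registrable_domain(host_of(target)),
                "bytes_out": int(bytes_out)}
    except ValueError:
        return None


def inventory(lines):
    """Per-domain distinct users, request count and bytes sent outbound."""
    inv = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_out": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = inv[rec["domain"]]
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        entry["bytes_out"] += rec["bytes_out"]
    return dict(inv)


def unapproved(inv, approved, internal):
    """Services neither approved nor internal, largest data egress first."""
    rows = [(dom, len(e["users"]), e["bytes_out"])
            for dom, e in inv.items()
            if dom not in approved and dom not in internal]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


if __name__ == "__main__":
    inv = inventory(SAMPLE_LOG)
    print(f"{len(inv)} distinct external/internal domains seen")
    for dom, users, egress in unapproved(inv, APPROVED, INTERNAL):
        print(f"UNAPPROVED {dom:28s} users={users} bytes_out={egress}")
```

Run as-is it reports three unapproved services, ranked by bytes leaving the network, which is the column that matters for an InfoSec assessment. Treat the domain count as a lower bound: many SaaS products ride on shared CDN or object-storage domains, so a production version should also key on SNI or HTTP Host headers and on a curated service catalogue rather than bare registrable domains.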
For further information visit my Inside Cisco IT: Finding Secure Cloud Services webinar recording.