In late October, the fifth revision of the Building Security In Maturity Model (known as the BSIMM-V) was released. In a nutshell, the BSIMM is one of the primary frameworks for understanding modern software security practices; taken from their own self-description, it aims to provide “a study of real-world software security initiatives organized so that you can determine where you stand with your software security initiative and how to evolve your efforts over time.” One of the trends we measure at CloudLock is the evolution of governance within our customer base. We are in a fortunate position, in that we have the opportunity to hear from a tremendously broad group of CISOs, collaboration security analysts, and related information professionals every day, and glean from all of those conversations where and how strategy and practical initiatives are coming together.
What we are seeing as we enter the final months of 2013 is an increased awareness of the importance of the work behind models like the BSIMM. Governance modeling in the cloud needs to address two specific pain points: (1) the consistent enforcement of compliance policy, and (2) the establishment of end-user-focused awareness programs that combine incident remediation with training. The BSIMM’s Governance domain, with its Strategy & Metrics, Compliance & Policy, and Training practices, maps readily onto these two requirements: the first to Compliance & Policy, the second to Training.
What works particularly well in the conceptual framework presented here is that each level of the program is oriented towards “prescriptive guidance for all stakeholders and auditability of SSDL activities.” If we take this framework and convert it into a cloud-specific model, we can establish a 4-step CloudLock Governance Compliance and Policy framework that any strategic move to the cloud (regardless of platform) should contain:
Figure: CloudLock – Governance Compliance and Policy Framework
By establishing a straightforward, policy-driven model for regulatory awareness and governance inside a cloud initiative, information security leaders can substantially reduce the risk to their data, reputation, and organizations. Where once this kind of work might take months or years to complete, cloud platforms make it possible to put these controls in place and enforce them continuously rather than after the fact. Take, for example, a customer who implemented a set of policies inside a Google Apps domain; the two charts that follow compare their user adoption over time (left) with their PII exposures over the same period (right):
If you’re interested in hearing more about how to implement the same type of controls within your own environment, we’ll call you. Let us know how to reach you.