You can't outsource security responsibility, warns expert panel
It's your responsibility to check that your cloud provider's security is up to snuff, adds panel at CloudSec 2016
Organisations may be able to outsource some of their security workloads, but it's impossible to outsource responsibility or accountability, a panel of experts has warned.
Speaking at CloudSec 2016 recently, Rik Ferguson, VP security research, Trend Micro said: "There's a great temptation to outsource due to the lack of realisation that you can't outsource accountability. People think they can offload both the work and the responsibility, but you can't. People need to understand that to be compliant [with regulation], they still need to be part of the process."
Michael Wignall, national technology officer at Microsoft, added that organisations should make clear demands of their cloud-based outsourcing partners.
"The risk and ownership question around cloud services depends on what you're consuming. If you're consuming IaaS [Infrastructure as a Service], you patch it. If it's SaaS [Software as a Service], the provider patches it. So you need to first understand what level of service you want.
"Then you need to understand the regulatory environment you're in. Ask suppliers how they comply against these rules. What's the requirement for data both at rest and in transit? Ask providers to test against these rules, then ask for the evidence and results," said Wignall.
Troels Oerting, global CISO at Barclays, echoed Ferguson's comment that responsibility cannot be handed to someone else, then described his demands to cloud partners.
"We have a big vendor assurance programme," said Oerting. "My data needs to be secure, and you can delegate the work but not the responsibility. I want my data to be just as safe as if it was in my own data centre, and I want to be able to test it. And the big providers don't like that."
With the panel recommending that cloud providers be quizzed and tested on their security, Darren Argyle, global CISO at financial services firm Markit, explained that this is only possible if your organisation is seen as a sufficiently important customer.
"We found that we had lots of cloud services, because people were buying them on their credit cards. That means you won't have an enterprise-level agreement to have enough wind behind you to force through what you need.
"So find these services, aggregate them together, then you'll have more clout. Also be aware that not all clouds are the same; some are more secure than others, so find out which you are using. The relative security of the offerings should be a big decision maker. Also understand your own risk appetite. If you know the risks and get the business to buy in, you'll be able to manage your risk profile better," added Argyle.
Computing's Enterprise Security and Risk Management Summit 2016 will be happening on 24 November in central London. Attendance is free to qualified end users.
The event will be followed by the Security Excellence Awards. Entries are open now to both vendors and end users.