CARTA and Cloud computing security risks
Cloud computing carries a distinct set of security risks. Smart customers ask tough questions, and consider getting a security assessment from a neutral third party, before committing to a cloud vendor.
Cloud computing has unique attributes that require a risk assessment in areas such as data integrity, recovery and privacy, and an evaluation of legal issues such as regulatory compliance, e-discovery and auditing.
Customers should demand transparency and avoid vendors that refuse to provide detailed information about their security programs. Ask about the qualifications of the policy makers, architects, coders and operators; the technical mechanisms and risk-control processes in place; and the level of testing done to verify that service and control processes function as intended and that the vendor can identify unanticipated vulnerabilities.
The following are some of the issues customers should raise with a vendor before selecting a cloud provider.
Privileged user access
Sensitive data processed outside the enterprise carries an inherent level of risk, because an outsourced service bypasses the physical and personnel controls that in-house IT can exert over internal programs. Get as much information as you can about the people who manage your data. Ask the provider for specific information on the hiring and oversight of privileged administrators, and on the controls over their access.
Regulatory compliance
Customers remain responsible for the security and integrity of their own data even when it is held by a service provider. Traditional service providers are subject to external audits and security certifications; a cloud provider that refuses to undergo this kind of scrutiny is better avoided.
Data location
When you use the cloud, you may not know exactly where your data is hosted; you may not even know which country it is stored in. Ask providers whether they will commit to storing and processing data in specific jurisdictions, and whether they will make that commitment contractually, so that local privacy requirements are met on the customer's behalf.
Data segregation
Data in the cloud is typically stored in a shared environment alongside data from other customers. Encryption is effective, but it is not a cure-all, so find out what the provider does to keep customers' data segregated.
The provider should produce evidence that its encryption schemes were designed and tested by experienced specialists. Encryption accidents, such as a lost key, can render data unusable, and even correctly applied encryption complicates availability.
Recovery
Even if you do not know where your data is, the provider should tell you what will happen to your data and service in the event of a disaster. Any offering that does not replicate the data and application infrastructure across multiple sites is vulnerable to a total failure.
How Continuous Adaptive Risk and Trust Assessment reduces Cloud computing security risks
Cloud computing is a powerful and convenient way to access computing resources on demand, but it also poses significant security challenges. Traditional security solutions rely on static rules and policies that may not be able to cope with the dynamic and complex nature of cloud environments. Moreover, cloud users often have limited visibility and control over the security posture of their cloud providers, which may expose them to unknown or unexpected risks.
To address these challenges, Gartner proposed an approach to IT security called Continuous Adaptive Risk and Trust Assessment (CARTA). CARTA builds on the zero-trust principle: no user, device or service is trusted by default, and security decisions are made on real-time data and context rather than on a one-time check at login. CARTA aims to enable continuous, adaptive security assessment and response across the entire IT lifecycle, from planning and development through deployment and operation.
One of the key benefits of Continuous Adaptive Risk and Trust Assessment is that it can reduce cloud computing security risk by providing more granular and flexible access control. Traditional role-based access control (RBAC) grants permissions from predefined roles and identities alone; CARTA instead leans on attribute-based access control (ABAC), which considers attributes of the user, device, service, data, environment and situation. ABAC allows fine-grained, dynamic authorization policies that adapt to changing conditions and risks.
For example, suppose a user wants to access a sensitive file stored in the cloud. With RBAC, the user would either have access or not, depending on their role. With ABAC, the user's access could depend on additional factors, such as their location, device type, time of day, network type, or behavior patterns. If the user tries to access the file from an unfamiliar location or device, or at an unusual time or frequency, the system could either deny access or request additional verification, such as a password or a biometric scan. This way, ABAC can prevent unauthorized or malicious access attempts that may bypass RBAC.
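As an added illustration of the decision logic described above (example code written for this page, not Gartner's or any vendor's implementation), the following Python puts a plain RBAC check beside a context-aware decision on the same request. The attribute names (location, managed device, network, hour), the weights and thresholds, the per-user baseline and the sample requests are all assumptions made for the example.

```python
"""Contextual (ABAC-style) access decision beside a plain RBAC check.
Added example for this page, not Gartner's or any vendor's code. The
attribute names, weights, thresholds, baseline and sample requests are
assumptions made for illustration."""
from dataclasses import dataclass

# Constructed RBAC table: role -> resource -> permitted actions.
RBAC_ROLES = {
    "analyst": {"sensitive-file": {"read"}},
    "intern": {"sensitive-file": set()},
}

# Constructed per-user baseline; a real deployment would derive this from logs.
BASELINE = {"alice": {"locations": {"DE"}, "hours": range(7, 20)}}


@dataclass
class Request:
    user: str
    role: str
    action: str
    resource: str
    location: str          # country derived from the source IP (assumed attribute)
    device_managed: bool   # device enrolled in the fleet's MDM (assumed attribute)
    network: str           # "corp-vpn" or "public"
    hour: int              # local hour of day, 0-23
    mfa_verified: bool = False


def rbac_decide(req):
    """Static decision: the role either carries the permission or it does not."""
    perms = RBAC_ROLES.get(req.role, {}).get(req.resource, set())
    return "allow" if req.action in perms else "deny"


def risk_score(req):
    """Add up context signals; a user with no baseline finds everything unfamiliar."""
    base = BASELINE.get(req.user, {"locations": set(), "hours": range(0)})
    score = 0
    if req.location not in base["locations"]:
        score += 40            # unfamiliar location
    if not req.device_managed:
        score += 30            # unmanaged device
    if req.network != "corp-vpn":
        score += 15            # untrusted network
    if req.hour not in base["hours"]:
        score += 20            # unusual time of day
    return score


def abac_decide(req):
    """Role is still a precondition; context turns a yes into allow, step-up or deny."""
    if rbac_decide(req) == "deny":
        return "deny"
    score = risk_score(req)
    if score >= 60:
        return "deny"
    if score >= 30:
        return "allow" if req.mfa_verified else "step-up"
    return "allow"


if __name__ == "__main__":
    usual = Request("alice", "analyst", "read", "sensitive-file", "DE", True, "corp-vpn", 10)
    odd = Request("alice", "analyst", "read", "sensitive-file", "BR", False, "public", 3)
    evening = Request("alice", "analyst", "read", "sensitive-file", "DE", True, "public", 22)
    print("RBAC on odd request:", rbac_decide(odd))        # allow
    print("ABAC on usual request:", abac_decide(usual))    # allow
    print("ABAC on odd request:", abac_decide(odd))        # deny
    print("ABAC on evening request:", abac_decide(evening))  # step-up
```

Run it and the two decisions on the unusual request differ: RBAC allows because the role has read on the file, while the contextual check denies because an unfamiliar country, an unmanaged device, a public network and a 3 a.m. request add up past the deny threshold. A milder deviation (known location, off-hours, public network) lands in the step-up band and clears only once MFA has been verified, which is the "request additional verification" branch of the paragraph above.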
Another benefit of Continuous Adaptive Risk and Trust Assessment is that it can improve the visibility and accountability of cloud security through data analytics and automation. CARTA calls for collecting and analyzing data from sources such as logs, events, alerts, audits and user feedback to detect anomalies and threats in real time.
CARTA also recommends using automation tools to respond to security incidents quickly and efficiently, such as isolating compromised devices, revoking access tokens, or applying patches. By using data analytics and automation, CARTA can help cloud users monitor and manage their cloud security more effectively and proactively.
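To make the detect-and-respond loop of the two paragraphs above concrete, here is an added example (written for this page; it is not CARTA reference code or any product's API) that builds per-user baselines from a window of audit-log history, scores each new event for an unfamiliar country or device and for bursts of activity, and revokes the user's sessions through a small in-memory token registry when the score crosses a threshold. The JSON log format, the history and new-event lines, the weights, the 60-point threshold and the TokenStore are all constructed assumptions.

```python
"""Continuous assessment over audit-log events with automated response.
Added example for this page; not CARTA reference code or any vendor's
product. The JSON log format, scoring weights, thresholds and the
TokenStore are assumptions made for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed audit-log lines (one JSON object per line), not real data.
HISTORY = """\
{"ts":"2023-09-01T09:02:11Z","user":"alice","device":"lap-01","country":"DE","action":"read"}
{"ts":"2023-09-01T09:45:40Z","user":"alice","device":"lap-01","country":"DE","action":"read"}
{"ts":"2023-09-02T10:15:03Z","user":"alice","device":"lap-01","country":"DE","action":"read"}
{"ts":"2023-09-02T11:20:19Z","user":"bob","device":"lap-07","country":"FR","action":"read"}
"""
NEW_EVENTS = """\
{"ts":"2023-09-05T03:10:00Z","user":"alice","device":"phone-9","country":"BR","action":"read"}
{"ts":"2023-09-05T03:10:05Z","user":"alice","device":"phone-9","country":"BR","action":"download"}
{"ts":"2023-09-05T03:10:09Z","user":"alice","device":"phone-9","country":"BR","action":"download"}
{"ts":"2023-09-05T14:00:00Z","user":"bob","device":"lap-07","country":"FR","action":"read"}
"""

REVOKE_THRESHOLD = 60               # assumed: at or above this, sessions are revoked
BURST_WINDOW = timedelta(seconds=60)
BURST_COUNT = 3                     # assumed: 3+ events inside the window is a burst


def parse_events(text):
    """Parse JSON lines into dicts whose 'ts' is a timezone-aware datetime."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def build_baseline(history_text):
    """Per-user sets of previously seen countries and devices."""
    base = defaultdict(lambda: {"countries": set(), "devices": set()})
    for ev in parse_events(history_text):
        base[ev["user"]]["countries"].add(ev["country"])
        base[ev["user"]]["devices"].add(ev["device"])
    return base


class TokenStore:
    """Minimal stand-in for an identity provider's session/token registry."""

    def __init__(self):
        self._tokens = defaultdict(set)

    def issue(self, user, token):
        self._tokens[user].add(token)

    def is_valid(self, user, token):
        return token in self._tokens[user]

    def revoke_all(self, user):
        """Revoke every token the user holds; return how many were revoked."""
        count = len(self._tokens[user])
        self._tokens[user].clear()
        return count


def score_event(ev, baseline, recent):
    """Score one event against the user's baseline and their recent events."""
    score, reasons = 0, []
    base = baseline.get(ev["user"])
    if base is None:
        score += 30
        reasons.append("no-baseline")
    else:
        if ev["country"] not in base["countries"]:
            score += 40
            reasons.append("new-country")
        if ev["device"] not in base["devices"]:
            score += 30
            reasons.append("new-device")
    window = [e for e in recent if ev["ts"] - e["ts"] <= BURST_WINDOW]
    if len(window) + 1 >= BURST_COUNT:
        score += 20
        reasons.append("burst")
    return score, reasons


def assess(history_text, events_text, tokens):
    """Score each new event in order; revoke the user's tokens when risk is high."""
    baseline = build_baseline(history_text)
    recent = defaultdict(list)
    findings = []
    for ev in parse_events(events_text):
        score, reasons = score_event(ev, baseline, recent[ev["user"]])
        recent[ev["user"]].append(ev)
        if score >= REVOKE_THRESHOLD:
            revoked = tokens.revoke_all(ev["user"])
            action = "revoke-tokens" if revoked else "already-revoked"
        else:
            action = "allow"
        findings.append({"user": ev["user"], "ts": ev["ts"].isoformat(),
                         "score": score, "reasons": reasons, "action": action})
    return findings


if __name__ == "__main__":
    store = TokenStore()
    store.issue("alice", "tok-a1")
    store.issue("bob", "tok-b1")
    for finding in assess(HISTORY, NEW_EVENTS, store):
        print(finding)
    print("alice token still valid:", store.is_valid("alice", "tok-a1"))
```

The point to notice is that the response is keyed on the same evidence as the detection: the first anomalous event for alice (new country plus new device) already exceeds the threshold and revokes her tokens, the two follow-on events are reported against an already-revoked session (the third also trips the burst rule), and bob's in-baseline access is left alone. In a real deployment revoke_all would call the identity provider's session-revocation API, and an isolation step for the device would talk to the endpoint or cloud control plane in the same way.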
In conclusion, Continuous Adaptive Risk and Trust Assessment is a new IT security approach that can help reduce cloud computing security risks by enabling continuous and adaptive security assessment and response. By using ABAC instead of RBAC, CARTA can provide more granular and flexible access control mechanisms that can adapt to changing conditions and risks. By using data analytics and automation, CARTA can also improve the visibility and accountability of cloud security by detecting and responding to anomalies and threats in real time.
Last updated: 2023-09-07 08:17:09 PM