Cloud Done Right
Cloud computing is a big shift from the traditional way businesses think about IT resources. What is it about cloud computing?
Why is cloud computing so popular? Here are 10 points to consider for cloud security:
Continue to own security, even for cloud resources
When it comes to cloud, there’s certainly a school of thought that IT leaders can hand over the responsibility of the service, including security, to the cloud provider. However, that’s not the case. The cloud service, like any other IT resource, must be managed and secured using policy, monitoring applications, and security tools.
Get your own security house in order first
Before contracting with a cloud provider, first ensure your organization’s internal security is up to date. With security, it’s often said that you’re only as secure as your weakest link. Don’t let this be the corporate network.
Embrace the cloud so you can own the cloud
I occasionally run into an IT or business leader who is trying to stave off the adoption of cloud. The fact is, even if you don’t embrace cloud services, business units or individual employees will push to bring them in. IT should evaluate corporate applications, processes, and data based on their value to the organization and the level of risk when deployed in the cloud. Then, from this information, build a cloud usage policy that dictates what can be shifted to the cloud and what can’t. When a cloud resource is going to be used, make sure it’s crystal clear what precautions and tools need to be employed to use that service securely.
Build a list of cloud service providers
This list should contain the providers that IT has researched and finds acceptable with respect to security. A good place to start is with low-risk, non-critical services until the business fully understands the security ramifications.
Build a set of SLAs that cloud providers need to adhere to
The first step in this process is to go through your cloud provider’s contracts and SLAs with a fine-toothed comb and understand what is included and what is not. For example, does the cloud provider take responsibility for your data and give security guarantees? Does the service provide visibility into security events? Are monitoring tools included or can they interoperate with your corporate tools? Once the research has been done, evaluate your own compliance and security needs and create your own SLAs. I would highly recommend using lawyers to finalize the negotiations of contracts and SLAs.
Create a test environment for developers
In no way should internal developers ever test software in the cloud using live data or actual customer information.
Extend your corporate identity management into the cloud
Look for services that comply with SAML, OpenID, and other federation standards that enable your organization to extend identity management tools into the cloud. Two-factor authentication should be used for sensitive data.
Deploy strong client security tools
Keep browsers properly updated and protected as well. In most cases, workers will access cloud services through Web browsers. Ensure the proper security measures are taken to protect the workers and company data.