Securing the Cloud a Top Concern
I moderated a CIO roundtable on the topic of the cloud some time ago in New York. The roundtable was intended to be a general discussion on cloud strategy but quickly morphed into a session specifically on cloud security. The fact that it turned into a dedicated discussion on security wasn’t a big surprise to me, given that security remains, by far, the top concern for CIOs regarding the cloud. Don’t get me wrong: cloud services are being consumed much faster than premise-based infrastructure or applications, but how to handle cloud security is keeping CIOs up at night.
Based on the conversation, I thought it made sense to put together the key takeaways from the session. These include the following ten considerations for a cloud strategy:
- Continue to own security, even for cloud resources. When it comes to cloud, there’s certainly a school of thought that IT leaders can hand over the responsibility of the service, including security, to the cloud provider. However, that’s not the case. The cloud service, like any other IT resource, must be managed and secured using policy, monitoring applications, and security tools.
- Get your own security house in order first. Before contracting with a cloud provider, first ensure your organization’s internal security is up to date. With security, it’s often said that you’re only as secure as your weakest link. Don’t let this be the corporate network.
- Embrace the cloud so you can own the cloud. Once in a while I run into an IT or business leader who is trying to stave off the adoption of cloud. The fact is, if you don’t embrace cloud services, the business units — or even individual employees — will bring them into the organization. IT should evaluate corporate applications, processes, and data based on their value to the organization and the level of risk when deployed in the cloud. Then, from this information, build a cloud usage policy that dictates what’s allowed to be shifted to the cloud and what isn’t. When a cloud resource is going to be used, make sure it’s crystal clear what precautions and tools need to be employed to use that service securely.
- Build a list of cloud service providers that IT has researched and finds acceptable with respect to security. A good place to start is with low-risk, non-critical services until the business fully understands the security ramifications.
- Build a set of SLAs that cloud providers need to adhere to. The first step in this process is to go through your cloud provider’s contracts and SLAs with a fine-toothed comb and understand what is included and what is not. For example, does the cloud provider take responsibility for your data and give security guarantees? Does the service provide visibility into security events? Are monitoring tools included or can they interoperate with your corporate tools? Once the research has been done, evaluate your own compliance and security needs and create your own SLAs. I would highly recommend using lawyers to finalize the negotiations of contracts and SLAs.
- Create a test environment for developers. In no way should internal developers ever test software in the cloud using live data or actual customer information.
- Audit the cloud provider’s certifications. Ask for a list of the service provider’s certifications, such as SAS 70 Type II or ISO 27001. Then examine the audit report to identify security gaps and find ways of filling them. If the service provider does not let you do your own audit of them, that should be a huge red flag.
- Encrypt all the data before it goes to the cloud. As part of this, ensure the provider has the capability of wiping data from memory and storage that has been released or is no longer being used.
- Extend your corporate identity management into the cloud. Look for services that comply with SAML, OpenID, and other federation standards that enable your organization to extend identity management tools into the cloud. Two-factor authentication should be used for sensitive data.
- Deploy strong client security tools and keep browsers properly updated and protected. In the majority of cases, workers will access cloud services through Web browsers. Ensure the proper security measures are taken to protect the workers and company data.
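The "encrypt all the data before it goes to the cloud" item above is the one that translates most directly into code. The following is an added example, not code from the original post or from any particular provider: it seals each object with AES-256-GCM on the customer side, using a data key that is generated and held on-premises (the `newDataKey` stub stands in for a real on-premises KMS or HSM, an assumption of this example), so the provider only ever stores ciphertext. The object name is bound in as associated data, which means a blob that is tampered with, or swapped for another customer's blob stored under a different name, fails to decrypt instead of silently yielding wrong data. The object names and record contents are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newDataKey is a hypothetical stand-in for an on-premises KMS/HSM call.
// The 256-bit key never leaves the organization; the cloud provider sees only ciphertext.
func newDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptForCloud seals plaintext with AES-256-GCM before it is uploaded.
// The returned blob is nonce || ciphertext || GCM tag. The object name is
// passed as associated data so the blob is cryptographically tied to the
// name it is stored under.
func EncryptForCloud(key, plaintext []byte, objectName string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per object; never reuse a nonce with the same key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// DecryptFromCloud opens a blob downloaded from the provider. Any change to
// the ciphertext, the tag, or the object name makes gcm.Open return an error.
func DecryptFromCloud(key, blob []byte, objectName string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, []byte(objectName))
}

func main() {
	key, err := newDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; in practice this is the file or row being uploaded.
	record := []byte("customer 42: account balance 1,204.17")
	blob, err := EncryptForCloud(key, record, "records/customer-42")
	if err != nil {
		panic(err)
	}
	fmt.Printf("uploaded %d bytes of ciphertext (provider never sees the key)\n", len(blob))

	if plain, err := DecryptFromCloud(key, blob, "records/customer-42"); err == nil {
		fmt.Printf("downloaded and decrypted on-premises: %q\n", plain)
	}
	// Opening under the wrong name, or after any byte is changed, is rejected.
	if _, err := DecryptFromCloud(key, blob, "records/customer-43"); err != nil {
		fmt.Println("blob bound to a different object name: rejected")
	}
	blob[len(blob)-1] ^= 0x01
	if _, err := DecryptFromCloud(key, blob, "records/customer-42"); err != nil {
		fmt.Println("tampered blob: rejected")
	}
}
```

The design point is that the provider's "wipe on release" capability mentioned in the post becomes a second line of defence rather than the only one: if the on-premises key is destroyed, every blob sealed with it is unreadable wherever the provider's copies or backups of it survive.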