Four steps to a safe cloud deployment
The traditional perimeter barrier to IT security is no longer effective in a complex cloud environment that has no clearly identifiable boundaries. Technical answers are only part of the solution; a well-rounded program with full business involvement is needed. Security must be incorporated into business and data processes throughout the enterprise, not just at the perimeter or in the cloud.
There are four broad steps that organisations should follow when developing their cloud security defense:
Step 1: A risk-based approach
Establishing an approach based on the perceived risks is essential for organisations preparing to move applications and data to the cloud. Any review of the potential risks must be undertaken from a viewpoint of how it affects the entire enterprise.
Organisations need to be proactive in identifying issues and finding the correct balance between securing and enabling business activities.
There are four main components to a risk-based methodology:
- Assess the various levels of risk from a compliance and operational viewpoint.
- Address security issues in order of priority.
- Continually monitor and improve the security environment.
- Only use proven security technologies and flexible sourcing models for security transformation programs.
Step 2: Secure design applications
Most applications are not designed to run in a potentially hostile environment.
CIOs must therefore ensure that all data and applications are thoroughly reviewed and amended before they are deployed on a cloud platform.
The aim is to make them self-defending, which requires developers to adopt new approaches to application development and data management. They need to focus on protecting information to ensure its confidentiality, integrity and availability.
Preferably, security architecture should be addressed during the requirements and design phases of a new system, with security measures, access control and encryption built in at a fine-grained level.
Step 3: Ongoing auditing and management
Continuous compliance monitoring must be in place for the secure delivery of cloud services. Traditional regimes of monthly or annual audits are meaningless in an environment that is constantly changing.
To enable forensic examination and analysis in the event of a security breach, there needs to be ongoing monitoring and maintenance of incident records and log files.
This information must be available in real time to facilitate rapid response, notification and containment measures.
Step 4: Infrastructure and network security
When using a cloud-based service, an enterprise has minimal direct control over infrastructure and network security, including operational procedures, network configuration and intrusion prevention.
These are all critical areas, so it is important that the user undertakes a thorough review of the service provider's policies as part of the due diligence process during contract negotiation and service sourcing.
Look at other providers if the service provider's policies fail to meet appropriate standards.