Internal cloud security planning: 5 questions to ask

First things first: Come up with a cloud security plan


Even if many organizations lack the intestinal fortitude to scrutinize their own (possibly deficient) security practices, there are still plenty of valid cloud security fears. Handing a third party responsibility for protecting sensitive data is hair-raising, especially in an industry that has to comply with regulations such as HIPAA, SOX or PCI DSS, because the compliance obligation stays with you even when the infrastructure does not. Throw in hypervisor vulnerabilities, DDoS attacks, application-level malware and other problems, and the line between rationalizations and legitimate worries is blurred.

Cloud risks still involve many unknowns, so formulating a comprehensive cloud strategy is a must. Skeptics may cite some variation on German field marshal Helmuth von Moltke the Elder’s famous saying “No campaign plan survives first contact with the enemy.” But if you don’t have some sort of workable plan in place, will you be prepared to adapt and improvise as conditions change?

“The best place to start planning is with the highest risk,” said Michael Denning, General Manager, Security Business, CA Technologies. “Invariably, that’s your privileged users. They are able to access the most sensitive systems and data, and you can be sure that auditors will look at them closely.”

Your CFO or comptroller is your biggest risk for financial applications and data. Your head of HR's access needs to be properly managed so that leaky personnel files don't come back to haunt you. And, of course, the biggest risk of all is your CEO.

Attackers know this, which is why C-level executives are constant targets of so-called "whaling attacks," such as the CEO subpoena phishing scam.

Privileged users can also be the most difficult to secure, though, because they will often veto any security control they don't like. After all, these are the bosses. Thus, it's not going to be easy to put a blanket ban on riskier devices, such as smartphones or tablets, so you'd better have a Plan B. Instead of banning the devices, put proper authentication, access control and identity enforcement in front of the resources, so that at least you know a privileged session really belongs to the person it claims to.

A plan to protect your most privileged users has the added benefit of providing you with an overall cloud security roadmap. Are remote-user risks a concern? Your most privileged users will probably want remote access. How about data loss protection? Your privileged users have more rights to more data than anyone else. What about securing mobile devices? Your CEO probably has several of them.
Evaluating cloud providers’ security: 7 questions to ask

Moving from internal controls to third-party evaluation


As you move from evaluating yourself to evaluating potential cloud vendors, don’t forget to investigate how far cloud services have already spread into your organization. Has your sales team signed up for Salesforce.com? Are your project managers using Basecamp? Has HR invested in Taleo?

As name brand cloud/SaaS providers, Salesforce.com, Basecamp and Taleo all have solid reputations, so getting those projects to conform with internal security controls shouldn't be an issue. Reputation is a starting point, though, not evidence: you still need to know how each service ties into your identity management and auditing. You'll want to vet the others more closely, and make sure they aren't fly-by-night providers that don't take the time to properly secure their environments.
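The question "how far have cloud services already spread?" is best answered from evidence rather than a survey. The following is an added example, not code from the article or from any vendor it quotes: it tallies, per department, which SaaS services users are already reaching through the corporate web proxy, and flags uploads to unknown destinations as candidates for vetting. The proxy log layout, the user-to-department map and the domain-to-product catalogue are all constructed for the example; the catalogue only lists the three services the article names.

```python
"""Shadow-SaaS discovery from web-proxy logs (added example, not from the article)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Known services keyed by registrable domain. Assumption: you maintain this
# catalogue yourself; the entries here are illustrative, not authoritative.
KNOWN_SAAS = {
    "salesforce.com": "Salesforce",
    "basecamphq.com": "Basecamp",
    "taleo.net": "Taleo",
}

# Hypothetical HR feed: proxy username -> department.
USER_DEPT = {
    "alice": "Sales",
    "bob": "Sales",
    "carol": "PMO",
    "dave": "HR",
    "erin": "Finance",
}

# Constructed proxy log, one request per line:
#   <unix-ts> <user> <method> <url> <status> <bytes-sent>
SAMPLE_LOG = """\
1300000001 alice GET https://na1.salesforce.com/home/home.jsp 200 5123
1300000002 bob GET https://login.salesforce.com/ 200 812
1300000003 carol POST https://acme.basecamphq.com/projects 200 2210
1300000004 dave GET https://acme.taleo.net/careersection/ 200 9981
1300000005 erin POST https://app.unknownledger.io/api/upload 200 44100
1300000006 erin GET https://www.example.org/news 200 3300
1300000007 alice GET https://evil.salesforce.com.attacker.example/login 200 500
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<user>\S+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)


def registrable_domain(host):
    """Last two labels of the host. Assumption: adequate for .com/.net/.io;
    a production tool should consult the Public Suffix List instead."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify(url):
    """Return (service-or-None, registrable domain) for a URL.

    Matching on the registrable domain, not on a substring of the URL, is what
    keeps a look-alike such as evil.salesforce.com.attacker.example from being
    counted as Salesforce.
    """
    host = urlsplit(url).hostname or ""
    dom = registrable_domain(host)
    return KNOWN_SAAS.get(dom), dom


def inventory(log_text):
    """Build two views from proxy log text:
    known[dept][service]  -> set of users seen using that catalogued service
    unknown[dept][domain] -> bytes POSTed to destinations not in the catalogue
    """
    known = defaultdict(lambda: defaultdict(set))
    unknown = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the report
        dept = USER_DEPT.get(m["user"], "unknown")
        service, dom = classify(m["url"])
        if service:
            known[dept][service].add(m["user"])
        elif m["method"] == "POST":
            unknown[dept][dom] += int(m["bytes"])
    return known, unknown


def report(log_text):
    """Human-readable summary lines, one per (dept, service) or (dept, domain)."""
    known, unknown = inventory(log_text)
    lines = []
    for dept in sorted(known):
        for service, users in sorted(known[dept].items()):
            lines.append(f"{dept}: {service} in use by {', '.join(sorted(users))}")
    for dept in sorted(unknown):
        for dom, sent in sorted(unknown[dept].items()):
            lines.append(f"{dept}: {sent} bytes POSTed to uncatalogued {dom} (vet this)")
    return lines


if __name__ == "__main__":
    for entry in report(SAMPLE_LOG):
        print(entry)
```

Run against a real proxy export, the known-service view tells you which teams have already signed up for what, and the unknown-upload view is the list of providers that still need vetting. The look-alike line in the sample log is there deliberately: a naive `"salesforce.com" in url` check would attribute it to Salesforce and hide it from the vetting list.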

According to Denning of CA Technologies, moving to the cloud is more manageable than most people think, especially if you move slowly and deliberately. He advocates a crawl-walk-run approach. “First, map your organization,” Denning said. “Understand your users and what they are allowed to do.”

Next, once your internal controls are in place, Denning's advice is to get out of the data center business and start shifting resources into private clouds. "You've actually accomplished quite a lot when you have your space and your servers in someone else's data center."

Finally, as licenses expire and as upgrade cycles hit, you’ll be in position to knowledgeably and safely begin scrutinizing the public cloud vendors you’ll begin to trust with your mission-critical resources.

It’s important not to get complacent about evaluating cloud vendors. As the Ponemon-CA study found, too many people simply take cloud vendors at their word when it comes to security.

Macaulay of Bell Canada suggests starting with the basics before digging too deeply into their security practices. “Ask cloud providers to explain governance for their infrastructure. Ask what policy standards apply and how they enforce those policies. If they don’t have good answers, or if they don’t seem to know what you’re talking about, cross them off your list,” he said.

Effective security involves policies, technology and operational controls. Yes, you can drill down – way down – within those three categories, but those are the general areas. “If you focus on the bookends when evaluating vendors, you should learn a lot about how they will handle your data,” Macaulay said.

Those bookends are governance on one end (how the provider manages and secures your data) and auditing on the other (how the provider proves it is actually doing everything it claims to be doing).

Following that advice will get you started. This article itself is just a start. Articles in the coming months will dig into more cloud security best practices, including authentication and identity management, access controls, application security, monitoring and reporting, and auditing and compliance. Stay tuned.

Cloudbook Journal
Vol 2 Issue 2, 2011
