As your enterprise makes the transition to all things cloud, you may find that securing your infrastructure is one of the key challenges. Not only is the network adding complexity all the time with increased data flows and the addition of more devices, but navigating a cloud security strategy is much more complicated than in the days where the network was secured with a good firewall.
The security plane has widened, and so must the security strategy. When working with your cloud provider on a security plan, be sure to address the following areas:
Governance and policy: Generally, cloud providers handle security controls and compliance as a part of their own infrastructure. This means that the user of the cloud infrastructure assumes a risk policy, meaning they undertake a certain level of risk by transferring security management to the cloud provider. Take time to read over your service level agreement (SLA) and ask questions about how security will be handled.
Each situation related to governance and policy will be different based on the platform, Software as a Service (SaaS), and infrastructure used by the provider.
Asset management: You need to have a record of each system that is deployed and the defined security level for each of those systems. You need to use a change control process to handle the addition of new instances, assign the ownership of each asset and monitor the cloud accounts, both through the provider’s site and through your own accounts payable.
Access control: Role-based security is a cornerstone of good security management, which holds true with cloud applications. You’ll need to regularly audit and review access based on a “need to know” standard.
Incident response: In the event of a breach, you should know how your provider plans to retrieve data and how both provider and user will work together to reduce the impact of the event.
Business continuity: In the event of a critical system failure due to a natural disaster or fire, you need to know that your business will not have an interruption in processes. Using cloud systems typically means that you are more agile during this type of problem and can shift data quickly, but it’s important to have a plan in place before the event occurs.
You’ll also want to be familiar with your provider’s disaster recovery and business continuity plans. Know what happens if they decide to no longer support the system you’re using or if they go out of business. Considering a variety of possible events is an important step in completing your own security strategy.
Creating a comprehensive cloud security strategy begins with a provider who places the same priority on security. Before you choose a cloud provider, contact us at Clarksys.