Managing IT Security in the Cloud
7 Things to Consider, Part 1
There are many inherent benefits in leveraging the public cloud, such as infrastructure agility, scalability, cost-efficiency, and in many cases, performance. In the past couple of years we’ve seen that companies, from small to large enterprises, which have significant footprint in the traditional data center more willing to adopt cloud infrastructure and migrate critical workloads onto cloud infrastructures. Even with these benefits, many of our clients and prospective clients are still hesitant to go “all-in” on public cloud due to concerns around security and visibility. All enterprises, whether a born-in-the-cloud company or a traditional enterprise, should consider 7 things when managing IT security in the cloud:
1. Align Cloud Security of Your Organization to SLAs and Business Objectives
There are many security products and solutions out there in the marketplace that can help secure data, applications, OS, and network configurations in the cloud. Instead of just chasing after the shiny objects, it is important that you vet the right ones that are truly aligned with your SLAs and business objectives. Organizations should understand and document current critical business metrics and how they will change when operations go into the cloud — and figure out how cloud security solutions could help uphold these metrics of success. Of course, effective governance, risk, and compliance processes (internal audits) should also exist before bringing on new solutions.
2. Disaster Management
A good security solution should not just simply detect potential threats and block attacks. It should also have disaster management capabilities (or align with your existing DR strategy) to recover any lost data and track origin of the attack for subsequent investigation. One of the most widely employed disaster management strategies is secondary data back-up centers detached from their respective primary servers. Therefore, only the primary servers are affected in case of an attack. Companies should conduct periodic exercises for this and plan for proper steps that can be taken to ensure business continuity in the event of a significant breach.
3. Risk Management
Similar to securing a traditional data center (on-premise), in a cloud-based setting you also need to fully grasp all the major risks your company data face by conducting a comprehensive threat assessment. What type of data do you handle, process, and store? Which is the most sensitive part of your data, which if leaked, would result in negative publicity and impact on the bottom-line? It’s important to keep in mind that certifications and accreditations (PCI, HIPAA, ISO, SOC, etc.) for cloud providers don’t mean that you’re assured compliance—it’s ultimately your responsibility to encrypt and secure your own data. Encryption keys should also be protected in a robust manner.
In my next blog, we will look at the final 4 areas to consider with IT Security in the Cloud. Stay Tuned!
CMI – Your Adaptable Data Center Company