I always chuckle when I think back to those Microsoft Windows Live commercials where they exclaim “To the Cloud!” like they’re superheroes. In 2006-2007 the term “Cloud” was an overused buzzword that had no official meaning – at that time it seemed like a lot of people were talking about cloud computing or putting things in the cloud, but no one could actually articulate what that meant in simple terms or how it would work.
A real understanding and documentation in the technology community about cloud computing probably didn’t come together until mid-to-late 2008.
Today is a much different story. This year Gartner reported that:
nearly one third of organizations either already use or plan to use cloud or software-as-a-service (SaaS) offerings to augment their core business…
It is truly amazing to see how much this segment has matured in such a short period. We’re well past the buzzword stage and “The Cloud” is a reality. As the nature and meaning of traditional infrastructure change, the way your organization approaches security has to change with it.
Fundamentally, cloud security cannot be implemented the same way as traditional security. The biggest difference is that some of the infrastructure components and computational resources are owned and operated by an outside third party, and that third party may host multiple organizations side by side on a multi-tenant platform. The provider secures the platform it operates; you remain responsible for the data, configuration and access you put on top of it, and for verifying that the provider’s controls actually cover your requirements.
To break the buzzword down in terms of cloud + security, here are three steps that help you develop a cloud strategy while keeping security involved to minimize risk:
Involve Security Early
Security professionals should be involved from the start of the process of choosing a cloud vendor, focusing on the CIA triad of information security: Confidentiality, Integrity and Availability.
Concerns about regulatory compliance, controls and service level agreements can then be dealt with up front to quickly approve or disqualify vendors, rather than discovered after a contract is signed.
It’s Still Your Data
You know what is best for your company and understand how policies and regulations affect your business. It’s not reasonable to expect your provider to fully understand how your business should be governed. You are ultimately responsible for the protection of your data, for choosing the security measures it requires, and for confirming that your provider can actually implement and evidence them.
Continuously Assess Risk
It’s important to identify the data that will be migrated before anything moves. Does it make sense to migrate credit card data, other sensitive information or personally identifiable information at all? If so, what measures will you put in place to ensure that this information continues to be protected once it is in the cloud? How will you manage this data differently? Which metrics on the security controls will you report to audit and compliance?
These questions, plus many more, will help you to assess where your risk lies. As each question is answered, document the answer in your policies and procedures going forward, and revisit it as the data, the provider and the regulations change.
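Identifying which data is about to leave your boundary is the one step above that can be partly automated. The following is an added example, not code from the original post: a small pre-migration discovery scan that flags records containing cardholder data (a 13-19 digit number that passes the Luhn check), US-style social security numbers, or e-mail addresses, and reports which records need a decision and extra controls before they are copied to a provider. The sample records, the label names and the record IDs are constructed for the example.

```python
"""Pre-migration data discovery: flag records that carry cardholder data
or PII before they are copied to a cloud provider.

Added illustration; not code from the original post. The sample records,
label names and the rule 'PAN or SSN blocks migration' are constructed
for this example and would be replaced by your own classification policy.
"""
import re
from collections import Counter

# Candidate patterns. A PAN candidate is 13-19 digits, optionally separated
# by spaces or dashes, bounded by non-digits on both sides; it is only
# reported if it also passes the Luhn checksum, which filters out most
# order numbers and other long numeric identifiers.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def luhn_ok(digits):
    """Return True if the all-digit string satisfies the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(value):
    """Return the set of sensitivity labels that apply to one field value."""
    labels = set()
    for m in PAN_RE.finditer(value):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            labels.add("PAN")
    if SSN_RE.search(value):
        labels.add("SSN")
    if EMAIL_RE.search(value):
        labels.add("EMAIL")
    return labels


def scan(records):
    """Scan a list of dict records.

    Returns ({label: number of records carrying it},
             [ids of records that must not migrate without extra controls]).
    """
    counts = Counter()
    blocked = []
    for rec in records:
        found = set()
        for v in rec.values():
            found |= classify(str(v))
        counts.update(found)
        if found & {"PAN", "SSN"}:      # policy assumed for the example
            blocked.append(rec["id"])
    return dict(counts), blocked


# Constructed sample data. 4111111111111111 is the widely used Visa test
# number (Luhn-valid); 1234567890123456 fails Luhn and must not be flagged.
SAMPLE = [
    {"id": 1, "name": "A. Customer", "notes": "paid with 4111 1111 1111 1111"},
    {"id": 2, "name": "B. Customer", "notes": "order ref 1234567890123456"},
    {"id": 3, "name": "C. Customer", "contact": "c.customer@example.com"},
    {"id": 4, "name": "D. Customer", "notes": "SSN 123-45-6789 on file"},
]

if __name__ == "__main__":
    counts, blocked = scan(SAMPLE)
    print("labels found:", counts)
    print("records needing a decision before migration:", blocked)
```

Two design points worth noting: the `\b` anchors mean a 20-digit run is never reported as a card number (no 13-19 digit window inside it ends on a word boundary), which keeps long internal identifiers out of the report; and the Luhn check is what turns a noisy regex into something you can hand to audit as a metric, since every hit it produces is at least a structurally valid PAN.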