March 1, 2023
Juggling security in the cloud can seem like an insurmountable task, especially when hybrid cloud and multicloud environments come into play. While your cloud service provider (CSP) can help manage some layers of cloud security, you’ll still be left with management of at least your users and data, if not your application layer.
One way to help keep track of all the security vectors within your organization is to divide them into these ten zones of enterprise cloud security. Any cloud security policy should cover each of these areas. You can also assign a single engineer or administrator to have ownership over each zone.
Risk management includes aspects of all of the zones below. It spells out your ability to evaluate and mitigate risk in the use of your cloud environment. Risk management policies should include overall governance of cloud services, including who takes responsibility for managing contracts and overall cloud operations, who is in charge of the security team(s), what happens when a contract is broken, how overall security and risk are evaluated for CSPs, and any other potential legal issues. Risk management can also describe how your organization handles sensitive data, including how data is protected during a security event involving a CSP.
Carefully review all SLAs with your CSP as well as the contract itself to determine who is responsible for what within your cloud environment. Check for data ownership issues, security breach disclosure clauses, privacy policies, and any international laws that could come into play (if your cloud provider has facilities overseas, for example). You must be clear on who is responsible for various breach scenarios within the environment.
All data that resides in the cloud must be carefully tracked and managed, both for security purposes and to reduce overall costs by archiving old data or moving it to a lower-performance tier when it is no longer needed regularly. Information lifecycle management should include policies on how to locate, migrate, and handle data stored in the cloud. Be sure to clarify data ownership as part of your cloud contract, as mentioned above.
Specific industries and data types, like health data or even e-mail discussing legal matters, must be treated differently in the cloud than everyday business information. Use a compliance checklist, third-party auditors, and certified compliant hosting providers to achieve compliance. eDiscovery can be added to your cloud environment to help locate archived e-mails and other data should they be required for a court case. Your CSP can help configure specific cloud instances tailored to long-term archive and eDiscovery as well as to meet specific compliance standards.
Operational security focuses on traditional infosec models and how daily procedures can affect security and business continuity. When adopting a cloud operational security policy, examine any additional risks involved in using a CSP as opposed to on-premises infrastructure, and conversely consider how the provider may in fact improve your security through monitoring, IPS/IDS, firewalls, etc. Business continuity plans like backup and disaster recovery also come into play as part of operational security, as they can help you recover from malicious activity. Virtualization platforms are a key factor in operational security. Consider how multitenant environments may affect your security and whether any of your systems might require isolated VMs. Be sure to ask your CSP how they handle hypervisor updates and vulnerabilities.