3 keys to keep enterprise clouds secure

Outsourcing has won out over ownership, and the rush to the cloud continues to gather pace. Where security is concerned there are two major trends that threaten to expose your company to unnecessary risk. There's a lack of planning and due diligence when choosing cloud providers, and there's a murky grey area when it comes to responsibility. They can both be mitigated by building security planning into your system from the start, instead of trying to retro-fit.

There are standards that can be applied to inform your planning, and help you to assess the maturity of your security model. The Cloud Controls Matrix (CCM) by the Cloud Security Alliance seeks to uncover a set of fundamental security principles that you can use to assess your prospective cloud providers, or, if you're a cloud vendor, to guide your development and enable you to tick all those vital security boxes for customers.

Evaluating cloud provider security

When shopping for a cloud partner there's a lot to consider and you should use something like the CCM to drill down into the details. Looking at the bigger picture, you need to address a lot of potential security risks.

Before you start to build out a security plan, probably drawing on your existing governance, risk and compliance processes, take time to analyse your data and identify all of your assets. Data classification and discovery is often overlooked and good security is about protecting everything, not just whatever is in your line of sight.

Ask any prospective cloud provider to produce detailed documentation on their setup. A complete set of terms should be hammered out in your Service Level Agreement (SLA) that covers every potential eventuality down the line. This will protect you and establish levels of responsibility. You should be clear on data encryption in transit and storage, compliance and legal exposure, levels of authentication, and what happens in the event of service breakdown.

It's important to understand exactly what control you are ceding to an external party. Try to avoid the vendor lock-in that typically accompanies proprietary software. There are plenty of good applications and services out there that meet industry standards and deliver the functionality you need. You can also leverage more value from your existing tools and systems by investigating their security capabilities; you may find that you aren't maximising the potential of what you already have.

Consider how the system will be managed and how security incidents are handled. Is there a mechanism in place to detect and report security breaches? Without it, you simply don't know how secure your system is.

Changing roles: who's responsible for this?

Separate internal security teams are a thing of the past. Those responsibilities are typically being infused within infrastructure and network administration roles. There's a danger when this occurs that too much responsibility is being heaped onto already overburdened shoulders. Is the necessary expertise there? Are roles and responsibilities clearly defined? Do your internal employees have the mechanisms of control in place?

There could be an easy answer to this. If you're prepared to outsource your data or application delivery and management, then why treat security any differently? A dedicated external team with the correct expertise can own your security model and ensure that it meets high standards across the board, from compliance and governance, to privacy policy, auditing, data protection, and beyond.

Whether you need to adhere to ISO 27001/27002 or NIST compliance standards, you can bet that a dedicated external cloud security team working with these frameworks daily is going to have a better handle on them than internal staff with divided responsibilities. An external audit can document gaps in your system and give you a realistic snapshot of your risk. Before you can control and mitigate risks, you need to understand what they are.

Building a solid foundation

The shift to the cloud is not a one-off process; it's a fluid evolution, and so establishing a model for your plan which can inform everything that comes later is important. You're not looking to find that one perfect solution, you're trying to adopt an approach and a set of standards that will ensure security beyond the horizon. Achieving a high level of security with your private or public cloud services and applications is easier and cheaper if you start right.

Make sure that boat is seaworthy before you launch, because finding and plugging leaks when you're out in the middle of the ocean is asking for trouble.

Michelle Drolet is founder of Towerwall , a data security services provider in Boston, Massachusetts with clients such as PerkinElmer, Smith & Wesson, Middlesex Savings Bank, Brown University and Bahamas Telecom. You may reach her at michelled@towerwall.com

Join the CSO newsletter!

Error: Please check your email address.

More about ISO

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Michelle Drolet

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts