Steps for developing a cloud security policy
Cloud security vulnerabilities can stretch across the entire enterprise and reach into every department and device on the network, so the policy that addresses them needs to be equally broad. Input and sign-off from stakeholders across business units gives a clearer picture of the current security posture and of the steps needed to improve it, and departmental IT audits surface the resources and workloads (including ones central IT did not know about) that any cloud security policy initiative must cover.
Organizations reduce cloud security risk most effectively by first formulating a policy that reflects their own systems and configurations and, above all, the requirements of their own business processes, rather than adopting a generic template.
Consider the following steps to begin formulating an organization-wide policy:
- Step 1: Assess governance and compliance processes
Catalog existing IT governance and compliance obligations by identifying who owns each responsibility and documenting the security, privacy, and compliance policies that protect the organization and its resources. These obligations drive the cloud-specific requirements: each one must be mapped to the controls and contractual terms the cloud vendor actually provides. For example, if regulation requires the legal department's data to be available at all times for discovery and audit, any cloud storage platform that holds it must meet the same retention, availability, and auditability obligations.
- Step 2: Evaluate security controls of cloud vendors
Not all clouds are created, or provisioned, equally. Perform due diligence on the security practices of existing and prospective cloud partners: document the security controls each partner offers, identify the gaps under the shared responsibility model, and plan internal controls to fill them. During evaluation, request service level agreements (SLAs) and independent security audit reports from each vendor, and note which controls the vendor operates and which remain the customer's job to configure.
- Step 3: Tighten access
Cloud security policies should define clear roles for specific personnel and grant each role access only to the applications and data it needs (least privilege). The process should account for all shadow IT resources, require multi-factor authentication for privileged and remote access, and specify how access is logged, how often entitlements are reviewed, and who signs off on the review.
- Step 4: Keep a lid on data
Sensitive data should be encrypted at rest and in transit as it traverses the cloud and the internet. Most cloud providers expose application programming interfaces (APIs) for their services, which customers and third-party tools can use to enforce encryption, key management (for example customer-managed keys where the data classification demands them), and data loss prevention (DLP) policies, among other controls. Clearly document the security requirements for internal and external data stores, including which data classes may live in which stores.
- Step 5: Secure connections
Do not overlook the security of data in transit to and from the cloud. Set clear policies on connectivity security, including Transport Layer Security (TLS) and virtual private network (VPN) requirements, with a minimum protocol version (the older SSL protocols and TLS 1.0/1.1 are deprecated and should not be permitted), data-in-transit encryption for every service endpoint, and network traffic scanning and monitoring.
- Step 6: Cover the perimeters
A single compromised endpoint can expose data in every cloud it has credentials for. Formulate policies for which devices may access cloud resources, what endpoint security (patching, disk encryption, endpoint detection and response) they must have, and how non-compliant devices are blocked.
- Step 7: Integrate security
No single security solution is enough, but a pile of unintegrated security solutions creates its own gaps and blind spots. Find ways to integrate tools and apply shared policies consistently, for example by extending the DLP rules already enforced on devices to the cloud so that the same data classifications and blocking rules apply in both places.
- Step 8: Conduct frequent security audits
Maintain current and effective security by periodically auditing all policies. During these audits, verify that cloud services are actually configured the way the policy requires, not just that the policy exists; automated configuration checks make this repeatable between manual audits. Patch and upgrade components to stay ahead of current threats, and regularly re-check the cloud vendor's SLAs and its system security audit reports.
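The requirements in Steps 3, 4, 5, and 8 only have teeth if they are checked against real configuration. The following added example (not code from the original article) shows the policy-as-code pattern: an inventory snapshot of cloud resources is evaluated against rules for least-privilege roles with periodic access review, encryption at rest and in transit, public exposure, access logging, and minimum TLS version on connections, and anything the policy cannot classify is flagged as potential shadow IT. The inventory schema, field names, department list, and thresholds are assumptions chosen for illustration; a real run would map fields from the provider's configuration export or API onto them.

```python
"""Policy-as-code audit over a constructed cloud resource inventory.

Added example; the schema, thresholds and sample resources below are
assumptions for illustration, not real infrastructure.
"""
from dataclasses import dataclass
from datetime import date

REVIEW_INTERVAL_DAYS = 90               # assumed: access reviews at least quarterly
MIN_TLS = (1, 2)                        # TLS 1.2 is the floor; SSL and TLS 1.0/1.1 fail
SENSITIVE_DEPTS = {"legal", "finance"}  # assumed: these must use customer-managed keys
AS_OF = date(2024, 3, 1)                # audit date, fixed so results are reproducible

# Constructed sample inventory (not real resources).
INVENTORY = [
    {"id": "s3://legal-discovery", "type": "bucket", "dept": "legal",
     "encrypted_at_rest": True, "kms_key": "customer", "public": False,
     "tls_only": True, "access_logging": True},
    {"id": "s3://marketing-assets", "type": "bucket", "dept": "marketing",
     "encrypted_at_rest": False, "kms_key": None, "public": True,
     "tls_only": False, "access_logging": False},
    {"id": "vpn-gw-1", "type": "vpn", "dept": "it",
     "min_tls_version": "1.0", "mfa_required": False},
    {"id": "role/legal-readonly", "type": "iam_role", "dept": "legal",
     "last_access_review": "2024-01-15", "actions": ["s3:GetObject"]},
    {"id": "role/ops-admin", "type": "iam_role", "dept": "it",
     "last_access_review": "2023-03-01", "actions": ["*"]},
    {"id": "saas-app-xyz", "type": "unknown", "dept": "sales"},
]


@dataclass(frozen=True)
class Finding:
    resource: str
    rule: str
    detail: str


def _tls_tuple(version: str) -> tuple:
    """'1.2' -> (1, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in version.split("."))


def check_bucket(r: dict) -> list:
    """Step 4 (data at rest) plus exposure, TLS-only access and logging."""
    f = []
    if not r.get("encrypted_at_rest"):
        f.append(Finding(r["id"], "data-at-rest", "object storage not encrypted at rest"))
    elif r["dept"] in SENSITIVE_DEPTS and r.get("kms_key") != "customer":
        f.append(Finding(r["id"], "data-at-rest", "sensitive data must use a customer-managed key"))
    if r.get("public"):
        f.append(Finding(r["id"], "exposure", "bucket is publicly accessible"))
    if not r.get("tls_only"):
        f.append(Finding(r["id"], "data-in-transit", "plaintext (non-TLS) access is allowed"))
    if not r.get("access_logging"):
        f.append(Finding(r["id"], "logging", "access logging disabled"))
    return f


def check_connection(r: dict) -> list:
    """Step 5: connection endpoints must enforce a modern TLS floor and MFA."""
    f = []
    version = r.get("min_tls_version", "0")
    if _tls_tuple(version) < MIN_TLS:
        f.append(Finding(r["id"], "data-in-transit", f"minimum TLS {version} is below 1.2"))
    if not r.get("mfa_required"):
        f.append(Finding(r["id"], "access", "remote access without MFA"))
    return f


def check_role(r: dict, as_of: date) -> list:
    """Step 3: no wildcard grants, and every role reviewed within the interval."""
    f = []
    if any(a == "*" or a.endswith(":*") for a in r.get("actions", [])):
        f.append(Finding(r["id"], "access", "wildcard permissions violate least privilege"))
    last = r.get("last_access_review")
    if last is None or (as_of - date.fromisoformat(last)).days > REVIEW_INTERVAL_DAYS:
        f.append(Finding(r["id"], "access", "access review overdue"))
    return f


def audit(inventory: list, as_of: date) -> list:
    """Dispatch each resource to its rule set; unclassified types are flagged (Step 3)."""
    findings = []
    for r in inventory:
        t = r.get("type")
        if t == "bucket":
            findings += check_bucket(r)
        elif t == "vpn":
            findings += check_connection(r)
        elif t == "iam_role":
            findings += check_role(r, as_of)
        else:
            findings.append(Finding(r.get("id", "?"), "inventory",
                                    f"no policy rule covers resource type {t!r}; treat as shadow IT"))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per rule, the view an audit report usually leads with."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


def run_audit() -> list:
    return audit(INVENTORY, AS_OF)


if __name__ == "__main__":
    results = run_audit()
    for f in results:
        print(f"{f.rule:16} {f.resource:24} {f.detail}")
    print(summarize(results))
```

Each check returns findings rather than raising, so a single non-compliant resource does not stop the audit, and the summary by rule shows which policy area is failing most. Wiring the same checks into a scheduled job (or a deployment pipeline gate) turns the periodic audit of Step 8 into a continuous one.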
An organization’s cloud security policy will evolve over time as new threats and remedies present themselves. This calls for a regular review of the threat landscape and modification of defenses accordingly. Among the promising new technologies and strategies for protecting cloud computing are higher levels of security automation, artificial intelligence for quicker threat detection, and service-based cloud security platforms.