While the IT industry has made significant strides in public and hybrid cloud computing security, many businesses remain concerned about new and emerging cloud security challenges and how they can create a cloud security policy to protect the organization. A new generation of malware and exfiltration techniques continues to threaten data and apps on premises and in the cloud. Meanwhile, ongoing cloud security challenges include data theft, misconfiguration, vulnerabilities introduced through bring your own device (BYOD) policies, shadow IT, and incomplete cloud visibility and control. In McAfee's 2018 cloud security report and survey, "Navigating a Cloudy Sky: Practical Guidance and the State of Cloud Security," respondents identified visibility into cloud processes and workloads as their number one security concern. The second hot-button issue was lack of control in the cloud.
Lack of visibility. Security personnel cover on-premises, private cloud data, and workloads—this data is on-site and under their governance. However, most enterprises also rely on public or hybrid cloud apps and services, where a third-party provider oversees the cloud infrastructure. Organizations need to implement policies that ensure visibility into third-party cloud platforms.
Lack of control. With software-as-a-service (SaaS) and infrastructure-as-a-service (IaaS) vendors, the organization, not the third party, remains solely responsible for protecting data and user access. This means that organizations need to leverage that visibility to formulate a strategy and policy for cloud data protection.
These concerns are intimately linked. Without proper cloud visibility, organizations cannot exercise proper security controls. According to Gartner research, 95% of all cloud security failures (through 2020) will be primarily the customer’s fault—usually by misconfiguring their services.
Other top concerns voiced in the McAfee survey and report include the following:
- Lack of consistent security controls over multi-cloud and on-premises environments
- Inability to prevent malicious insider theft or misuse of data
- Advanced threats and DDoS attacks against cloud infrastructure
- Spread of attacks from one cloud to another
The best solution for improving an organization’s cloud computing security is to develop a comprehensive approach that is all-encompassing yet flexible enough to quickly respond to new threats and cloud security challenges.
Steps for developing a cloud security policy
Potential cloud computing security vulnerabilities can stretch across the entire enterprise and reach into every department and device on the network. Therefore, security needs to be robust, diverse, and all-inclusive. Security policy advice and consent from stakeholders across business units can provide a clearer picture of current security and what steps are needed to improve security. Departmental IT audits can reveal resources and workloads that need to be addressed in any cloud security policy initiative.
Regardless, organizations can significantly reduce cloud security risks by first formulating a policy that reflects the organization’s unique systems, configurations, and, above all, the requirements of its business processes.
Consider the following steps to begin formulating an organization-wide policy:
- Step 1: Assess governance and compliance processes
Catalog IT governance and compliance by reaching out and documenting IT responsibilities—the security, privacy, and compliance policies that protect the organization and its resources. These responsibilities guide formulation of needed cloud-specific steps to conform to corporate guidance and compliance in accordance with cloud vendor services. For example, if data from the legal department must be available at all times, per regulation, for discovery and audit, cloud-based storage vendor platforms must conform to those compliance obligations.
- Step 2: Evaluate security controls of cloud vendors
Not all clouds are created—or provisioned—equally. Performing due diligence of existing and potential cloud partner security practices is recommended. This can be accomplished by documenting the partner’s security options and formulating internal solutions that can augment the cloud service offerings. During evaluation, request service level agreements (SLAs) and security audits from cloud vendors.
- Step 3: Tighten access
Cloud security policies should specify clear roles for defined personnel and their access to defined applications and data. This process should account for all shadow IT resources and specify how access is logged and reviewed.
- Step 4: Keep a lid on data
Sensitive data should be encrypted both at rest and in motion as it traverses the cloud and internet. Many cloud providers open up application programming interfaces (APIs) to their services, which third parties can take advantage of to enforce their encryption or data loss prevention (DLP) policies, among other security measures. Clearly document security requirements for internal and external data stores.
- Step 5: Secure connections
Do not overlook data security to and from the cloud. Set clear policies on connectivity security, including secure sockets layer (SSL) and virtual private network (VPN) requirements, data-in-transit encryption, and network traffic scanning and monitoring.
- Step 6: Cover the perimeters
A single infected endpoint can cause a data breach in multiple clouds. Formulate policies for device access to cloud resources and the required endpoint security.
- Step 7: Integrate security
No single security solution is enough. However, too many security solutions with no integration may create gaps or vulnerabilities. Find ways to integrate and leverage shared policies, such as taking DLP from your devices and extending it to the cloud.
- Step 8: Conduct frequent security audits
Maintain current and effective security by periodically auditing all policies. During these audits, ensure cloud services are configured as expected. Upgrade components to remain ahead of the latest threats. Regularly check the cloud vendor's SLAs and its system security audits.
An organization’s cloud security policy will evolve over time as new threats and remedies present themselves. This calls for a regular review of the threat landscape and modification of defenses accordingly. Among the promising new technologies and strategies for protecting cloud computing are higher levels of security automation, artificial intelligence for quicker threat detection, and service-based cloud security platforms.