Setup cloud security controls

Setup cloud security controls

The security controls are a prioritized, highly focused set of actions that have a support team to make them implementable, usable, scalable, and compliant with all industry or government security requirements. These controls assume that an organization has management control over the application and infrastructure s of the IT environment. A condition that is no longer true once cloud resources are implemented.

Organizations considering moving data to the cloud need to understand exactly where the data will be located or processed. The first question when moving any data to the cloud is whether the cloud provider has data security policies and standards that are appropriate for business users. Not all cloud services are designed to provide a high level of security and protection for the organizations data.

Privacy policies often permit cloud providers to analyze the data, the usage or associated metadata, which they use for purposes such as targeted advertising or to predict consumer trends. For most businesses, the use of such a cloud provider would not be appropriate.

A first step in the due diligence should be to analyze the target market for the cloud provider, review its privacy policy and understand what the terms of use or service agreement provide with respect to the privacy and security of the data. If comfortable with the cloud provider as an enterprise level provider, additional due diligence and negotiation, should focus on higher levels concerns.

Next the organization should have an information security strategy in place supported with policies, procedures, standards, guidelines, and regulatory and compliance requirements. Take into account the data classification and data protection regulations that dictate the roadmap to migration. Determine which processes, systems and data can be migrated and what service model will best suit the needs for each of the selected application in line with the security strategy.

Strong and solid organizations understand the value of maintaining control of their own internal data, including intellectual property, source code, and any other sensitive data that would benefit from the existence of policies designed to restrict access or block over-sharing. Hybrid operating environments can create some unique challenges in the area of information protection and compliance. Make sure there is a data loss prevention solution that can protect the data while the employees are increasingly going to the web and cloud.

Tasks

1. Read the specific policies and standards in place that aim to secure data both in transit and in the cloud infrastructure.
2. Ensure that the cloud provider SLA acknowledge sole ownership of the data stored on the service and that both contractual and logical controls prevent vendor access without authorization.
3. Reviewing the cloud providers business continuity plan and require notice of changes to that plan, and if this is not possible, setting certain minimum business continuity requirements in the SLA.
4. Ensure that the cloud provider has an obligation to provide the notice of its receipt of any warrant, subpoena or similar request and to provide an opportunity to intervene and prevent the data disclosure.
5. Ensure that the cloud provider datacenters, whether owned by the vendor or third parties, maintain an adequate level of physical security controls, such as appropriate alarm systems, fire suppression, visitor access procedures, security guards and video surveillance.
6. Revise the organization policies and procedures of risk management, configuration and change management, vulnerability management, business continuity and disaster recovery plans, incident handling, security assessments, security awareness and training, and forensics to take into account the cloud deployments.

Hints and tips

• It is crucial evaluating the cloud provider’s security policies.
• Understand the cloud data so it can be identified where the most sensitive data resides.
• Follow strict industry regulations (e.g. HIPAA, PCI DSS) relating to where sensitive data is held and how it is secured, if applicable.
• Make good use of the services provided by cloud providers that can help comply with industry regulations.
• Enforce the principle of least privilege to protect the most sensitive data.
• Cloud providers provide encryption options for data at rest in the hosted systems, it is even more important to have the data encrypted during transit.
• Make sure to implement a unified method for pushing policies out to govern access and control, regardless of whether the security gateways and services being used to govern application access control and protect information.
• Apply a universal policy enforcement, wherein the policy is set once and then pushed out to virtual gateways and security appliances.
• Enforce two-factor authentication to reduce the risk of unauthorized access to mission-critical data stored in the cloud.
• Legal counsel should be involved early in the process so that a list of key data protection and SLA requirements can be addressed.
• The data is going to spread across multiple networks and devices after migration, with varying levels of risk and security. Before taking an effective plan to avoid risk completely, here is a checklist to answer:
  • What type of sensitive data is used, stored or transferred?
  • Who has access to this data?
  • Why, when and where are the users accessing this data?
  • How is the data stored when it is idle?
  • How is data access controlled?
  • What are the compliance requirements?
• To keep the data secure in the cloud requires a whole new level of security procedures and strategies.

Activity output

• Foundation for security policies and standards