Exploits & Vulnerabilities
10 Steps to Securing Your Journey to the Cloud
Consumers are understandably hesitant about using applications and storing data in the public cloud. Concerns such as: “Is my data secure?” “Who has access to my data?” and other questions are common as they consider making the journey to the cloud.
Consumers are understandably hesitant about using applications and storing data in the public cloud. Concerns such as: “Is my data secure?” “Who has access to my data?” “What happens if the public cloud provider suffers a breach?” or “Who is responsible if my data is exposed?” are common as they consider making the journey to the cloud.
Despite an inherent loss of control with cloud computing, the consumer still bears some responsibility for their use of these services.
The Cloud Standards Customer Council published the "Security for Cloud Computing: 10 Steps to Ensure Success" white paper which includes a list of steps, along with guidance and strategies, designed to help public cloud consumers evaluate and compare security offerings in key areas from different cloud providers.
1. Apply governance, risk, and compliance processes. Security controls in cloud computing are similar to those in traditional IT environments, but your need to understand your own level of risk tolerance and focus on mitigating the risks that your organization cannot afford to neglect.
2. Audit both operational and business processes. Audits should be carried out by appropriately skilled staff, alongside the sets of controls established to meet your security requirements.
3. Understand the user privledges. Organizations manage dozens to thousands of employees and users who access cloud applications and services, each with varying roles and entitlements. You need to control their roles and privileges.
4. Secure data and information. Cloud computing brings an added focus on data security because of the distributed nature of the cloud computing infrastructure and the shared responsibilities that it involves.
5. Put muscle behind privacy policies. You are responsible not only for defining policies to address any privacy concerns and raise awareness of data protection within the organization, but also for ensuring that your cloud providers adhere to the defined privacy policies.
6. Assess application security. Clearly defined security policies and processes are critical to ensure the application is enabling the business rather than introducing additional risk.
7. Ensure secure network connections. You should expect certain external network perimeter safety measures from your cloud providers.
8. Evaluate physical security. An important consideration for security of any IT system -- even a cloud-based one -- concerns the security of physical infrastructure and facilities.
9. Double check the cloud SLA's security terms. Since cloud computing typically involves two organizations ‐ the service consumer and the service provider, security responsibilities of each party must be made clear.
10. Understand the security requirements of the exit process. The exit process must allow you to retrieve your data in a suitably secure form, including clarity on backup retention and deletion.
The paper discusses these steps in detail, along with the threats, technology risks, and safeguards for cloud computing environments. Want a walkthrough? Download a recording of the recent webinar on the 10 Steps to Ensure Success here. Trend Micro’s Jonathan Gershater (@jgershater) led and authored step 3 of the paper: Manage Peoples, Roles and Identities.