7 Steps to Secure Cloud
Organizations looking to leverage the significant advantages of cloud computing would like to list security as one of those benefits. But in reality, it’s not an automatic win. Moving an enterprise to the cloud in the most secure and efficient way is more of a journey, which can be simplified into seven steps.
Too often companies try to choose a cloud vendor first, and then create a plan to get there. This is like driving backward down a long highway with many entry and exit ramps. Instead, plan first. Include your actual current state, desired future state and a realistic transition plan based on standards, guidelines and proven processes.
The current state may not be obvious. A quick survey of any group of business leaders generally finds that many who believed they were not yet working in the cloud really were in the cloud to a certain extent. It could be a result of shadow IT or simple ignorance among a team trying to improve its productivity, but the cloud is there. Accurately assessing your current state is critical to choosing an end state and building a plan to get there.
One of the most common reasons enterprise cloud transitions fail is that data isn’t properly classified before being pushed to the cloud. Taking this step in advance helps you find your data once it is in the cloud, saving you time, money, risk and trouble.
Data classification must follow a strategy that specifies which types of data to classify and defines the category tags before the actual tagging can begin, which seems tedious but is necessary.
It’s human nature to focus on the highest profile aspects of security, but making choices based on levels of encryption between hypervisors is not the way to choose a security scheme for your enterprise in the cloud.
Most clouds that serve large enterprises have existing security infrastructures for their clients. Look to security infrastructures that most closely match your internal environment, not those with the greatest number of bits in their encryption keys.
Some of the most overlooked considerations when choosing a cloud environment include:
- How to perform cloud-based auditing (yes, you still have to do it)
- How to enforce controls
- How global data will flow
- How flexible the standard operating environments (SOEs) will be
Choosing the right base security scheme to start with is a critical step on your journey.
Now that you’ve chosen a cloud security scheme, you’re ready to start designing your cloud security. You must customize, augment, tweak and own the security that will extend and enforce your enterprise security policies most efficiently. This is where a cloud agility layer, such as CSC Agility Platform, can extend your policies once to all your various cloud services, whether they are public, private or hybrid.
Beyond getting the most out of today’s technology and future-proofing for tomorrow, the other key consideration is crafting your SOEs. Too often environments are either too rigid, so people work around them, or too lax to provide enough security. Using an agility layer with policy-based governance and management, you can get the most security from your cloud today and tomorrow.
Myth-busting time. Until a few years ago, conventional wisdom said to start small and just nibble on the edges of your enterprise as you move to the cloud. After exhaustive and time-consuming studies, everyone always came up with email as the first transitional element. That was then.
Now we have example after example of successful enterprises migrating entire core-business workloads to the cloud. HR, sales, finance and development are all great use cases to build when moving to today’s cloud. And use-case templates around SAP can save you time and money without sacrificing security.
Be sure to test both pre- and post-migration, and work within an overall migration plan, but don’t hesitate to get your key workloads to the cloud.
When you pick a cloud partner, do not give up your responsibility for security. It’s critical that you plan and understand how your security will be operated, either by you or on your behalf.
You need policy-based controls and enforcement that extend into any cloud you choose, even public clouds, or you’ll drive yourself mad. Since you’ve now designed continuous monitoring capabilities into your scheme, it’s time to focus on those capabilities. Attacks are continuous, and so must be your vigilance. This is also the place to plan, rehearse and evolve your cloud auditing to handle the new cases, new features and obligatory changes caused by companies not under your direct control.
Security by policy, all the time and auditable: This is how to operate security in the cloud.
If you think responding to a security event in your enterprise is hard, just wait until you get to the cloud and you no longer have access to the hardware, are unsure of the geographically applicable laws and regulations, and don’t even know where to send your “go team.”
Incident response in the cloud is not harder, but it is different. Advance planning and practice are critical. There should be no introductions necessary during an event. Joint teams that practice together using pre-established policies, processes, playbooks, access and recovery systems are key to a successful recovery in the cloud.
Cloud security is neither automatic nor easy, but it’s possible and completely worth the effort. An enterprise that builds security into its cloud transition plans ahead of time is already off to a great start. Following these seven steps will help you survive the move.