Study Different Cloud Models and Categories
Step No. 3: Study different cloud models and categories
Enterprises need to study the different cloud models (public, private, hybrid) as well as the different cloud categories (SaaS, PaaS, IaaS), because they differ in ways that bear directly on who holds security control and who carries the responsibility for it.
Every enterprise needs a position and a policy on each of these cloud approaches, set in the context of its own organization and the risk profile of its own business (discussed previously in step two).
A good source on this issue and on other security implications of the cloud is the recent ENISA publication, "Cloud Computing: Benefits, risks and recommendations for information security." The legal organization should also play an important role here, as issues such as warranty and liability form an important part of this analysis.
Step No. 4: Apply your service-oriented architecture (SOA) design and security principles to the cloud
Most organizations have been applying SOA principles in their application development organizations for a number of years. Isn't the cloud a massive expansion of SOA? The cloud is service orientation taken to its next logical step. The SOA security principles of highly distributed security enforcement, combined with centralized security policy administration and decision making, apply directly to the cloud. There is no need to reinvent this wheel when moving your focus from SOA to the cloud: just transfer the principles.
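The following is an added illustration, not code from the article, of the principle just described: one policy decision point (PDP) holds and administers policy, while enforcement points (PEPs) embedded in separate cloud services only ask it and enforce its answer. The service names, resource identifiers and the single rule are constructed for the example.

```python
from collections import namedtuple

Request = namedtuple("Request", "subject action resource")  # who, what, which cloud resource

class PolicyDecisionPoint:
    """Central policy administration and decision making. Deny by default."""
    def __init__(self):
        self.rules = set()   # (subject, action, resource) triples that are permitted
        self.audit = []      # one audit trail covering every enforcing service

    def permit(self, subject, action, resource):
        self.rules.add((subject, action, resource))

    def revoke(self, subject, action, resource):
        self.rules.discard((subject, action, resource))

    def decide(self, req):
        allowed = tuple(req) in self.rules
        self.audit.append((req, allowed))
        return allowed

class PolicyEnforcementPoint:
    """Deployed in each service: enforces the PDP's answer, never decides itself."""
    def __init__(self, service, pdp):
        self.service, self.pdp = service, pdp

    def guard(self, subject, action, resource, operation):
        if not self.pdp.decide(Request(subject, action, resource)):
            raise PermissionError(f"{self.service}: {subject} may not {action} {resource}")
        return operation()

def demo():
    """Two services share one PDP; a central revoke takes effect at both PEPs."""
    pdp = PolicyDecisionPoint()
    pdp.permit("billing-svc", "read", "storage:invoices")  # constructed rule
    storage = PolicyEnforcementPoint("storage-api", pdp)
    compute = PolicyEnforcementPoint("compute-api", pdp)

    def attempt(pep, action, resource):
        try:
            return pep.guard("billing-svc", action, resource, lambda: "ok")
        except PermissionError:
            return "denied"

    first = attempt(storage, "read", "storage:invoices")   # permitted by the rule
    second = attempt(compute, "start", "compute:vm-17")    # no rule: denied
    pdp.revoke("billing-svc", "read", "storage:invoices")  # one central change
    third = attempt(storage, "read", "storage:invoices")   # denied, no redeploy
    return [first, second, third], len(pdp.audit)
```

The point to notice is that the revoke happens once, at the PDP, and every service's PEP reflects it on the next request, while all decisions land in a single audit trail.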