How to Improve Cloud Security in Your Enterprise

As cloud consumers, enterprises can do much to improve cloud security. In fact, when it comes to securing corporate information in the cloud, it really is the responsibility of the enterprise. If there is a breach, it's the enterprise that will be seen as responsible, at least for now. By thinking as a cloud provider, Knowledge Center contributor Matthew Gardiner shows enterprises how they can improve security in their cloud computing model and prepare to reap the most benefit from the cloud.


In this article, I will discuss six ways enterprises can improve cloud security. Yes, you read that correctly. Enterprises, as cloud consumers, must work to improve cloud security. Most of the discussion around security of the cloud has focused on what the cloud providers should do. The data and application services are on their premises. But enterprises need to remember that they bear a large (and in some situations, the largest) part of cloud security responsibility. Enterprises must never forget that they will face the majority of the blame if security breaches occur. They are, after all, the entities that have collected the data.

Cloud security is best thought of as a joint responsibility between cloud providers and enterprises, and the dividing line between the two currently is a bit...cloudy. The dividing line depends directly on the type of cloud model that is in play, ranging from software as a service (SAAS) to platform as a service (PAAS) to infrastructure as a service (IAAS).

On one end of the spectrum, SAAS approaches what could be considered a security black box, where application security activities are largely not visible to the enterprise. On the other end of the spectrum is IAAS, where an enterprise is principally responsible for the security of the application, data and possibly other levels of the infrastructure stack.

What should enterprises do to improve security in a cloud computing model and prepare to reap the most benefit from the cloud? The following are six steps to take:

Step No. 1: Learn from your existing, internal private clouds and the security systems and processes you built around those

Yes, you have internal clouds already. Over the last 10 years, medium to large enterprises have been setting up internal clouds, although they didn't refer to them as clouds. They were often referred to as shared services, such as authentication services, provisioning services, database services or enterprise data centers (which were hosted on relatively standardized hardware and operating system builds).

Step No. 2: Assess the risk and importance of your many IT-enabled business processes

While the potential reward of cost savings realized by moving to the cloud might be relatively easy to calculate, one cannot do a "risk versus reward" calculation without first understanding the risk side of the equation. The cloud providers can't do this analysis for enterprises, as this totally depends on the business context of the business process. Low service-level agreement (SLA) applications with relatively high cost are obvious first candidates for the cloud. As part of this risk-weighing effort, the potential regulatory impacts also need to be considered, as some data and services are simply not allowed by regulators to move off-site, out of state or out of country.