Identify the Foundational Controls

Foundational controls are core to an organization’s security philosophy. They represent maybe 60 security controls (or less), which protect the assets your organization values most. Focusing on them will ensure that as your business embraces cloud technologies, your approach is consistent with the security controls.

Security in the cloud—and an organization’s confidence—directly correlate to workload. Each workload has unique considerations, such as regulatory factors and user dependencies. By focusing on the workload and not solely the cloud IT, you can implement a focused security program with the potential to offer more security than traditional implementations.

All too often, cloud technology is adopted without buy-in from all parties. As a result, important security details may be omitted, which can lead to integration and usability challenges. Successful cloud security implementations require key stakeholders to be aware of and agree upon benefits and challenges.

Cloud adoption often involves a number of parties, both internal and external. Organizations should adopt a documented risk mitigation plan to allow administrators and staff to rapidly deal with issues in the cloud. This plan should include not only documentation of risk, and responses to those risks, but also education and training.

Many clouds leverage virtualization capabilities. Organizations should implement a storage image management process, which ensures that only appropriate images are actively available. Its also important that all deployed images are correctly identified and managed to prevent image sprawl.

Clouds are complex. Prior to migrating to cloud technologies, organizations should first evaluate applications and infrastructure for vulnerabilities and ensure that all security controls are in place and operating properly. Ethical hacking is a secondary activity which organizations should use to check their cloud applications for common vulnerabilities.

New security services have entered the market that allow organizations to achieve best-of-breed security without the usual overhead. Areas such as intrusion prevention, access and identity management, and security event log management present opportunities for organizations to achieve security goals without putting a strain on existing resources.

As organizations adopt cloud-based technologies, they should also look at their resiliency needs. No technology is perfect and the same goes for the cloud. Make sure that workloads, which are critical to the business, can be rapidly restored in the event of a catastrophe or attack. Be careful to ensure that workloads can be readily restored with minimal impact on business continuity.

Failing to properly monitor cloud implementations can result in performance, satisfaction and security issues. Implement an active monitoring program that identifies any threats to the success of the cloud implementation.

Security in general is not a point-in-time statement, but more of an ongoing effort to keep the bad guys out while letting the good guys work. Organizations must be diligent in managing cloud technologies and in regularly reviewing security.