1Identify the Foundational Controls
Foundational controls are core to an organization’s security philosophy. They represent maybe 60 security controls (or less), which protect the assets your organization values most. Focusing on them will ensure that as your business embraces cloud technologies, your approach is consistent with the security controls.
2Focus on the Workload
Security in the cloud—and an organization’s confidence—directly correlate to workload. Each workload has unique considerations, such as regulatory factors and user dependencies. By focusing on the workload and not solely the cloud IT, you can implement a focused security program with the potential to offer more security than traditional implementations.
3Build Consensus Early
All too often, cloud technology is adopted without buy-in from all parties. As a result, important security details may be omitted, which can lead to integration and usability challenges. Successful cloud security implementations require key stakeholders to be aware of and agree upon benefits and challenges.
4Implement a Risk Mitigation Plan
Cloud adoption often involves a number of parties, both internal and external. Organizations should adopt a documented risk mitigation plan to allow administrators and staff to rapidly deal with issues in the cloud. This plan should include not only documentation of risk, and responses to those risks, but also education and training.
5Dont Forget Image Management
6Conduct a Security Evaluation
Clouds are complex. Prior to migrating to cloud technologies, organizations should first evaluate applications and infrastructure for vulnerabilities and ensure that all security controls are in place and operating properly. Ethical hacking is a secondary activity which organizations should use to check their cloud applications for common vulnerabilities.
7Take Advantage of Security Services
New security services have entered the market that allow organizations to achieve best-of-breed security without the usual overhead. Areas such as intrusion prevention, access and identity management, and security event log management present opportunities for organizations to achieve security goals without putting a strain on existing resources.
8Develop a Resiliency Program
As organizations adopt cloud-based technologies, they should also look at their resiliency needs. No technology is perfect and the same goes for the cloud. Make sure that workloads, which are critical to the business, can be rapidly restored in the event of a catastrophe or attack. Be careful to ensure that workloads can be readily restored with minimal impact on business continuity.
9Actively Monitor Performance
10Follow a Cloud Lifecycle Model
Security in general is not a point-in-time statement, but more of an ongoing effort to keep the bad guys out while letting the good guys work. Organizations must be diligent in managing cloud technologies and in regularly reviewing security.