Identify the Foundational Controls
Foundational controls are core to an organization’s security philosophy. They represent maybe 60 security controls (or less), which protect the assets your organization values most. Focusing on them will ensure that as your business embraces cloud technologies, your approach is consistent with the security controls.
Focus on the Workload
Security in the cloud—and an organization’s confidence—directly correlate to workload. Each workload has unique considerations, such as regulatory factors and user dependencies. By focusing on the workload and not solely the cloud IT, you can implement a focused security program with the potential to offer more security than traditional implementations.
Build Consensus Early
All too often, cloud technology is adopted without buy-in from all parties. As a result, important security details may be omitted, which can lead to integration and usability challenges. Successful cloud security implementations require key stakeholders to be aware of and agree upon benefits and challenges.
Implement a Risk Mitigation Plan
Cloud adoption often involves a number of parties, both internal and external. Organizations should adopt a documented risk mitigation plan to allow administrators and staff to rapidly deal with issues in the cloud. This plan should include not only documentation of risk, and responses to those risks, but also education and training.
Dont Forget Image Management
Many clouds leverage virtualization capabilities. Organizations should implement a storage image management process, which ensures that only appropriate images are actively available. Its also important that all deployed images are correctly identified and managed to prevent image sprawl.
Conduct a Security Evaluation
Clouds are complex. Prior to migrating to cloud technologies, organizations should first evaluate applications and infrastructure for vulnerabilities and ensure that all security controls are in place and operating properly. Ethical hacking is a secondary activity which organizations should use to check their cloud applications for common vulnerabilities.
Take Advantage of Security Services
New security services have entered the market that allow organizations to achieve best-of-breed security without the usual overhead. Areas such as intrusion prevention, access and identity management, and security event log management present opportunities for organizations to achieve security goals without putting a strain on existing resources.
Develop a Resiliency Program
As organizations adopt cloud-based technologies, they should also look at their resiliency needs. No technology is perfect and the same goes for the cloud. Make sure that workloads, which are critical to the business, can be rapidly restored in the event of a catastrophe or attack. Be careful to ensure that workloads can be readily restored with minimal impact on business continuity.
Actively Monitor Performance
Failing to properly monitor cloud implementations can result in performance, satisfaction and security issues. Implement an active monitoring program that identifies any threats to the success of the cloud implementation.
Follow a Cloud Lifecycle Model
Security in general is not a point-in-time statement, but more of an ongoing effort to keep the bad guys out while letting the good guys work. Organizations must be diligent in managing cloud technologies and in regularly reviewing security.