Building a Secure Cloud Environment
A secure IT strategy often emerges as a key concern
- By Sumeet Sabharwal
- Apr 01, 2014
Cloud computing is fundamentally revolutionizing how businesses
deliver and operate the services and products they bring to
market. The ability to leverage virtual infrastructure in a public
cloud context enables compelling and strategic benefits including
increased agility, improved scalability, reduced costs and capital
expenses, and more efficient deployment of IT resources, all of which allow an
organization to focus on growing their core business. However, security often
emerges as one of the key concerns at the corporate executive (CxO) level as enterprises
shape their IT strategy around cloud computing. Though it is a big issue,
it is one that can be addressed effectively with the right level of planning, design
and investment.
Security is fundamental to any data and application management infrastructure,
and cloud computing is no different. When properly constructed, a cloud infrastructure
can offer greater security than a legacy system; however, when poorly
constructed, a cloud-based infrastructure introduces risk across the enterprise. If
we’ve learned anything from the many high-profile data breaches in recent months,
it’s that the weaknesses that were exploited more commonly reside in the corporate
network than in the cloud.
Businesses of all types and sizes can benefit from the security experience and economies
of scale provided by a cloud service provider. Service providers have often made
extensive investments across their entire fabric to safeguard systems and data including
specialized resources and expertise to implement advanced security technology and
procedures. As a result, a cloud service provider is often able to offer superior and
more comprehensive security in a virtualized cloud environment than the individual
enterprise can achieve through a purely physical architecture.
Building a Secure Base
Over the past 15 years, NaviSite has built an extensive track record of working with
businesses and organizations of all sizes to enable their compliance and security
requirements. As part of its portfolio of compliant hosting services, NaviSite has
developed and refined several best practices to help keep customer data safe and
accessible. These best practices enable the maximization of the operational and cost
advantages of managed cloud services without compromising organizational security
and compliance objectives.
Review business goals: It is important
that any cloud-based security
plan begins with the basic understanding
of specific business goals. Security
is not a one-size-fits-all scenario and
should include contributions from all
stakeholders to ensure that policies are
aligned and procedures are practical
and pragmatic. The best way to do this
is to develop cloud security policies in
an inclusive model early on by involving
various departments and groups
that will be impacted. The broader the
input, the more likely that the final security
plan will truly support and align
with the corporate goals.
- Maintain a risk management program: Companies must assess
threats and assets in order to manage
and minimize risk. A well-defined
and independently-staffed risk
management program can provide
IT leaders with an ongoing, aggregated
view of risk the organization
is willing to accept.
- Create a security plan that supports
business goals: A cloud computing
security plan should include
goals with measurable results that
are consistent with the growth and
stability of the company. It should include a specific date for completion, verification of achievement and measurable
expected results.
- Establish corporate-wide support: A key element of a successful cloud computing
security plan is support and adoption of the plan across the organization. Prioritizing
policies and ensuring that they are not in conflict with other policies from
different departments is essential for establishing support and acceptance.
- Create security policies, procedures and standards: New clients often ask,
“What’s the easiest way to create security policies, procedures and standards?”
The answer is simple—turn to best practices. Companies should apply best
practices to create policies that align with business goals and develop procedures
that are realistic and acceptable to the organization.
- Audit and review often: It is important to review the security plan on a regular
basis, report the achievement of goals, and audit the compliance of the organization
to the security policies and procedures. If it is part of the overall business
plan, a third-party audit can provide an impartial review of the controls and
report on compliance to established programs such as SSAE 16, PCI DSS or
Safe Harbor.
- Continuously improve: Make it part of the business’ standard protocol to review
all generally-accepted security policies at least annually. Companies should
even consider reviewing security policies every six months so that there is time
to evaluate current policies, update as needed and change procedures when necessary
before the next audit.
Treat Security as a Partnership
While a cloud provider should bring deep security expertise, a business cannot
simply “outsource” security to its cloud provider. IT leaders must ensure each portion
of the IT system is designed specifically to guarantee maximum security once
all data and applications are migrated to the cloud.
It is critical to approach the task of establishing and managing security in the
cloud as a partnership between the data owner/application developer and cloud
service provider at the application development stage because any gaps in security
at that level can render the entire infrastructure vulnerable.
Keeping Threats at Bay
Once data and applications have been migrated onto the cloud, the cloud service
provider should partner with the application developers to assume front-line responsibility.
It is crucial to ensure security at the cloud infrastructure level and
to ascertain that the service provider is managing the company’s data against the
highest level of security.
As more and more remote devices connect to the cloud, the need for secure
access becomes even more vital. Organizations that hire seasonal and part-time
workers are progressively faced with the pressing need to have advanced security
levels for their data. With this increased workforce mobility and concepts like
bring-your-own-device (BYOD), the challenge of safeguarding data from potential
hazards is becoming more insistent.
One way businesses are addressing the security challenges of BYOD is by deploying
desktop-as-a-service (DaaS) solutions to manage control of corporate information
through the centralization and separation of sensitive data from user
devices. As a result, DaaS creates a secure and scalable environment where businesses
can add, remove or modify desktops without compromising data security.
Architecting a cloud infrastructure is an opportunity for businesses to leverage
technology to deliver better products and services at a lower cost. By adhering to
well-established best practices, companies can effectively work with cloud providers to
build security into their systems from the ground up. Following these
guidelines, an organization can structure its security and compliance
programs to take advantage of the benefits of managed cloud applications
and services while ensuring their data and applications
adhere to the highest available security standards.
This article originally appeared in the April 2014 issue of Security Today.