Building a Secure Cloud Environment

A secure IT strategy often emerges as a key concern

• By Sumeet Sabharwal
• Apr 01, 2014

Cloud computing is fundamentally revolutionizing how businesses deliver and operate the services and products they bring to market. The ability to leverage virtual infrastructure in a public cloud context enables compelling and strategic benefits including increased agility, improved scalability, reduced costs and capital expenses, and more efficient deployment of IT resources, all of which allow an organization to focus on growing their core business. However, security often emerges as one of the key concerns at the corporate executive (CxO) level as enterprises shape their IT strategy around cloud computing. Though it is a big issue, it is one that can be addressed effectively with the right level of planning, design and investment.

Security is fundamental to any data and application management infrastructure, and cloud computing is no different. When properly constructed, a cloud infrastructure can offer greater security than a legacy system; however, when poorly constructed, a cloud-based infrastructure introduces risk across the enterprise. If we’ve learned anything from the many high-profile data breaches in recent months, it’s that the weaknesses that were exploited more commonly reside in the corporate network than in the cloud.

Businesses of all types and sizes can benefit from the security experience and economies of scale provided by a cloud service provider. Service providers have often made extensive investments across their entire fabric to safeguard systems and data including specialized resources and expertise to implement advanced security technology and procedures. As a result, a cloud service provider is often able to offer superior and more comprehensive security in a virtualized cloud environment than the individual enterprise can achieve through a purely physical architecture.

Building a Secure Base

Over the past 15 years, NaviSite has built an extensive track record of working with businesses and organizations of all sizes to enable their compliance and security requirements. As part of its portfolio of compliant hosting services, NaviSite has developed and refined several best practices to help keep customer data safe and accessible. These best practices enable the maximization of the operational and cost advantages of managed cloud services without compromising organizational security and compliance objectives.

Review business goals: It is important that any cloud-based security plan begins with the basic understanding of specific business goals. Security is not a one-size-fits-all scenario and should include contributions from all stakeholders to ensure that policies are aligned and procedures are practical and pragmatic. The best way to do this is to develop cloud security policies in an inclusive model early on by involving various departments and groups that will be impacted. The broader the input, the more likely that the final security plan will truly support and align with the corporate goals.

• Maintain a risk management program: Companies must assess threats and assets in order to manage and minimize risk. A well-defined and independently-staffed risk management program can provide IT leaders with an ongoing, aggregated view of risk the organization is willing to accept.
• Create a security plan that supports business goals: A cloud computing security plan should include goals with measurable results that are consistent with the growth and stability of the company. It should include a specific date for completion, verification of achievement and measurable expected results.
• Establish corporate-wide support: A key element of a successful cloud computing security plan is support and adoption of the plan across the organization. Prioritizing policies and ensuring that they are not in conflict with other policies from different departments is essential for establishing support and acceptance.
• Create security policies, procedures and standards: New clients often ask, “What’s the easiest way to create security policies, procedures and standards?” The answer is simple—turn to best practices. Companies should apply best practices to create policies that align with business goals and develop procedures that are realistic and acceptable to the organization.
• Audit and review often: It is important to review the security plan on a regular basis, report the achievement of goals, and audit the compliance of the organization to the security policies and procedures. If it is part of the overall business plan, a third-party audit can provide an impartial review of the controls and report on compliance to established programs such as SSAE 16, PCI DSS or Safe Harbor.
• Continuously improve: Make it part of the business’ standard protocol to review all generally-accepted security policies at least annually. Companies should even consider reviewing security policies every six months so that there is time to evaluate current policies, update as needed and change procedures when necessary before the next audit.

Treat Security as a Partnership

While a cloud provider should bring deep security expertise, a business cannot simply “outsource” security to its cloud provider. IT leaders must ensure each portion of the IT system is designed specifically to guarantee maximum security once all data and applications are migrated to the cloud.

It is critical to approach the task of establishing and managing security in the cloud as a partnership between the data owner/application developer and cloud service provider at the application development stage because any gaps in security at that level can render the entire infrastructure vulnerable.

Keeping Threats at Bay

Once data and applications have been migrated onto the cloud, the cloud service provider should partner with the application developers to assume front-line responsibility. It is crucial to ensure security at the cloud infrastructure level and to ascertain that the service provider is managing the company’s data against the highest level of security.

As more and more remote devices connect to the cloud, the need for secure access becomes even more vital. Organizations that hire seasonal and part-time workers are progressively faced with the pressing need to have advanced security levels for their data. With this increased workforce mobility and concepts like bring-your-own-device (BYOD), the challenge of safeguarding data from potential hazards is becoming more insistent.

One way businesses are addressing the security challenges of BYOD is by deploying desktop-as-a-service (DaaS) solutions to manage control of corporate information through the centralization and separation of sensitive data from user devices. As a result, DaaS creates a secure and scalable environment where businesses can add, remove or modify desktops without compromising data security.

Architecting a cloud infrastructure is an opportunity for businesses to leverage technology to deliver better products and services at a lower cost. By adhering to well-established best practices, companies can effectively work with cloud providers to build security into their systems from the ground up. Following these guidelines, an organization can structure its security and compliance programs to take advantage of the benefits of managed cloud applications and services while ensuring their data and applications adhere to the highest available security standards.

This article originally appeared in the April 2014 issue of Security Today.