Building a Secure Cloud Environment A secure IT strategy often emerges as a key concern

Building a Secure Cloud Environment

A secure IT strategy often emerges as a key concern

Building a Secure Cloud Environment A secure IT strategy often emerges as a key concernCloud computing is fundamentally revolutionizing how businesses deliver and operate the services and products they bring to market. The ability to leverage virtual infrastructure in a public cloud context enables compelling and strategic benefits including increased agility, improved scalability, reduced costs and capital expenses, and more efficient deployment of IT resources, all of which allow an organization to focus on growing their core business. However, security often emerges as one of the key concerns at the corporate executive (CxO) level as enterprises shape their IT strategy around cloud computing. Though it is a big issue, it is one that can be addressed effectively with the right level of planning, design and investment.

Security is fundamental to any data and application management infrastructure, and cloud computing is no different. When properly constructed, a cloud infrastructure can offer greater security than a legacy system; however, when poorly constructed, a cloud-based infrastructure introduces risk across the enterprise. If we’ve learned anything from the many high-profile data breaches in recent months, it’s that the weaknesses that were exploited more commonly reside in the corporate network than in the cloud.

Businesses of all types and sizes can benefit from the security experience and economies of scale provided by a cloud service provider. Service providers have often made extensive investments across their entire fabric to safeguard systems and data including specialized resources and expertise to implement advanced security technology and procedures. As a result, a cloud service provider is often able to offer superior and more comprehensive security in a virtualized cloud environment than the individual enterprise can achieve through a purely physical architecture.

Building a Secure Base

Over the past 15 years, NaviSite has built an extensive track record of working with businesses and organizations of all sizes to enable their compliance and security requirements. As part of its portfolio of compliant hosting services, NaviSite has developed and refined several best practices to help keep customer data safe and accessible. These best practices enable the maximization of the operational and cost advantages of managed cloud services without compromising organizational security and compliance objectives.

Review business goals: It is important that any cloud-based security plan begins with the basic understanding of specific business goals. Security is not a one-size-fits-all scenario and should include contributions from all stakeholders to ensure that policies are aligned and procedures are practical and pragmatic. The best way to do this is to develop cloud security policies in an inclusive model early on by involving various departments and groups that will be impacted. The broader the input, the more likely that the final security plan will truly support and align with the corporate goals.

  • Maintain a risk management program: Companies must assess threats and assets in order to manage and minimize risk. A well-defined and independently-staffed risk management program can provide IT leaders with an ongoing, aggregated view of risk the organization is willing to accept.
  • Create a security plan that supports business goals: A cloud computing security plan should include goals with measurable results that are consistent with the growth and stability of the company. It should include a specific date for completion, verification of achievement and measurable expected results.
  • Establish corporate-wide support: A key element of a successful cloud computing security plan is support and adoption of the plan across the organization. Prioritizing policies and ensuring that they are not in conflict with other policies from different departments is essential for establishing support and acceptance.
  • Create security policies, procedures and standards: New clients often ask, “What’s the easiest way to create security policies, procedures and standards?” The answer is simple—turn to best practices. Companies should apply best practices to create policies that align with business goals and develop procedures that are realistic and acceptable to the organization.
  • Audit and review often: It is important to review the security plan on a regular basis, report the achievement of goals, and audit the compliance of the organization to the security policies and procedures. If it is part of the overall business plan, a third-party audit can provide an impartial review of the controls and report on compliance to established programs such as SSAE 16, PCI DSS or Safe Harbor.
  • Continuously improve: Make it part of the business’ standard protocol to review all generally-accepted security policies at least annually. Companies should even consider reviewing security policies every six months so that there is time to evaluate current policies, update as needed and change procedures when necessary before the next audit.

Treat Security as a Partnership

While a cloud provider should bring deep security expertise, a business cannot simply “outsource” security to its cloud provider. IT leaders must ensure each portion of the IT system is designed specifically to guarantee maximum security once all data and applications are migrated to the cloud.

It is critical to approach the task of establishing and managing security in the cloud as a partnership between the data owner/application developer and cloud service provider at the application development stage because any gaps in security at that level can render the entire infrastructure vulnerable.

Keeping Threats at Bay

Once data and applications have been migrated onto the cloud, the cloud service provider should partner with the application developers to assume front-line responsibility. It is crucial to ensure security at the cloud infrastructure level and to ascertain that the service provider is managing the company’s data against the highest level of security.

As more and more remote devices connect to the cloud, the need for secure access becomes even more vital. Organizations that hire seasonal and part-time workers are progressively faced with the pressing need to have advanced security levels for their data. With this increased workforce mobility and concepts like bring-your-own-device (BYOD), the challenge of safeguarding data from potential hazards is becoming more insistent.

One way businesses are addressing the security challenges of BYOD is by deploying desktop-as-a-service (DaaS) solutions to manage control of corporate information through the centralization and separation of sensitive data from user devices. As a result, DaaS creates a secure and scalable environment where businesses can add, remove or modify desktops without compromising data security.

Architecting a cloud infrastructure is an opportunity for businesses to leverage technology to deliver better products and services at a lower cost. By adhering to well-established best practices, companies can effectively work with cloud providers to build security into their systems from the ground up. Following these guidelines, an organization can structure its security and compliance programs to take advantage of the benefits of managed cloud applications and services while ensuring their data and applications adhere to the highest available security standards.

This article originally appeared in the April 2014 issue of Security Today.

Featured

  • Gaining a Competitive Edge

    Ask most companies about their future technology plans and the answers will most likely include AI. Then ask how they plan to deploy it, and that is where the responses may start to vary. Every company has unique surveillance requirements that are based on market focus, scale, scope, risk tolerance, geographic area and, of course, budget. Those factors all play a role in deciding how to configure a surveillance system, and how to effectively implement technologies like AI. Read Now

  • 6 Ways Security Awareness Training Empowers Human Risk Management

    Organizations are realizing that their greatest vulnerability often comes from within – their own people. Human error remains a significant factor in cybersecurity breaches, making it imperative for organizations to address human risk effectively. As a result, security awareness training (SAT) has emerged as a cornerstone in this endeavor because it offers a multifaceted approach to managing human risk. Read Now

  • The Stage is Set

    The security industry spans the entire globe, with manufacturers, developers and suppliers on every continent (well, almost—sorry, Antarctica). That means when regulations pop up in one area, they often have a ripple effect that impacts the entire supply chain. Recent data privacy regulations like GDPR in Europe and CPRA in California made waves when they first went into effect, forcing businesses to change the way they approach data collection and storage to continue operating in those markets. Even highly specific regulations like the U.S.’s National Defense Authorization Act (NDAA) can have international reverberations – and this growing volume of legislation has continued to affect global supply chains in a variety of different ways. Read Now

  • Access Control Technology

    As we move swiftly toward the end of 2024, the security industry is looking at the trends in play, what might be on the horizon, and how they will impact business opportunities and projections. Read Now

Featured Cybersecurity

Webinars

New Products

  • FEP GameChanger

    FEP GameChanger

    Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction. 3

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions. 3

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings. 3