Creating a cloud security policy
Posted on 26 June 2013.
Building a cloud security policy is a crucial step to take before diving into the cloud to ensure maximum benefits are achieved and data is secure. But some organizations, in the rush to adopt, forgo this crucial task.

In fact, a recent survey by the Ponemon Institute showed 36 percent of businesses do not have a centralized cloud security policy in place and 45% do not enforce employeesí use of private clouds. This can lead to rogue cloud usage and potentially catastrophic data failures.

Scott Hazdra, principal security consultant for Neohapsis, lists 10 questions every organization moving to the cloud needs to ask beforehand.

1. What do we want to put in the cloud Ė data, applications or both? Based on this, you will be able to identify criteria to determine the best cloud provider and service required such as IaaS, PaaS or SaaS.

2. Do we have a good data classification policy and procedure and what type of data will we allow in the cloud Ė sensitive corporate data, protected data such as PII, SSNs or HIPAA related, day-to-day operational data? If you donít have a good data classification policy, create that too so you arenít inadvertently transmitting and storing data in a cloud that you donít want there.

3. What existing policy does our company have that also applies to what we want to do in the cloud?

4. What have others in our industry done and what can we borrow? Calling up a peer whoís already ventured into the cloud and has experience with the good, the bad and the unexpected can really help you craft your policy. Checking out what a standards body, like ISO, NIST or the CSA, has created is also a great idea for discovering policy areas you may not have considered.

5. Who within our organization is allowed to enter into agreements with cloud providers? Who has authority to negotiate SLAís? Who can set up an application in or move data to the cloud and with whom should it be approved beforehand?

6. Where can my data or application be physically located? Where your data lives and where it could be moved to have legal and privacy implications.

7. What is our exit strategy and policy for removing data or application from this cloud provider? Having a clear exit strategy before you start prevents you from potentially large operational costs or downtime later.

8. If we choose to put sensitive or protected data in the cloud, how well does the cloud providerís security policies and procedures align with our organizations? Ensuring your cloud providerís security program maturity is as advanced or more advanced than yours is a good sign.

9. For applications in the cloud, who within our organization is allowed to modify settings on the cloud that affect performance? Define who, when and under what circumstances changes can be made.

10. How should we manage administrative privileges to the cloud provider? For example, do you allow application developers to make changes to security settings in the cloud to improve performance?

Crafting a good cloud security policy involves thinking of the right questions and answering those questions about what and why you are moving assets to the cloud, finding a good fit in a provider and understanding your organizationís culture. Consulting with your peers and reviewing existing cloud policies and standards is a mandatory exercise.

Lastly, take your newly created policy and allow the different stakeholders in your organization to comment. If you follow these guidelines, the better prepared youíll be when that first packet of data moves from your servers out into your providerís trusted cloud.


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Tue, Feb 9th