Cloud-based solutions face different challenges than home-grown IT systems. They are developed with security in mind, from standardised, hardened operating systems to specialist intrusion protection mechanisms, security situational awareness and dedicated incident response teams.
So, if clouds are built with security in mind, what issues do CIOs really need to concern themselves with?
- First, is your data suitable for the cloud and the protection it offers? Pay particular attention to data that requires regulatory oversight, such as PCI or HIPAA. Remember that while the cloud provider can give you the capabilities to meet the compliance requirements, as the CIO you still remain the responsible party.
- Second, can your cloud provider meet the service levels you need for your clients? The nature of cloud often means that service levels, such as availability and performance, should scale with your needs, but like all IT systems they will, on occasion, require maintenance windows. Check the terms and conditions of the providers you are considering.
- Third, how does the cloud provider respond to incidents? Consider this one carefully, because incidents will happen. Even with the best security, there will always be a weak point somewhere that can be exploited. No one knows where the next zero-day attack will come from - until it happens. Having an effective incident response mechanism will reduce the impact of any breach and ensure the best protection. As clouds are globally connected, it is valuable to ensure that the provider has global reach capabilities, especially with time-sensitive exploits.
With all of that in mind, here are 4 steps CIOs can take to help ensure cloud computing security.
1. Establish a risk-based approach – In my blog on “A holistic view of security & risk 6 ways to ensure you've covered the bases,” I discussed assessing the risks and reducing them to an acceptable level. This is a critical step for CIOs. They need to analyze the business needs, using a risk-based approach to identify the service model and security levels necessary to support their enterprise. Only by taking a risk-based approach can you ensure that the security the cloud offers meets your real-world needs. It also means that you can decide for yourself whether extra defence mechanisms (such as encrypting data, strong authentication or an increased audit regime) are required to reduce your exposure to an acceptable level.
2. Design (or convert) applications to securely run in the cloud. Cloud brings up the need for a new approach to application development and data management. Applications and data now need to be able to protect themselves, meaning new cloud apps should be developed with security built in. Design security in at the beginning by following development guidelines such as the Ruby on Rails Security Guide, which has excellent advice on session hijacking, session storage, replay attacks and session fixation countermeasures. Ensure you have application vulnerability scanning as part of your development lifecycle.
3. Implement ongoing auditing and management. Continuous compliance monitoring is essential to securely delivering cloud services and ensuring compliance. Why implement snapshot compliance programs that are labour- and time-intensive? Set up properly, a continuous compliance program can demonstrate compliance at any moment in time, making it efficient in those snap audits that catch you off guard. By implementing continuous compliance, you will have a higher degree of confidence that your cloud service always meets your security needs.
4. Assess infrastructure (and platform) security during service sourcing. Infrastructure is the foundation of your cloud service. As enterprises have little or no influence or control over a provider’s implementation of mechanisms and security controls in these areas, a thorough review of the service provider’s policies should be completed as part of the due diligence process during contract negotiation and service sourcing. Do these policies follow a recognized standard such as ISO 27001? Can the service provider demonstrate that they are following these policies? Do they offer continuous compliance? Ensuring you have a solid foundation for securing your data is a great start to your cloud deployment activity.
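As an added illustration of the session fixation countermeasure that step 2 points to in the Rails Security Guide (this is example code written for this post, not code from the guide or from HP), the in-memory store below stands in for a Rails session store: whatever session id a client presents before login is discarded, and a fresh, unguessable id is issued only after the credentials are accepted, so a pre-planted id can never become the authenticated session. Sessions also expire after a constructed `ttl_seconds` limit, which the guide recommends for session storage.

```ruby
require 'securerandom'

# Constructed in-memory session store; in a Rails app the equivalent of
# #authenticate is calling reset_session in the login action.
class SessionStore
  def initialize(ttl_seconds: 900)
    @sessions = {}
    @ttl = ttl_seconds
  end

  # Issue a new session with a random 128-bit identifier.
  def create(data = {})
    id = SecureRandom.hex(16)
    @sessions[id] = { data: data, created_at: Time.now }
    id
  end

  # Return session data, or nil if the id is unknown or the session expired.
  def fetch(id)
    entry = @sessions[id]
    return nil if entry.nil?
    if Time.now - entry[:created_at] > @ttl
      @sessions.delete(id)            # expired sessions are dropped on access
      return nil
    end
    entry[:data]
  end

  def delete(id)
    @sessions.delete(id)
  end

  # Session fixation countermeasure: never promote the pre-login id the
  # client presented. Destroy it and mint a new id for the logged-in user.
  # Called only after the user's credentials have been verified.
  def authenticate(presented_id, user_id)
    delete(presented_id)
    create(user_id: user_id)
  end
end
```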
Download this HP White Paper titled “Optimize by securing and managing cloud-based enterprise services” to read more about the steps CIOs can take to secure their enterprise, or check out these resources to learn how HP is helping its clients with security threats, as well as implementing a security strategy that supports your key business initiatives: