
What policies should be in a cloud infrastructure security program?

Expert Dan Sullivan explains which policies and security controls enterprises should include in their cloud infrastructure security program to prevent cloud security compromises.

Our organization works with a number of VIPs, and because we use a cloud-based infrastructure we've been asked to put a program in place to ensure we don't suffer an incident like last year's iCloud hack. We have a small IT department. What policies or security controls would you start with?

Security policies should be driven by an enterprise's long-term business strategies, risk assessments and tolerance for those risks. While the seemingly endless stream of news stories about data breaches is not likely to end anytime soon, enterprises can learn from such attacks so they can improve procedures and controls.

If you have a small IT department, start by learning from others. For example, the SANS Institute has a number of policy templates that can get you started. Begin with policies on authorized use, authentication and passwords, network security, desktop security, mobile devices and BYOD. If your company uses a public cloud provider or SaaS service, check the Cloud Security Alliance website for guidance and training on cloud security. Larger organizations and midsize companies with basic security policies and controls in place can leverage maturity models and guidance from the CERT division of the Software Engineering Institute; it offers guidance on resilience management, insider threats and capability assessments.

Keep in mind that security is a joint responsibility. The iCloud attack exploited attacks on user accounts, security questions and passwords. Your organization's employees should be advised to use passwords that are not easily guessed. In the past, that meant not using passwords readily found in a dictionary; today it includes not using passwords based on information available on social networks. Note that VIPs and executives are especially worthy targets for attackers willing to invest the time to collect and analyze publicly available personal data, so be sure to advise them to do the same.


This was last published in March 2015


Which policies are critical to your organization's cloud infrastructure security strategy?
Authentication, passwords and network security.