
What policies should be in a cloud infrastructure security program?

Expert Dan Sullivan explains which policies and security controls enterprises should include in their cloud infrastructure security program to prevent cloud security compromises.

Our organization works with a number of VIPs, and because we use a cloud-based infrastructure we've been asked to put a program in place to ensure we don't suffer an incident like last year's iCloud hack. We have a small IT department. What policies or security controls would you start with?

Security policies should be driven by an enterprise's long-term business strategies, risk assessments and tolerance for those risks. While the seemingly endless stream of news stories about data breaches is not likely to end anytime soon, enterprises can learn from such attacks so they can improve their procedures and controls.

If you have a small IT department, start by learning from others. For example, the SANS Institute has a number of policy templates that can get you started. Begin with policies on authorized use, authentication and passwords, network security, desktop security, mobile devices and BYOD. If your company uses a public cloud provider or SaaS service, check the Cloud Security Alliance website for guidance and training on cloud security. Larger organizations and midsize companies with basic security policies and controls in place can leverage maturity models and guidance from the CERT division of the Software Engineering Institute; it offers guidance on resilience management, insider threats and capability assessments.

Keep in mind that security is a joint responsibility. The iCloud attack exploited weaknesses in user accounts, security questions and passwords. Your organization's employees should be advised to use passwords that are not easily guessed. In the past, that meant not using passwords readily found in a dictionary; today it also means not using passwords based on information available on social networks. Note that VIPs and executives are especially worthy targets for attackers willing to invest the time to collect and analyze publicly available personal data, so be sure to advise them to do the same.

