Andrea Danti - Fotolia

Cloud security policy brings risk out of the shadows

To put it bluntly, migration to the cloud is happening -- so deal with the data classification and information security decisions upfront.

Business leaders want to use the cloud, period. For years now, security professionals have raged against the machine, looking for possible ways to dissuade leadership within their respective organizations that cloud computing is a losing proposition from a security standpoint. However, the cloud offers distinct advantages over what we can often build in-house, business leaders know it, and that means we've essentially lost the battle when it comes to cloud policy.

In a September SANS Institute survey focused on cloud architecture and security, 83% of the 485 IT professionals surveyed indicated that they are building hybrid clouds, with 61% citing faster time to deployment as their main driver for cloud implementation and 54% saying they use cloud services because they can't scale their own systems in-house. These findings align with an earlier report from KPMG that found business executives moving to cloud are focused primarily on business transformation and performance, followed by agility and then cost savings. To put it bluntly, cloud is happening -- so deal with it.

Most of the security professionals I know have already come to this realization.

Bridging the visible divide

That said, most organizations are not moving all of their data and their workloads to the public cloud. This means that we'll continue to maintain some internal infrastructure while connecting our environment to a variety of different cloud services over time. The big question: How best to do this, especially since many cloud service providers (CSPs) are not altogether forthcoming with security information?

Before worrying about CSPs and a lack of transparency, however, first put together a cloud security policy, especially if your organization doesn't have one. A cloud security policy (or a cloud-specific section of an outsourcing policy at a minimum) defines the types of data that can and cannot move to the cloud, and how to address the risks for each type. Who can make decisions about shifting workloads to the cloud? And from a technical standpoint, who is authorized to migrate or access the data across different applications and environments? This information is critical for cloud risk assessment and risk management decisions later on.

Here are some key things to consider when you're putting together a cloud security policy, and questions to ask:

  • Do you have an executive sponsor? Without backing from a c-level executive or top-level group, it's unlikely that your cloud security policy will have the proper organizational support that it needs to be accepted and enforced.
  • Determine who will "sign off" for cloud projects: Is this the CIO? If not, who? Defining the procurement workflow for approval and review is critical; this may not be covered in its entirety in the policy, but should have some basic elements addressed.
  • Does your cloud security policy address the sensitivity and classification levels of specific data types (structured and unstructured data, intellectual property, financial and accounting information, customer and employee records, PII)? The standard way to tackle this issue is to reference existing classification policies and data types/levels -- that is, assuming your organization has these policies in place; most don't. The cloud security policy should specify what can and cannot be done -- relocation, for example -- with particular data types.
  • Does your cloud security policy specifically address compliance? If you must comply with various internal policies, government mandates, data security laws and privacy regulations, then mentioning these compliance obligations explicitly in the cloud security policy will improve your alignment with the other controls in place.

Once you have a sound policy defined, the rest of your approach to cloud security comes down to cloud risk assessment and risk management. When someone in your organization wants to use cloud services, you can check the policy, see what kind of data and assets are involved, and then perform some risk assessment of the cloud providers. Sounds simple, right? Unfortunately, there are lots of reasons why security assessment of cloud providers is challenging.

Unknown risk profiles

Cloud providers don't usually offer all the details about their security controls and processes that we would like -- not to you, not to anyone. Why should they? Business is great, and just keeps getting better, so they're not likely to open the kimono anytime soon. You'll get a variety of audit reports like the SSAE 16 SOC2 or perhaps an ISO standards review (27001 or 27002 being the most common). Even those reports won't satisfy your needs entirely, because they're usually a bit vague and only apply to  specific areas of the CSP's environment.

There's another factor to consider here -- most of the larger cloud providers probably have a better grip on security than you do.

Whether you like it or not, this is the new normal. Security teams need to make risk-based decisions with incomplete information, and that means placing some degree of trust in the cloud provider. You're also unlikely to get contract statements, including SLAs, changed with the biggest providers unless your organization is very large and bringing a big book of business to them.

There's another factor to consider here -- most of the larger cloud providers probably have a better grip on security than you do. Does this mean you should trust them completely? Of course not: Security is a challenge for everyone, and we need to do our homework whenever someone has our systems, applications and data in their environment.

Do the diligence, read the contracts, review the audit reports; and ultimately, make sure that you can remain compliant and meet your most critical security needs within the cloud provider's environment. You'll find new options available from vendors and security service providers for your hybrid cloud, which means you can still get the job done -- but you'll need to do it differently than before. For the foreseeable future, the name of the game in security when it comes to cloud is adaptability and flexibility … which is why you're using the cloud in the first place, right?

Next Steps

Find out how CIOs tackle hybrid cloud security

How to assess cloud providers' responsiveness to security issues

Are there enterprise advantages to hybrid cloud?

Dig Deeper on Hybrid and Private Cloud Computing Security