When organizations move IT services into the cloud, they must consider the policy ramifications of those moves.
This remains true for implementations of software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS). Cloud security policy intersects with almost every area of IT defense strategy, but let's focus on three particular hotspots: vendor selection, data classification and minimum security control standards.
Selecting cloud computing vendors is a tricky part of an overall cloud security policy, fraught with political, financial and technical peril. Vendors often approach business unit managers directly, without involving IT. When technical professionals don't get involved until after the organization has signed the contract, implementation can be very disruptive. The policy should therefore require that IT professionals, business unit leaders, legal counsel and compliance experts take part in the early stages of vendor selection. Each of these stakeholders should have input into the requirements the selection committee uses to evaluate vendors, and the cloud security policy should spell out which stakeholders must approve the choice before a contract is signed.
Many organizations already have data-classification policies that sort information into categories based on sensitivity. Some of those classification schemes are a little "dusty" and might need refreshing in the era of cloud computing. One of the first questions organizations face when adopting cloud services is whether sensitive information may move to the cloud at all. The first hurdle to answering that question is often that the organization has no clear definition of sensitive information. The early stages of a cloud program are an excellent time to revisit that definition and to state clearly in the cloud security policy which controls and approvals are required before data at each classification level may move into the cloud.
Finally, organizations should review their information security control standards with an eye toward cloud computing deployments. Some existing control requirements simply may not apply in a cloud environment, or might need modification to still meet the organization's underlying security requirements. For example, the organization might have a control requirement stating that all public-facing applications must be shielded by a stateful inspection firewall with a defined set of rules protecting those servers. An IaaS provider may not expose firewall rules in that form at all; it may instead provide security groups attached to each server or network interface. Security groups are themselves stateful and typically allow-only (there is no explicit deny rule to write), so a standard that names a specific firewall product or rule syntax cannot be satisfied literally. The standard should be rewritten to state what the control must achieve (which ports a public-facing tier may expose to the Internet, which management ports must never be reachable from the Internet) so that it can be met, and audited, with the provider's security-group mechanism.
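As an added example (not from the original article), the rewritten control standard above can be turned into an automated check over security groups. The script below encodes an illustrative standard that is my assumption, not the article's: a public-facing group may accept traffic from anywhere only on ports 80 and 443, management ports 22 and 3389 must never be open to the world, and "all traffic" rules from anywhere are never allowed. The input shape mirrors the `IpPermissions` structure returned by the AWS `describe-security-groups` API, the `Tier=public` tag used to mark public-facing groups is an assumed naming convention, and the three sample groups are constructed for the example.

```python
"""Check IaaS security groups against a rewritten control standard.

Added example, not code from the article. The standard encoded here is an
assumption made for illustration:
  * a public-facing group may accept traffic from anywhere (0.0.0.0/0, ::/0)
    only on the approved service ports (80 and 443);
  * management ports (22, 3389) must never be reachable from anywhere;
  * "all traffic" rules (IpProtocol -1) from anywhere are never allowed;
  * a group that is not public-facing must not accept anything from anywhere.
Input follows the AWS describe-security-groups IpPermissions layout; the
sample groups at the bottom are constructed.
"""
import ipaddress

APPROVED_PUBLIC_PORTS = {80, 443}  # what a public-facing tier may expose to the world
MANAGEMENT_PORTS = {22, 3389}      # SSH and RDP: never reachable from anywhere


def is_anywhere(cidr: str) -> bool:
    """True for a CIDR that admits every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def is_public_facing(sg: dict) -> bool:
    """Assumed convention: groups tagged Tier=public front Internet-facing servers."""
    return any(t.get("Key") == "Tier" and t.get("Value") == "public"
               for t in sg.get("Tags", []))


def rule_sources(perm: dict) -> list[str]:
    """IPv4 and IPv6 source CIDRs of one IpPermissions entry."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return v4 + v6


def rule_ports(perm: dict):
    """(low, high) port range of a rule, or None when IpProtocol is -1 (all traffic)."""
    if perm.get("IpProtocol") == "-1":
        return None
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def check_security_group(sg: dict, public_facing: bool) -> list[str]:
    """Return the standard violations in one group; an empty list means compliant."""
    gid = sg["GroupId"]
    findings = []
    for perm in sg.get("IpPermissions", []):
        ports = rule_ports(perm)
        for src in rule_sources(perm):
            if not is_anywhere(src):
                continue  # this standard only constrains world-reachable rules
            if ports is None:
                findings.append(f"{gid}: all traffic open to {src}")
                continue
            lo, hi = ports
            for mgmt in sorted(MANAGEMENT_PORTS):
                if lo <= mgmt <= hi:  # catches 22 hidden inside a 0-65535 range too
                    findings.append(f"{gid}: management port {mgmt} open to {src}")
            if not public_facing:
                findings.append(f"{gid}: internal group accepts {lo}-{hi} from {src}")
            elif not set(range(lo, hi + 1)) <= APPROVED_PUBLIC_PORTS:
                findings.append(f"{gid}: ports {lo}-{hi} open to {src}; "
                                f"only {sorted(APPROVED_PUBLIC_PORTS)} approved")
    return findings


def audit(groups: list[dict]) -> dict[str, list[str]]:
    """Map each group ID to its list of findings."""
    return {sg["GroupId"]: check_security_group(sg, is_public_facing(sg)) for sg in groups}


# Constructed sample data in the describe-security-groups shape.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "Tags": [{"Key": "Tier", "Value": "public"}], "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-web-legacy", "Tags": [{"Key": "Tier", "Value": "public"}], "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-db", "Tags": [{"Key": "Tier", "Value": "data"}], "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
]

if __name__ == "__main__":
    for gid, findings in audit(SAMPLE_GROUPS).items():
        print(gid, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

In the sample run `sg-web` is compliant, `sg-web-legacy` produces five findings (SSH open to the world twice over, RDP reachable through the 0-65535 range, and two non-approved port ranges), and `sg-db` is flagged only for its all-traffic rule. The useful property for an auditor is that the check is written against the intent of the control rather than a firewall product, so the same function can be fed the provider's API output on a schedule.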
Should you write a cloud-specific security policy?
There's no doubt that every organization considering a move to the cloud must ensure its policies address cloud security concerns. That doesn't necessarily mean, however, that security teams need to fire up Microsoft Word and start a new document entitled "Cloud Security Policy." Writing a standalone, comprehensive cloud security policy is certainly one possible path, but organizations may instead incorporate cloud language into their existing security policies and standards.
Proponents of the single-document approach argue that creating a one-stop shop for cloud security policy facilitates cloud adoption by putting all of the requirements in one place. Others, myself included, feel that this approach treats cloud computing as separate and distinct from other IT activities. The cloud will only become more integrated into our technology activities and, as an integral component, it should be addressed within the same policies that govern all other infrastructure, data and applications.
Whichever approach you take, these early days of cloud computing are the right time to adjust your organization's security policy to reflect the reality of cloud security concerns. The shared responsibility model requires that the organization clearly outline the controls needed to protect its information assets and spell out which of those controls the provider implements and which the customer does, along with who maintains and monitors each of them on an ongoing basis.