

Why cloud onboarding requires an enterprise security plan

Cloud onboarding shouldn't require sacrificing security. Expert Ed Moyle explains how enterprises can implement a plan to keep their organizations safe.

Ask almost any practitioner in today's enterprises, and they'll say that cloud has been quite a challenge over the past few years. We can all probably spell out in detail the numerous technical issues we've encountered; our struggles with shadow cloud adoption, where employees surreptitiously use cloud services without involving IT -- or, in some cases, without any formal approval at all; and the many issues we've had getting service providers to toe the line from a contractual standpoint.

Despite the complexity, cloud use continues to proliferate. In fact, what seemed tremendously scary to many security pros just a few years ago is now, albeit slowly, becoming part of the normative fabric of daily operations. As time goes by, enterprises are onboarding cloud applications and services more effectively as they build and put in place the mechanisms to ensure cloud services are added to the portfolio with a minimum of fuss and with controlled risk. The process becomes easier and the organization becomes nimbler as a result.

One proof point of this is the relatively recent survey from the Cloud Security Alliance, which found that 71.2% of organizations now have a formal process to allow users to request new cloud services to add to the portfolio. This is a very effective strategy for at least two reasons: first, it provides a vehicle for technology organizations to centralize and standardize the services used. For example, if they know two groups in different business units want to use the same service, they can investigate volume pricing; alternatively, if they discover two groups that wish to use different services that satisfy the same requirement, they might investigate to see whether one is willing to standardize. This potentially allows for more streamlined management, more leverage with the provider selected, better pricing and other benefits. In addition, doing this lets folks in the technology organization know what's coming down the pike and gives them a chance to prepare -- to investigate the service and the provider, to validate the technical architecture, to investigate possible security countermeasures and to establish contractual parameters and SLAs.

That is a great step organizations can take, usually for little to no cost, to help manage the process and make it smoother. But it's not the only step for onboarding cloud services. There are a number of other strategies organizations can employ to help ease the process, though they might not be quite as intuitive. Obviously things like appropriate transition planning, risk analysis and understanding of technical and business requirements are paramount, so this is not to suggest a substitute for those key activities -- but hopefully enterprises are doing those things already. Below, we examine a few of the strategies that, while useful, aren't as ubiquitous in the field.

It bears noting that these are only a few of a near-infinite array of options; this article focuses on strategies that are low cost, generic enough that most enterprises can implement them and relatively quick to get up and running.

Strategy #1: Per-service exit strategies

Remember the card game Freecell? A smart person once told me that the key to playing Freecell well is to not move a card into an empty cell unless I have a plan for how to move it back. Cloud onboarding requires enterprises to heed that same advice. The process, from an enterprise-wide IaaS implementation, to a business team's use of SaaS, to anything in between, is more seamless when there is an exit strategy or a plan for how to transition off the service -- either to something in house or to a competing service provider -- should things go south.


Planning this in advance has a few benefits. Ideally, an enterprise will never need to use the exit plan that it developed. But having it in the back pocket can be a lifesaver should it actually be needed. Additionally, the exercise of creating the strategy helps the team think objectively through the requirements for the service -- both from a business and a technical level. Specifically, since enterprises will want to make sure that all of the essential features are covered in a transition, getting to an understanding of those features is a major piece of the planning exercise. Additionally, it helps mitigate cloud provider lock-in. Why? Because the transition plan also needs to address how to transition data from the service provider -- so any situation that limits that, such as nonstandard data formats or awkward integration points, will come to light as enterprises create and document the plan.

Strategy #2: Discovery and inventory

Most organizations by now realize that one of the major challenges associated with cloud is shadow adoption. This refers to services that come into the organization almost organically -- via individuals, small teams and business units without central oversight by the technology team. This can create challenges, as it undermines efforts to standardize, leads to suboptimal pricing and represents an area of potentially unmanaged risk for the organization.

To help combat shadow cloud risks, establishing a mechanism to discover and track new cloud usage can provide significant value. First and foremost, information that organizations already have can help security managers discover usage that might not already be known; for example, log files from forward proxy devices, purpose-built discovery tools from cloud access security brokers or even add-on products designed to work with existing networking equipment can potentially help locate new cloud usage when it occurs.

Likewise, information that enterprises might gather from other activities, such as from a business impact assessment or security risk analysis, can help reveal areas of unexpected usage. With this data available, the next step is building and maintaining a list of the discovered services, such as via an asset management tool or similar mechanism. This allows enterprises to keep an ongoing master record of what they have in place, who to contact about it, who the providers are and important information about risk, usage, contractual parameters and just about anything else companies might need to know down the road for onboarding cloud services.
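
As an added illustration of the discovery-and-inventory step (not part of the original article), the following Python example scans forward proxy log lines for destinations outside the approved portfolio and builds an inventory record per discovered service. The Squid-style log layout, the `SANCTIONED` set, the sample domains and all function names are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Assumption: services already approved through the formal request process.
SANCTIONED = {"approved-crm.example", "corp-mail.example"}

# Constructed sample lines in a Squid-style native access.log layout:
# time elapsed client action/code bytes method URL user hierarchy type
SAMPLE_LOG = """\
1700000000.123 210 10.0.4.17 TCP_TUNNEL/200 48213 CONNECT files.unvetted-share.example:443 alice HIER_DIRECT/203.0.113.10 -
1700000050.500 95 10.0.4.22 TCP_MISS/200 1024 GET http://approved-crm.example/login bob HIER_DIRECT/203.0.113.20 text/html
1700003600.000 340 10.0.7.5 TCP_TUNNEL/200 910332 CONNECT files.unvetted-share.example:443 carol HIER_DIRECT/203.0.113.10 -
1700007200.250 120 10.0.4.17 TCP_TUNNEL/200 5120 CONNECT api.notes-app.example:443 alice HIER_DIRECT/203.0.113.30 -
this line is malformed and must be skipped
"""

def host_of(method, url):
    """Return the lowercase destination host for CONNECT and plain requests."""
    target = "//" + url if method == "CONNECT" else url
    return (urlsplit(target).hostname or "").lower()

def service_of(host):
    """Group by last two DNS labels (assumption; production use needs the public suffix list)."""
    return ".".join(host.split(".")[-2:])

def discover(log_text, sanctioned=SANCTIONED):
    """Build an inventory of unsanctioned services seen in the proxy log."""
    inventory = defaultdict(lambda: {"users": set(), "requests": 0, "bytes": 0,
                                     "first_seen": None, "last_seen": None})
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 10:
            continue  # not a complete log record
        try:
            ts, size = float(f[0]), int(f[4])
        except ValueError:
            continue  # timestamp or byte count is not numeric
        service = service_of(host_of(f[5], f[6]))
        if not service or service in sanctioned:
            continue
        rec = inventory[service]
        rec["users"].add(f[7])      # who to contact about the service
        rec["requests"] += 1
        rec["bytes"] += size        # rough usage metric for later review
        seen = datetime.fromtimestamp(ts, tz=timezone.utc)
        rec["first_seen"] = min(rec["first_seen"] or seen, seen)
        rec["last_seen"] = max(rec["last_seen"] or seen, seen)
    return dict(inventory)
```

The returned records can be loaded into an asset management tool, with the user names serving as the initial contacts for each discovered service.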

Strategy #3: Metrics and performance data

The last strategy probably won't be rocket science for most practitioners, but it bears mentioning all the same. Specifically, the ongoing collection of metrics related to cloud usage within the organization can be very helpful, and it's particularly effective in light of the two strategies outlined above. Why? First and foremost, consider that the metrics enterprises collect will help determine if and when they may need to pull back from an existing relationship and initiate an exit strategy. Likewise, the information collected during the inventorying process can establish a feedback loop with a metrics effort: as an enterprise learns about what services exist, it collects better metrics. And as companies collect better metrics, they build out a more comprehensive profile of what has been fielded.

Of course, these are only a few of the possible strategies enterprises can employ for onboarding cloud services. That said, these relatively simple steps can help give companies a leg up in what is, as we all know, a fairly complicated technical landscape.
