As game changing as the cloud is for business, it is important to remember that it is still in an early stage of development. Due to little standardization in cloud structure, it is vital that any CIO considering moving to the cloud consider a variety of security issues. NetIQ’s Patrick Eijkenboom suggests five security questions be part of a careful and studied approach before making the jump to cloud.
We already know that the cloud is a disruptive influence that will push many organizations to examine how to evolve to fit into the world of cloud computing. Cloud First initiatives in both government and media are being encouraged and the emergence of cloud technology is already presenting some significant challenges for security standards and practices. Most of these challenges are due to security variables from vendor to vendor and a lack of basic standard practices across the board. None of this is new, but the cloud tends to amplify the issues by its very nature.
This is not to say that moving to the cloud is unsafe, but to point out that some enterprise applications require deeper consideration when crafting a cloud strategy. It is understandable for CIOs to get anxious about moving as much as possible to the cloud. But there are a few specific questions, centered on security, that every CIO should consider when outlining a migration plan.
- What is the size of your organization? It should be obvious that size matters when it comes to security and the cloud. A smaller business may actually find it more secure to operate all of its systems in a common framework, while many medium-sized to large companies may use a mix of private cloud adaptations for most of their operations, with public cloud used outside of key systems.
- What are your cloud environment needs? It is important to realize that the cloud environment you adopt will be driven by the differing opportunities of private, public and hybrid clouds. While a private cloud may offer greater protection of the enterprise’s IP and make it possible to protect and maintain SLAs, the services offered by a public cloud may be more appropriate for your organization. A hybrid may offer greater capabilities for your business, but in any scenario it is a priority to explore the security capabilities on both sides of the cloud.
- Can you fulfill the security regulations and requirements for your industry in the cloud? This is a vital question for just about any organization. There could be gaps between your industry regulations and the parameters that are available in the cloud. Can you define the regulations that your business is required to work within? What about the sensitivity of customer and company data? International regulations and standards requirements will need to be supported by the cloud for it to be effective. Can you apply your current encryption requirements to the cloud environment you are considering, and can you manage that access? These are all vital security questions that must be part of the consideration process.
- Does your cloud strategy include risk evaluation? It is vital that a risk-based assessment of your cloud migration be part of your approach. The sensitivity level of all applications and information needs to be considered, and provider controls as well as specific virtualization controls need to be part of the decision process. Here are a few elements to consider:
  - Cloud providers' transparency is very important for creating trust. Whether in public clouds, where visibility is low, or in private clouds, clear parameters of responsibility for services will be vital.
  - How your data is handled, protected, backed up and fully deleted when required will be important not only for your own protection but also with regard to regulatory requirements. Know what happens to your data in the cloud.
  - What is your governance model? Does it go beyond policies to include user access management and incident response? Look into the flow between the cloud provider and your organization to ensure clear communication.
  - Can resources, data and access be tracked across the asset management system, including data classification? Does the data classification run separately from or together with the application?
  - Can you access and audit security logging to ensure an ability to limit damage by always knowing who is doing what and when? Do you know the security protocols for how changes are logged and audited?
- Which best practices are you adopting? Even with the relative newness of the cloud, there are places to go for guidance and best practice tools. The Cloud Security Alliance (CSA) is a good place to look for this information, as are cloud providers who are members of the CSA.
It is important, as you continue to build more of your enterprise in the cloud, that compliance questions posed both internally and externally are answerable before they are even asked. As you begin to build the instruments that will allow you to address risk management questions, the best way to start is by asking those questions yourself. Due diligence and intelligent consideration of cloud computing security standards will make the move to the cloud a safer and smarter choice.