Whether you're using a cloud-based application or moving your whole infrastructure to the cloud, you should consider how this move affects your organization's security and compliance requirements.
Many organizations are moving parts or all of their applications to the cloud. When data is moved to the cloud, who's responsible to ensure all of the security requirements continue to be met? Is the cloud a less secure environment or more secure? Can all of your organization's regulatory and compliance requirements still be met if the data is moved to the cloud? These are the types of questions you'll want to ask prior to moving your applications to the cloud.
The key to a successful move to the cloud is planning and getting the right contract in place with the cloud service provider. Make sure all expectations are defined and agreed to prior to moving your data to the cloud. One key element is to determine whether your organization's security policy, regulatory requirements, and compliance requirements can be met. To determine this, list the type of data that's moving to the cloud—for example, credit card data, healthcare information, other PII (Personally Identifiable Information), company confidential information, or general information. Based on this analysis, determine the requirements that must be applied from your organization's security policy—for example, audit logs must be 1) generated and 2) retained for a minimum of one year. Then determine if there are any regulatory requirements, such as those that apply to healthcare information or credit card data (just because credit card processing is moved to the cloud, it does not automatically eliminate your organization from all PCI DSS requirements.) Finally, consider any legal requirements for this data. For example, the EU has strict requirements about where data can be located—as in the physical location of the data. Depending on your cloud provider, you may be in violation of this law if the cloud provider has data centers in certain countries.
Part of your investigation of the cloud provider is also understanding how they manage their systems from a security administration perspective. You may have a requirement that all administrative access to servers be over an encrypted session and that their activities be logged. Is this how the cloud provider operates?
Another security administration consideration is user account management and access. Will the cloud provider be able to create user accounts on a timely basis? More importantly, will the user access be cut off quickly enough to meet your requirements if an employee is released from the company?
When moving data to the cloud, people assume that the data is less secure. In some cases this is true; however, because they know they're going to be a target, most cloud providers have security experts as well as specialized equipment to detect and fend off attacks. Prior to moving data to the cloud, ask the provider what they have in place to defend against attacks.
Many types of cloud providers exist today. The key to using them to your business advantage is to choose the right type—public, private, specialized (such as those providing a specific application or specializing in managing specific types of data (such as healthcare information)), determining your data security requirements and getting a contract in place with the cloud provider that meets those requirements.
Listen to the webcast as Carol Woodbury discusses these issues and more.