Organizations of all types could probably learn a lot from a massive cloud computing security guide being prepared by the federal government.
The National Institute of Standards and Technology recently published a draft of the NIST Cloud Computing Security Reference Architecture and is now collecting public comments through July 12.
The goal of the lengthy document: to help government agencies select and use cloud computing services while minimizing the risk of sensitive data being compromised.
Of course, the same approaches can be used by private organizations to improve cloud security.
Here are some of the most critical steps to making sure your company is protecting data that’s held in the cloud:
1. Assess the risks
The first step, according to the federal cloud security plan: Know the security requirements for each system that will be moved to the cloud.
Different types of data and applications have different levels of acceptable risk. Therefore, companies must first look at the services they are planning to use and what data will need to be sent to the cloud.
For example, a cloud-based ERP system that contains a lot of sensitive data about the entire organization will have different security needs than something like an instant messaging system.
A good way to determine the risks associated with a cloud service is to come up with a list of every possible outcome that could occur if the system is breached. That will present an overview of how much the security of that system is worth.
2. List cloud security requirements
Then, once the organization knows what level of security is needed, it can make a list of the security features and controls that will be necessary for a cloud service to work.
A basic, common-sense rule to follow: A service in the cloud should get the same level of protection that it did while it was held on the company’s premises.
That means for every security control that was in place before, the same or an equivalent should exist when the data and applications are moved to the cloud.
While the specific needs will vary depending on the organization and the service, some examples of what to look for might include:
- Data encryption for information stored in the cloud
- Personnel security, such as background checks for the provider’s employees who will have access to data and strict policies for how data is handled
- Common IT security tools such as firewalls and antivirus programs
- Proper separation between tenants so one customer can’t access another’s information
- Network segregation to keep customers’ data separate from Internet-facing machines used by employees
- Physical security controls to keep unauthorized people away from the equipment holding customers’ data
- Full wiping of data from storage equipment when it’s deleted or moved
- Auditing, vulnerability testing and activity monitoring, with regular reports for customers
- Capabilities to archive and produce data for e-discovery
- Compliance with specific regulations for different industries and types of data, and
- An incident response plan, including requirements for reporting breaches to customers.
3. Determine the company’s own responsibilities
Improving cloud security goes beyond just making sure providers meet a list of requirements. Companies also have responsibilities of their own.
When listing security requirements, the company should also list the security controls that must be in place on their end. Some examples might include:
- Effective control of access to cloud applications — i.e., making sure access is granted to only users who need it, enforcing strong password policies, etc.
- Negotiating agreements with cloud providers that contain security requirements and penalties if they’re not met
- Making sure services are configured in the most secure ways
- Providing security awareness training for users
- Monitoring traffic for suspicious activity — for example, data being downloaded by an employee who shouldn’t need it
- Formulating incident response plans for security breaches, system downtime and other issues, and
- Making sure no business units provision cloud services before the full security evaluation has been completed.
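The monitoring responsibility above (spotting data downloaded by an employee who shouldn’t need it) can be turned into a simple review over the provider’s audit log. The following is an added example, not code from the article or from the NIST draft; the JSON-lines log format, user and dataset names, entitlement map and volume ceiling are all constructed for illustration.

```python
# Added example: flag cloud-storage downloads outside a user's need-to-know,
# or beyond a per-user volume ceiling. All names and values are constructed.
import json
from collections import defaultdict

# Constructed need-to-know map: which datasets each user's role requires.
ENTITLEMENTS = {
    "alice": {"erp-finance", "erp-hr"},
    "bob": {"marketing-assets"},
}

# Constructed per-user download ceiling (bytes) for one review window.
VOLUME_LIMIT = 500_000_000  # 500 MB

# Constructed audit-log lines, in the JSON-lines shape a storage service might emit.
SAMPLE_LOG = """\
{"ts": "2013-06-20T09:01:00Z", "user": "alice", "action": "download", "dataset": "erp-finance", "bytes": 120000}
{"ts": "2013-06-20T09:05:00Z", "user": "bob", "action": "download", "dataset": "erp-finance", "bytes": 4000000}
{"ts": "2013-06-20T09:06:00Z", "user": "bob", "action": "list", "dataset": "marketing-assets", "bytes": 0}
{"ts": "2013-06-20T10:30:00Z", "user": "alice", "action": "download", "dataset": "erp-hr", "bytes": 600000000}
{"ts": "2013-06-20T11:00:00Z", "user": "carol", "action": "download", "dataset": "erp-hr", "bytes": 2048}
"""

def review_downloads(log_text, entitlements=ENTITLEMENTS, limit=VOLUME_LIMIT):
    """Return (user, reason) findings for download events that either touch a
    dataset outside the user's entitlements or push the user's cumulative
    download volume in the window past the limit (reported once per user)."""
    findings = []
    volume = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event["action"] != "download":
            continue  # only data leaving the service matters for this check
        user, dataset = event["user"], event["dataset"]
        allowed = entitlements.get(user, set())  # unknown users get nothing
        if dataset not in allowed:
            findings.append((user, f"download of {dataset} outside need-to-know"))
        before = volume[user]
        volume[user] += event["bytes"]
        if before <= limit < volume[user]:
            findings.append((user, f"download volume exceeded {limit} bytes"))
    return findings

if __name__ == "__main__":
    for user, reason in review_downloads(SAMPLE_LOG):
        print(f"{user}: {reason}")
```

In practice the entitlement map would be generated from the access-control decisions made under the first bullet, so the monitoring check and the access policy stay in step.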
4. Follow up
Cloud security is an ongoing process. Once a cloud service is implemented, it’s important to monitor the system to make sure the security requirements continue to be met.
That might mean conducting periodic audits to make sure the provider is fulfilling its end of the bargain, as well as making sure IT has enough oversight to confirm the internal requirements are being followed.