What You Need to Know About Cloud Compliance

A few weeks ago we hosted a webinar on cloud compliance that was very well received and offered some great information about cloud adoption, regulations and compliance, and a slew of other topics aimed at helping organizations understand what is involved in moving to the cloud. We’ve boiled the information down to the nuts and bolts of what was discussed and the most important takeaways you should keep in mind to move to the cloud safely.

To Cloud or Not to Cloud?

Half of midsized companies are either already using cloud-based services as part of their business practices or plan to implement them in the near term. The biggest issue when deciding whether to move to the cloud is data security.

Customer Trust

Cloud consumers and cloud providers have an intimate relationship in which the consumer entrusts its data to the provider. Customers expect their cloud provider to give them assurance from an independent third party that the provider is actually doing the right things.

Mounting a Strong Defense with Information Security and Compliance

Cloud computing is very complex, and companies must look at every area of the environment they are securing. Companies with a cloud infrastructure must protect information using technology, firewalls and access controls, and must have incident response, disaster recovery and business continuity in place.

Define an Information Security Policy

Many organizations don’t have a formal written security policy, which jeopardizes communication and planning with service providers. The Internet is full of standards and policy templates, including ISO 27001 and the templates published by SANS.

Classify All Information Assets

After defining what information is being protected, you must define your assets. This outlines where your sensitive and critical information is and who (including your cloud service provider) needs to have access to it.

Data Location and Regulations

Cloud consumers want to know exactly where their data is and don’t want it to cross borders without being notified. As a customer, you have to depend on the cloud provider to understand your requirements for data location and notification. If you don’t have policies in place for these controls, you cannot hold the service provider accountable.

Perform a Risk Assessment

For the last step before sending your data to the cloud, identify the business processes you need in order to keep operating and look for the threats to them. This should be done on a recurring basis, and consulting services can help.

Trust and Verify

You must be able to trust and verify your service provider. In the late 90s, the financial community formed an open organization called BITS. The organization works to ensure that a service provider’s offerings are analyzed for their security controls and that a standard audit process exists. “Good” companies have a SAS 70 or SSAE 16 audit at the SOC 2 level that covers all of their security features. “Excellent” ones have gone through an ISO 27001 certification recognized by the international community, though these are very rare.

Summary

These are some of the things you need to know when moving your organization to the cloud, including compliance and security within the cloud, defining an information security policy, defining your assets, and how to verify and choose a cloud service provider.

For a full webcast replay of the webinar, check out the recording on our website here.

Posted by Felix Santos
