10 Tips to secure your cloud computing assets
- Details
- Published on Friday, 08 July 2011 19:30
Chances are that your organization already has adopted some form of cloud IT. It could be in the form of an internal private cloud, a hosted email package or miscellaneous outside services. The cloud is here to stay, and the fear and uncertainty associated with any new technology is distracting organizations from securely adopting this IT resource.
It's not hard to imagine how a newer technology could introduce more security woes; after all, we are constantly seeing news about the latest breaches across the media. However, if we look closely at recent events, the attacks and breaches which build such fear in our minds are often the result of a lack of focus on security fundamentals, not necessarily sophisticated attacks.
This is not to say that such attacks can't occur, but the reality is that attackers often focus on the easiest attack route and not the hardest to implement. A criminal will almost always enter a house when no one is home and the door is left open before breaking into a home with the door locked and lights on.
When moving IT to the cloud, organizations need to consider basic security practices analogous to locking the door on their homes. In this slide show is a common-sense set of 10 tips for this purpose, provided by Harold Moss, CTO of Cloud Security Strategy at IBM.
Identify the Foundational Controls
Foundational controls are core to an organization's security philosophy. They represent maybe 60 security controls (or less), which protect the assets your organization values most. Focusing on them will ensure that as your business embraces cloud technologies, your approach is consistent with the security controls.
Focus on the Workload
Security in the cloud—and an organization's confidence—directly correlate to workload. Each workload has unique considerations, such as regulatory factors and user dependencies. By focusing on the workload and not solely the cloud IT, you can implement a focused security program with the potential to offer more security than traditional implementations.
Build Consensus Early
All too often, cloud technology is adopted without buy-in from all parties. As a result, important security details may be omitted, which can lead to integration and usability challenges. Successful cloud security implementations require key stakeholders to be aware of and agree upon benefits and challenges.
Implement a Risk Mitigation Plan
Cloud adoption often involves a number of parties, both internal and external. Organizations should adopt a documented risk mitigation plan to allow administrators and staff to rapidly deal with issues in the cloud. This plan should include not only documentation of risk, and responses to those risks, but also education and training.
Don't Forget Image Management
Many clouds leverage virtualization capabilities. Organizations should implement a storage image management process, which ensures that only appropriate images are actively available. It’s also important that all deployed images are correctly identified and managed to prevent image sprawl.
Conduct a Security Evaluation
Clouds are complex. Prior to migrating to cloud technologies, organizations should first evaluate applications and infrastructure for vulnerabilities and ensure that all security controls are in place and operating properly. Ethical hacking is a secondary activity which organizations should use to check their cloud applications for common vulnerabilities.
Take Advantage of Security Services
New security services have entered the market that allow organizations to achieve best-of-breed security without the usual overhead. Areas such as intrusion prevention, access and identity management, and security event log management present opportunities for organizations to achieve security goals without putting a strain on existing resources.
Develop a Resiliency Program
As organizations adopt cloud-based technologies, they should also look at their resiliency needs. No technology is perfect and the same goes for the cloud. Make sure that workloads, which are critical to the business, can be rapidly restored in the event of a catastrophe or attack. Be careful to ensure that workloads can be readily restored with minimal impact on business continuity.
Actively Monitor Performance
Failing to properly monitor cloud implementations can result in performance, satisfaction and security issues. Implement an active monitoring program that identifies any threats to the success of the cloud implementation.
Follow a Cloud Lifecycle Model
Security in general is not a point-in-time statement, but more of an ongoing effort to keep the bad guys out while letting the good guys work. Organizations must be diligent in managing cloud technologies and in regularly reviewing security.
(eWeek)
