Among the benefits of cloud services are scalability with reduced capital expenditure, more efficient use of IT resources and the ability for an organization to focus on its core competency.
But security remains a barrier to widespread adoption of the cloud due to concerns around data breaches and compliance. However, in most cases, cloud providers can achieve better security in a virtualized environment than enterprises can achieve internally, according to a recent NaviSite white paper called “Seven Steps to Developing a Cloud Security Plan.”
Organizations need to take a strategic approach to security and continue to play an active role in security and risk management even after they choose a cloud service provider. NaviSite outlined seven steps organizations should take when developing their cloud security plan. Below is an overview of those steps enterprises can take to gain the cost and business advantages of cloud services without compromising the security of enterprise applications:
Step 1: Review Your Business Goals – Any cloud security plan needs to start with a clear picture of what your business goals are. Security should focus on enabling technology, processes and people. Understanding the business objectives and providing long-term strategies to enable business growth, customer acquisition, and customer retention is essential to any successful security plan.
Step 2: Maintain a Risk Management Program – In addition to reducing the overall risk to the organization, a risk management program is also essential for prioritizing the utilization of resources and for providing the business with a long-term strategy.
Step 3: Create a Security Plan that Supports Your Business Goals – A solid security plan will also include compliance programs, technologies, and processes with very specific results. Goals should include a specific date for completion; verification of achievement, such as a service organization controls (SOC) report; and a measurable expected result.
Step 4: Secure Corporate-Wide Support – Buy-in for the plan from across the organization is key to ensuring a successful cloud security plan. Organizations need to ensure that the security plan is not only aligned with the goals of the organization, but also with the goals of the major departments that will be implementing it.
Step 5: Create Security Policies, Procedures and Standards – Create best practices to establish policies that align with business goals, develop procedures that are realistic and that will be acceptable to the organization, and wherever possible turn to industry standards to guide you.
Step 6: Audit and Review Often – Businesses need to review the security plan on a regular basis, report on achievements of goals, and audit the compliance of the organization to the security policies and procedures.
Step 7: Continuously Improve – Many businesses believe that once security policies are established, they do not need continual review. However, it’s critical to review your cloud computing security plan with senior executives and your cloud services provider at a minimum of once a year. Review and edit security policies and procedures, and actively report back to the organization the accomplishments of the security and compliance teams.
Using these guidelines as a framework for developing a cloud security plan can help organizations structure security and compliance programs to leverage the financial reward of managed cloud applications and services while meeting organizational security and compliance objectives.
Edited by Jamie Epstein