Enterprises can now outsource mission-critical, formerly on-premises applications to the public cloud. Does that mean IT and network security administrators must cede responsibility for data and network security? Not at all. No matter how much infrastructure and how many network services and business applications organizations shift to the cloud, ultimate accountability for the company's information and network remains with the enterprise. That's why a well-crafted cloud security policy is a must.
Unfortunately, despite the rise of cloud services, only 40 percent of enterprises have a formal, centralized cloud security policy, according to the Ponemon Institute's 2013 State of the Endpoint survey. This provides ample opportunity for administrators to step up to the task of locking down their companies' data and networks. I recently spoke to Scott Hazdra, principal security consultant for security service provider Neohapsis, about ways enterprises can more effectively secure their cloud deployments.
Critical items to consider when crafting a cloud security policy
Cloud security policy remains a struggle for companies both large and small, according to Hazdra. "Policies are often lashed together as needed after something bad happens – a breach, or some event with an employee – after which companies realize that, well, we didn't even tell anybody what we expected," he said. Ideally, companies should create their cloud policies in advance of deployments. Hazdra offered several items enterprises should consider as they do so.
Vital among those questions is whether your company already has a clear data classification policy. This becomes more critical the more sensitive or protected data your company holds, particularly in heavily regulated industries like health care and financial services. Data classification will help prevent the inadvertent uploading of information that needs to remain in your own data center. It can also help protect data traveling over any cloud-based network services you choose. Rackspace, for example, offers clients ways to control what kind of traffic traverses certain pathways within their virtual networks, but you need to first classify your traffic to make that useful.
Besides data classification, your company may also have other policies that you can apply to your cloud deployment. Acceptable use policy is one typical example. Will you allow users to access cloud-housed corporate data on their own devices? If so, do you have the infrastructure in place to manage those devices? Once you've identified areas where existing policies overlap your new cloud policy, check to see whether the cloud providers you're considering have policies that match yours – or don't. "If a cloud provider doesn't have any policy or controls around preventing things you don't want to happen, you have to consider whether they're still a good choice for you," Hazdra said.
Also consider where your company is willing to allow its data to live. The physical location of data has legal and privacy implications. Can cloud providers move your data out of the state? Out of the country? Can providers agree that your data will remain at a specific data center if needed? And if provider policies don't satisfy all of your enterprises' requirements, what data will your company need to keep on-premises? Again, clear data classification matters.
Finally, what security assurances do you need from cloud providers regarding the data you put the cloud? This is particularly important when it comes to SaaS, according to Hazdra, who said, "Software developers are always trying to improve the performance of their programs, and sometimes that conflicts with good security. Developers are sometimes allowed to turn security features off to reach the required performance level. Businesses need to decide up front what takes priority." You may indeed decide that a slight reduction in security is worth an increase in performance. What matters is that you clarify that priority and ensure that cloud providers' policies match your expectations.
Now that you're moving forward toward a complete cloud security policy, think about who your enterprise will authorize to enter into, or approve, agreements with cloud providers. "You might have professionals, like doctors, dentists, or attorneys, using the cloud for storage so that they can access their work files from home easily," Hazdra said. This makes life easier for the individual employee, but can also put company data at risk. Designate specific positions to set up cloud services for work use and specific consequences for policy violation.
Cloud security: Who's responsible?
Designating persons authorized to enter into cloud service agreements brings us to the question at the heart of cloud security discussions: who's ultimately responsible for the security of data in the cloud? Some share of the responsibility does lie with the cloud provider, Hazdra said, with more responsibility falling to SaaS providers and less responsibility to IaaS providers.
Ultimately, however, enterprises must take accountability for what happens to their information, no matter who else handles it. If you're looking at infrastructure providers, you must still "verify that the provider is doing what they promised to do, whether through audit or inspection or discussions with cloud provider staff about how things are accomplished," Hazdra said. As you move to SaaS, meanwhile, the onus remains on you to enforce acceptable use, privacy, encryption, and data mining policies. You must also still make sure that "the cloud provider is following their own policy around everything," he added.
The rise of the cloud will almost certainly change the roles of network and IT security admin, but the cloud will by no means eliminate them. As the times change, so must your organization's policies. Ask the right questions to make sure those policies stay airtight.
Jude Chao is executive editor of Enterprise Networking Planet. Follow her on Twitter @judechao.