The first step is to understand where your data is within your organization and decide whether or not it should be moved to the cloud. You can’t protect your data if you can’t accurately describe what it looks like and where it is. Then you must classify the data that flows through your networks so that you have a real-world map of all your critical information assets. This provides the insight to build policies to protect your data. These policies are then built into the security solutions so that only the data you want moves into the cloud, and sensitive and confidential data stays protected.
You should ask the same basic questions you ask when dealing with internal security, such as:
• Does my cloud environment allow individual user accounts for login, so that I don't have to share credentials among multiple people?
• Does the cloud environment include management auditing that shows who took what action and when? Without this type of auditing, many internal compliance requirements cannot be met.
• Can I build a traditional multitiered network with firewalls and ACLs between each tier? If not, am I comfortable with my database having less separation from the DMZ than it would have in a traditional network?
• Have I (or my vendor) performed network penetration testing and application vulnerability testing to ensure that my network and application are not vulnerable to common attacks?
• Does my cloud vendor provide network IDS?
• Does access to my back-end environment require VPN connectivity, or can anyone on the Internet reach it?
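The tier-separation and VPN questions above can be answered mechanically from a provider's firewall or security-group rules rather than by eyeballing a diagram. The following is an added example, not code from the round table or from any vendor: it models the tiers as a graph whose edges are the allow rules, then checks that neither the Internet nor the DMZ has a direct rule into the database tier, that the only route from the Internet to the database passes through every tier, and that administrative ports on back-end tiers are open only to the VPN. The tier names, port numbers and both rule sets are constructed for illustration.

```python
"""Check multitier separation and VPN-only admin access over a rule set.

Rules are in a security-group style: each rule allows traffic from a
source tier to a destination tier on a set of ports, and anything not
listed is denied. Tier names, ports and rule sets are constructed
examples, not taken from any real provider.
"""
from collections import deque

# The separation the checklist expects: Internet -> DMZ -> web -> app -> db.
EXPECTED_CHAIN = ["internet", "dmz", "web", "app", "db"]
ADMIN_PORTS = {22, 3389}   # SSH and RDP
VPN = "vpn"

# A layout that keeps the tiers apart and routes all admin access via VPN.
GOOD_RULES = [
    {"src": "internet", "dst": "dmz", "ports": {80, 443}},
    {"src": "dmz", "dst": "web", "ports": {8080}},
    {"src": "web", "dst": "app", "ports": {8443}},
    {"src": "app", "dst": "db", "ports": {5432}},
    {"src": "vpn", "dst": "web", "ports": {22}},
    {"src": "vpn", "dst": "app", "ports": {22}},
    {"src": "vpn", "dst": "db", "ports": {22, 5432}},
]

# A flattened layout: the DMZ talks straight to the database, and the
# database's SSH port is open to the whole Internet.
FLAT_RULES = [
    {"src": "internet", "dst": "dmz", "ports": {80, 443}},
    {"src": "dmz", "dst": "db", "ports": {5432}},
    {"src": "internet", "dst": "db", "ports": {22}},
]


def shortest_path(rules, src, dst):
    """Breadth-first search over the tier graph built from the allow rules.

    Returns the list of tiers on the shortest allowed path from src to dst,
    or None if dst cannot be reached from src at all.
    """
    prev = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for r in rules:
            if r["src"] == cur and r["dst"] not in prev:
                prev[r["dst"]] = cur
                queue.append(r["dst"])
    return None


def audit(rules, chain=EXPECTED_CHAIN, vpn=VPN, admin_ports=ADMIN_PORTS):
    """Return a list of findings; an empty list means the rule set keeps
    the tiers separated and admin access VPN-only, as the checklist asks."""
    internet, db = chain[0], chain[-1]
    back_end = set(chain[2:])          # everything behind the DMZ
    findings = []

    # 1. Neither the Internet nor the DMZ may have a direct rule into the database.
    for src in chain[:2]:
        for r in rules:
            if r["src"] == src and r["dst"] == db:
                findings.append(
                    f"{src} -> {db} allowed directly on ports {sorted(r['ports'])}")

    # 2. The shortest route from the Internet to the database must traverse every tier.
    path = shortest_path(rules, internet, db)
    if path is not None and path != chain:
        findings.append("Internet reaches " + db + " via " + "->".join(path)
                        + ", expected " + "->".join(chain))

    # 3. Admin ports on back-end tiers may be reachable only from the VPN.
    for r in rules:
        exposed = admin_ports & r["ports"]
        if r["dst"] in back_end and r["src"] != vpn and exposed:
            findings.append(
                f"admin port(s) {sorted(exposed)} on {r['dst']} open to {r['src']} rather than {vpn}")
    return findings


if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("flat", FLAT_RULES)):
        print(name, "->", audit(rules) or "no findings")
```

Run as a script it reports no findings for the first layout and four for the flattened one (two direct rules into the database, a two-hop Internet-to-database path, and SSH on the database open to the Internet). Against a real environment, the rule lists would be pulled from the provider's API and the tier labels derived from how instances are grouped; the checks themselves stay the same.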
Someone just beginning to look into cloud security should get involved with organizations like the CSA and the Open Data Center Alliance (ODCA). Both are excellent organizations that look at the problem from different perspectives. The CSA has a certification program called the Certificate of Cloud Security Knowledge (CCSK). While a CCSK doesn't make you an expert on cloud security, it does introduce the areas the CSA and the European Network and Information Security Agency (ENISA) are focusing on. The material these organizations publish covers many of the areas customers need to understand before they contract with a cloud provider. It is also worthwhile to get involved with (or consider starting) a local chapter of one of these cloud organizations and to attend the cloud-focused tracks at security conferences. Doing so lets you network with other professionals who are facing many of the same challenges and strategic decisions around cloud computing.
36 Intel IT Center Vendor Round Table | Cloud Security