10 things to consider when creating your first Cloud Security Policy
“Distrust and caution are the parents of security” – Benjamin Franklin
Organisations around the globe are steadily moving towards adopting Cloud. Cloud computing, as most of us know, provides lower IT costs, particularly with pay-for-use models (such as Infrastructure-as-a-Service (IaaS) and Software-as-a-Service (SaaS)). Cloud allows organisations to benefit from reliable infrastructure architecture and reduces internal infrastructure complexity.
But the benefits of adopting Cloud come with some challenges too. Security and Governance have, for years, proved to be the major roadblock when it comes to the adoption of Cloud computing. Larger Cloud Service Providers (CSPs) may offer top-end technologies to their customers, but that should not be the reason to trust them. There is always uncertainty and a lack of transparency from CSPs, which has deterred many organisations from adopting Cloud.
To overcome this lack of transparency between the CSPs and the organisation, the first step should be to develop an internal Cloud security policy, if the organisation does not have one in place. This Cloud security policy should assist the organisation in identifying the data or information which needs to migrate to Cloud and which should stay within the control of the organisation.
Here are 10 fundamental questions to consider when drafting a Cloud security policy:
- Who in the organisation is authorised to sign off or approve data migration to Cloud?
- Is there a proper data classification framework in place to identify which data can be migrated to Cloud and which cannot?
- Are there any regulatory policies which you need to abide by when migrating particular data to Cloud?
- What is the data retention policy you need to follow when migrating to Cloud?
- Who will be the responsible person or point of contact for the CSPs?
- What service level agreements do we require when migrating data to Cloud?
- What level of data encryption do we need when migrating data to Cloud?
- How will backups be managed for the data stored in Cloud?
- What constitutes a security event or a breach?
- What documentation is available from CSPs in relation to their security program, controls and policies?
These are just a few examples of what organisations should consider when developing a Cloud security policy. Once a policy is in place, it should be used as a reference point by the various business owners who want to leverage the benefits of Cloud computing. As the organisation adopts and begins to use Cloud computing, the Cloud policy document should be reviewed and refined based on its current experience of using Cloud, upcoming technology trends and the services provided by various CSPs.