Security in the cloudsphere - Part 3

When deciding to move to the cloud, it is important to identify the business, regulatory, and security impacts of using a cloud provider. Over the next 5 sections, we outline the key concerns you should address prior to moving to the cloud.

1. Access control

How do we know only the right people are accessing our data and services?
What are the security implications of moving our intellectual property to the cloud?
How do we securely activate, authenticate, authorize, and report on user access?
  • Expectations from the cloud provider

Control access to sensitive data | Provision and deprovision user access | Audit and report user access and data use

2. Business continuity

How do we maintain control of the environments we migrate to the cloud?
  • Expectations from the cloud provider

Ensure the viability of the provider and continuity of the consumer’s services | Provide business continuity and disaster recovery   

3. Compliance

How does migrating to a cloud environment affect our compliance requirements?
What compliance factors apply to us and how do we address them?   
  • Expectations from the cloud provider

Maintain compliance with regulatory requirements across borders and jurisdictions | Document and audit processes and procedures for data access and protection

4. Data protection

How do we ensure our data is appropriately segregated from other cloud subscribers’ data?
How can we trust our cloud provider from a security perspective?
What are client expectations for security and what processes and controls do we need to meet them?
How do we maintain logical data segregation in live processing and backup storage environments?
  • Expectations from the cloud provider

Prevent unauthorized data exposure, loss or corruption | Maintain data segregation in a multi-tenant environment | Implement a data classification scheme and handling processes for sensitive data | Securely dispose of data no longer required | Follow the customer's data retention policy

5. Incident response

How do we manage incident response activities if our data is breached?
How do we work with our customers around their incident response and investigations?
  • Expectations from the cloud provider

Detect and correct security events | Cooperate during investigations and incident response | Follow the customer's policies regarding e-discovery

In the last instalment of this series, we will look at what the cloud provider should provide and what your own responsibilities are in ensuring these topics are covered in the agreement.

More articles by Niraj Agarwal