Despite growing cloud adoption in the enterprise, security remains a concern. How cloud vendors—and customers—approach security is still developing, and best practices and policies are just emerging.
On the other hand, the rise of cloud solutions can help reshape the role of IT security teams. After all, one advantage of the cloud is that it drives the organization to take a more comprehensive, and effective, approach to risk governance.
Nonetheless, security consistently ranks among the top three concerns that business leaders express when asked why they’re reluctant to move critical data to the cloud. It’s imperative that you understand how your team should approach security when evaluating cloud options.
To help ensure you’re taking the right steps, make sure you’re implementing these four best practices:
It would be great to perform a direct audit of your IT vendors, examining every aspect of cloud security compliance against an industry standard. But direct auditing is rarely, if ever, allowed, and industry standards are still being drawn up. The next best thing is to rely on verified compliance, but against what standards?
Start by looking for a vendor that has proven compliance with ISO—that’s the big one. Drill down to discuss CSA recommendations, SAS 70 and other guidance that suits your specific use cases.
Above all, you or your chief security officer need to understand what matters most to you and your business when it comes to security, and discuss it with the vendor’s CISO.
Certain types of sensitive data—HR files, healthcare records, payroll info, sensitive product plans—are at great risk if shared via solutions that are not sufficiently secure. The key is to risk-rank your data from highly critical to public, then think about where it should reside, how long it needs to be protected, and what protection schemes are appropriate. Consider the business value versus risk.
Many businesses find that the best way to avoid “point in time” risk assessment is to create an internal team specifically tasked with this responsibility. Companies that already have external and internal audit functions to meet regulatory requirements may incorporate cloud risk assessment into those processes.
This doesn’t have to be a new layer of bureaucracy—this internal IT security layer can provide proactive risk assessment and recommendations across the organization. Aim to automate these practices where possible, eliminating manual steps and/or repetitive tasks to enhance efficiency and accuracy.
Security is everyone’s concern—and everyone’s responsibility. This has always been the case, and the cloud only emphasizes it. The challenge is to make sure every employee understands the implications of allowing critical business data to be inadequately secured in a cloud context.
You can help by shifting the mindset from “controlling security” to “governing security and risk.” This means being proactive instead of reactive—putting governance processes in place to avoid problems before they ever arise.
The most recent issue of the Discover Performance newsletter (from which this post was adapted) has more insights and best practices about cloud security.