The easiest way in IT to stop a new technology or solution from being implemented is to play the security card.
As soon as someone mentions concerns around a new IT solution not being ‘secure', the project will immediately come to a halt. Since cloud infrastructure and cloud computing first entered conversations within the enterprise sector, concerns about the security of cloud quickly became the biggest barrier to adoption.
As with security for any other technology solution– past, present or future – creating a security strategy and plan must be one of the first considerations for enterprise organisations. While choosing a service provider that can enforce strong security procedures and measures in the cloud is an important step, enterprises need to continue to take an active role in their own security and risk management.
With that in mind, by following these seven steps any business can rely on a proven cost-effective methodology for securely leveraging cloud services and reap the cost and business benefits of the cloud, without compromising the security of enterprise applications.
Review your business goals: To develop an effective cloud security plan it is crucial you understand – and take into consideration – the organisation's current business goals and your goals for the future.
A robust security plan is not a one-size-fit all form of protection, so to develop a cloud security plan that aligns with your business goals and objectives you need to assess the organisation's current business processes, technologies and staff.
Maintain a risk management program: It would be naive to think that applications will never be breached, whether hosted or in a virtual managed environment. It is therefore important to develop and maintain a central risk management programme. It is only through a well-defined and carefully maintained risk management programme that you can provide an aggregated and holistic view of the potential risks to your company.
Create a security plan that supports your business goals: A cloud security plan should include goals with measurable results and be consistent with providing support for the growth and stability of the company. Compose a plan that includes compliance programmes, technologies and processes with a very specific results strategy.
Establish corporate wide support: A key element of a successful cloud security plan is the involvement and support from the entire organisation. Obtain the approval for your cloud computing security plan not only from executive management but also the general workforce. This support and approval will help to streamline adoption throughout the company.
Create security policies, procedures and standards: To ensure the entire organisation is focussed on achieving the same goals, establish a set of guidelines and ensure that all compliance measures are identified. By gaining insight from each department, you will more easily collate, create and communicate security policies and apply best practice so that all procedures and policies align with business goals. Bear in mind that they must be realistic and applicable to the entire organisation.
Audit and review often: Once established, it is important to review the security plan on a regular basis, report on achievements of goals, and audit the compliance of the organisation on the security policies and procedures.
By auditing and reviewing the results regularly, companies can implement a constant audit cycle that ensures the controls remain in place and that they are being followed. Similarly, if problems occur, they can be identified and remediated before the next audit cycle.
Continuously improve: A well-developed plan will definitely allow for continuous improvement of security and compliance. However, many companies believe once they have solid policies and procedures in place they don't need to revisit them.
In truth, both industry and business change over time and the technology available to support your security plan will evolve. As such it is important to review your cloud computing security plan annually at the least with senior management and your cloud services provider.
Enterprise security should not be taken lightly. However, it needn't be a major roadblock either. By following these guidelines, organisations can structure security and compliance programmes to take advantage of the economic benefits of managed cloud applications and services while simultaneously meeting security and compliance objectives.
David Grimes is CTO of NaviSite