Laying the foundational requirements for cloud security

Cloud operations are now integrated into all kinds of organizations as both standard and critical services. Yet this ubiquitous service consumption option comes with plenty of reasonable and rational security concerns, and responsible organizations must get out in front of them to handle them effectively.

But how? Kevin L. Jackson—CEO of CC Globalnet, a globally recognized cloud computing thought leader, and an (ISC)2 Certified Cloud Security Professional instructor—delves into the actions for keeping data safe in the cloud. The foundational element for achieving cloud data security, perhaps the one single secret to keeping cloud deployment secure, is to clearly document the organization’s overall cloud security requirements.

“To begin with, cloud security requires you to look at all aspects of the cloud, both single cloud and multiple cloud,” Kevin says.

He splits the braided issues of cloud security requirements into four distinct threads, all of which an organization can use to take direct action:

1. Examine the roles and responsibilities of the cloud service provider, the organization, and any third party that has access to the org’s data for compatibility.

“The key driver should be your business data management policies,” Kevin says. After all, when a company chooses to partner with (and rely on) a particular CSP, the organization ultimately agrees to manage its own data in accordance with that CSP’s policies and procedures—not the organization’s own. Third parties will also be bound by these policies if they are accessing and using the organization’s cloud-stored data.

“You need to understand and accept that fact,” he says. “This acceptance requires you to confirm that their data management security policies are compatible with your own.”

2. Evaluate the technical and organizational aspects of the chosen service and deployment models.

This action holds for all service models—infrastructure, platform, or software as a service—and all deployment models—public, private, hybrid, or community cloud. Essentially, no matter which models an organization chooses, the onus for evaluating those models rests on the organization itself.

“Your team must evaluate available security controls and how they can be used to protect your data,” Kevin says. “This evaluation will help you determine which aspects of the service provider’s data security operations are critical to your organization’s performance and its ability to meet all performance goals.”

When he says “all performance goals,” he means all: revenue attainment, business goals, mission requirements, customer needs. Organizations also need to understand the data security and data privacy requirements of their local, regional, and national environments, including cross-border data flows. The CSP offers the platform, but the organization remains responsible for whether, and how, its use of that platform meets its own obligations and needs.

3. Assess service availability and management options by CSP region.

This deserves its own section: not every service is available in every region. Verify that the CSP’s service availability and management options are congruent with the organization’s environment and geographic reach.

4. Question and understand service level agreement lapses.

This is an often-overlooked aspect of cloud security partnerships. “What happens if the cloud service provider fails to deliver in accordance with the agreed service level agreement?” Kevin asks. “What would your organization do if this should occur?”

These questions are worth following down the rabbit hole. How would the organization detect an SLA lapse? In what ways would such a service failure affect customers? What type or degree of SLA breach would warrant moving to a different CSP?

The results from each of these actions will lay the foundation of an organization’s cloud data security. In his Pluralsight webinar, Kevin builds on this foundation to illuminate the five critical actions organizations can take for securing their cloud operations.