
Journey to the cloud: 7 steps to security

You’ve decided you’re moving to cloud-based services, so how do you go about it? We have put together a step-by-step guide to help you identify the appropriate level of security for the services that you will need to have in place.

1. Know your business requirements

Understanding what you want from your move to the cloud is essential. Do you need to manage fluctuating demand? Perhaps you simply don’t want to manage IT internally anymore or you’ve got legacy equipment and you need to update it.

If you review what’s led you to make the changes in the first place, this will help you work out your requirements. Ask yourself whether your requirements are business critical or not. If your requirements are business critical you will have certain expectations. For example, if your CRM system goes down and as a result you have a call centre with 100 agents unable to work, costing your business money, this is something that needs to be avoided. If, on the other hand, you were to lose instant messaging, which isn’t as vital to day-to-day business operations, this might not be high on your security priority list.

2. Understand your information

What sort of information do you want to store in the cloud and how confidential is it? You need to identify all the information that will be processed, stored or transported by the service and therefore understand the legal and regulatory implications, for example, the Data Protection Act for handling personal data.

You’ve got to understand what you’re putting out there and this takes you back to your requirements in terms of how available it must be, how reliable it must be, all the governance around it and the kind of data you have and what it’s telling you.

3. Determine relevant security principles and understand how they are implemented

Based on your business requirements and risk policy, you will need to determine which cloud security principles are most relevant for your organisation and this is something you should work through with your cloud services provider.

For example, one of these principles might be securing user management, where your cloud service provider makes tools available for you to securely manage your use of the service. Management interfaces and procedures are a vital part of the security barrier, preventing unauthorised access and alteration of the customer’s resources, applications and data. Security isn’t just about attackers and misuse; it can just as easily be about mistakes and human error.

Another principle might be operational security, which looks at operating and managing the service so that you impede, detect or prevent attacks, but ensure that this is done in a way that isn’t complicated, time consuming and expensive.

4. Understand the level of assurance offered

Different cloud service providers offer various levels of assurance; some just tell you what they’re doing, others provide a certificate which proves what they do and some provide evidence of regular testing to assure you that security measures work. It’s for you to decide if this is enough reassurance. Ultimately, do you need to get an independent third-party assessor in to give you their view on it? It’s all about understanding what your requirements are and what you’re going to put into this cloud service that needs to be secure.

5. Identify additional mitigations to apply

You have moved relevant workloads to the cloud, so what next? Note, the answer here should never be nothing. You should always have a plan B. At this stage, you need to consider any additional measures your organisation can apply to help reduce the risk to your applications and data, whether or not resulting from its handling by the cloud service.

You need to ensure that the service provider you are trusting with your precious information has a continuity plan and disaster recovery in place. You can’t rest on your laurels and think that these things might not happen to you. It’s not a question of if, it’s when, and you need to make sure you’re ready and prepared.

6. Consider residual risks

Considering all the above points, if you still feel that there are some remaining risks, you need to decide whether you and your organisation can accept the potential outcome if they come to fruition. If you can’t, you need to stop this process, start again and work out how to address these risks. However, if you decide to go ahead, then don’t forget about the need for continuous risk awareness. The need for security never goes away. You need to make sure that it works, and continues to work, at all times.

7. Continue to monitor and manage the risks

Regularly review the service and make sure it still meets business and security needs. Don’t just put this process in place and then forget about it and expect it to carry on working perfectly. Things degrade, situations change, and new ways of attacking systems are always cropping up.

Make sure you keep reviewing how you are using cloud services and ask, am I still secure? If the cloud is something your organisation is going to depend on heavily then it needs to be robust and you need a recovery plan in place with a service provider that you trust.

If you’re at the stage in your cloud journey where you’re assessing security or you’re mindful that this is on your tick list of things to do before moving to the cloud, get in touch with us and let us talk you through the 7 steps of security.


Up next

Journey to the cloud: 4 steps to successful cloud adoption

As organisations increasingly explore the benefits of moving to the cloud, more questions and concerns arise, such as how much they’re spending or want to spend, what resources there are in place to manage the cloud, whether they’re using the right provider… the list goes on. Building a cloud environment is not easy and it’s important that organisations develop a strategy to implement a successful cloud environment. We have put together 4 steps to successful cloud adoption to help you on your journey…

1. Assess – your workloads

Assessing workloads before moving to the cloud is key. It’s important to understand which workloads you want to move, the ones you don’t and why. Examples of workloads are: business applications, email servers, SaaS services, external/internal websites, firewalls and FTP servers. When it comes to assessing workloads, there are certain things that businesses like to keep in house and certain things that they must have in house. The interesting part is driving out where the crossover lies between the two.

Business application workloads (as opposed to infrastructure services) form the bulk of a company’s servers. Some of these workloads are independent while others are interlocked with add-on applications. It is essential to migrate together all the add-on applications that are heavily dependent on the primary application.

2. Plan – what you’re going to do with these workloads

You’ve worked out what you’ve got and what its status is; the next step is to understand where you need to take it. If there’s a consideration about buying more premises-based equipment at this stage, you really need to question the reasoning for this. These days, businesses are gravitating towards a full move to the cloud, unless there’s a damn good reason against it.

However, it might be that certain workloads aren’t the right fit for the cloud. Let’s take firewalls, for example. The questions you would need to ask here are: how many have we got, where are they, how old are they, who are the manufacturers, what sort of condition are they in, how reliable are they, what’s the support situation, is there any reason for changing and if so what’s the reason – if, for example, they’re difficult to manage.

Having a strategy in place for all your essential systems and understanding where they currently are and where you want them to go is important. For example, are workloads moving to the private cloud, staying on premises, or are you perhaps going to have a hybrid situation?

3. Decide – what service you want

Now it’s time to draw a line in terms of what you do and don’t want to do with your premises kit so you can work out what changes need to be made before you move to the cloud. The overarching reason might be that you want your IT resource to focus on the business-critical stuff, which is the data, the customer relationship stuff and customer reporting, as opposed to operating systems, bits of electronics and power supplies. This helps you decide what sort of provider you want and then how you are going to use it, what you’re going to do with it and what sort of workload you’re going to put on it, because that determines what type of contract you want.

There are different ways that you can do this. It’s not a case of you either do cloud or you don’t do cloud. For example, you could perhaps go for something more specific: managed, maintained, bespoke or templated, short term, long term or an amalgamation of all of these, dependent on what your service provider offers.

4. Choose – a cloud provider

Choosing what service you want will help you decide what type of provider you need. It’s important to decide who you’re going to work with and what the criteria are going to be. It’s highly likely that it’s going to be a provider that’s going to come and sit down with you and offer a consultative approach, is UK-based, understands your market, is there to speak to you at all times and is accessible at all levels. If you’ve got a big issue and you want to talk to a senior manager then you can; it’s not a faceless operation that manages its customers via templated Q&A on its website.

If you recognise some of the above criteria as being important to you, then this is where we can help. Intercity is an established UK provider of managed services to commercial businesses and the public sector. Our services make up part of the critical UK infrastructure, including life-critical emergency service. A consultative approach is key to how we engage with our customers, so we gain a thorough understanding of the issues they need to address and deliver cloud services which meet and in many cases exceed their expectations.

We are currently offering a complimentary cloud audit – why not take advantage of this and see how we can help you on your journey to the cloud…