You’ve decided you’re moving to cloud-based services, so how do you go about it? We have put together a step-by-step guide to help you identify the appropriate level of security for the services that you will need to have in place.
1. Know your business's requirements
Understanding what you want from your move to the cloud is essential. Do you need to manage fluctuating demand? Perhaps you simply don't want to manage IT internally anymore, or you've got legacy equipment that needs updating.
Reviewing what led you to make the change in the first place will help you work out your requirements. Ask yourself whether each requirement is business critical or not, because business-critical requirements carry certain expectations. For example, if your CRM system goes down and as a result you have a call centre with 100 agents unable to work, costing your business money, that is something that needs to be avoided. If, on the other hand, you were to lose instant messaging, which isn't as vital to day-to-day operations, this might not be high on your security priority list.
2. Understand your information
What sort of information do you want to store in the cloud, and how confidential is it? You need to identify all the information that will be processed, stored or transported by the service, and therefore understand the legal and regulatory implications; for example, the Data Protection Act for handling personal data.
You've got to understand what you're putting out there. This takes you back to your requirements: how available the information must be, how reliable the service must be, the governance around it, the kind of data you have and what it tells you.
3. Determine relevant security principles and understand how they are implemented
Based on your business requirements and risk policy, you will need to determine which cloud security principles are most relevant for your organisation. This is something you should work through with your cloud service provider.
For example, one of these principles might be securing user management, where your cloud service provider makes tools available for you to securely manage your use of the service. Management interfaces and procedures are a vital part of the security barrier, preventing unauthorised access to, and alteration of, the customer's resources, applications and data. Security isn't just about attackers and misuse; it can just as easily be about mistakes and human error.
Another principle might be operational security, which looks at operating and managing the service so that you impede, detect or prevent attacks, but in a way that isn't complicated, time-consuming or expensive.
4. Understand the level of assurance offered
Different cloud service providers offer various levels of assurance: some just tell you what they're doing, others provide a certificate which proves what they do, and some provide evidence of regular testing to assure you that their security measures work. It's for you to decide whether this is enough reassurance. Ultimately, do you need to bring in an independent third-party assessor to give you their view? It's all about understanding what your requirements are and what you're going to put into this cloud service that needs to be secure.
5. Identify additional mitigations to apply
You have moved relevant workloads to the cloud, so what next? Note that the answer here should never be "nothing". You should always have a plan B. At this stage, you need to consider any additional measures your organisation can apply to help reduce the risk to your applications and data, whether or not that risk results from their handling by the cloud service.
You need to ensure that the service provider you are trusting with your precious information has a business continuity plan and disaster recovery in place. You can't rest on your laurels and assume these things won't happen to you. It's not a question of if, it's when, and you need to make sure you're ready and prepared.
6. Consider residual risks
Considering all the above points, if you still feel that there are some remaining risks, you need to decide whether you and your organisation can accept the potential outcome if they materialise. If you can't, you need to stop this process, start again and work out how to address these risks. If you decide to go ahead, don't forget about the need for continuous risk awareness. The need for security never goes away. You need to make sure that it works, and continues to work, at all times.
7. Continue to monitor and manage the risks
Regularly review the service and make sure it still meets your business and security needs. Don't just put this process in place, forget about it and expect it to carry on working perfectly. Things degrade, situations change, and new ways of attacking systems crop up all the time.
Make sure you keep reviewing how you are using cloud services and ask, "am I still secure?" If the cloud is something your organisation is going to depend on heavily, then it needs to be robust, and you need a recovery plan in place with a service provider that you trust.
If you're at the stage in your cloud journey where you're assessing security, or you're mindful that this is on your tick list of things to do before moving to the cloud, get in touch with us and let us talk you through the 7 steps of security.