As you begin to move your company away from a physical infrastructure and into the cloud, it’s important to make sure that proper security policies are in place. While you may have a general information security policy, don’t think that absolves your organisation from the need for a specific cloud security policy. The dangers that come with using cloud software or infrastructure are markedly different from the typical security concerns encountered by most organisations.
The biggest risk for most cloud applications is a breach of the cloud provider’s security. There is no real way to create a policy averting this risk, so the ideal solution is to look at things from the perspective of risk management—all cloud providers need to be evaluated for risk, based on their history, the architecture they use, stated security measures in place, and the value or risk of data being stored on that cloud platform.
The second biggest risk for organisations is employee negligence and inappropriate cloud usage. Curbing this risk requires several steps. First is identifying a point person in your organisation, who will evaluate cloud services and approve or deny requests to use certain cloud providers. Next, employees need to be informed that they are not to use cloud services unless they have been vetted and approved by the point person. Finally, organisational data needs to be stratified by the level of security it requires, so that cloud services can be evaluated against each level. For example, while one service may be perfectly fine to temporarily store or transport low-security information, it might not be secure enough for high-security information. Employees must be made aware that using cloud services is a major risk, and that it is not to be done without authorisation.
All cloud policies should integrate a worst-case-scenario plan. This can include plenty of redundant backups in case the cloud service storing your data goes down. It should also include a communication plan to inform your clients and customers in the event of a security breach at your cloud service provider.
Cloud services can offer your business a lot of flexibility and significant savings, but unless they are approached in a methodical and cautious manner, they can result in significant risk. A good cloud service policy is the biggest step towards minimising this risk.
Chris Starsmeare, CEO Diversus Group