Yesterday I wrote about how the cloud can be a prime target for hackers. Today, I continue my conversation with David Canellos, CEO of cloud security company PerspecSys, to discuss what security issues companies should consider before and after their migration to the cloud.
I asked Canellos what steps a company should take before the migration to the cloud to keep data safe and secure. He said the first and possibly most important step is to learn about the options that are out there. He told me:
We have seen that since SaaS applications are so easy to purchase with a credit card, many IT organizations do not have a clear picture of how many seats of various cloud applications are truly being used within their enterprises. The next step is to determine what information is being stored and processed in these clouds and put the right data protection model in place to ensure sensitive and private information is being properly safeguarded.
In a similar fashion, he added, for new areas where cloud-based solutions are being considered, such as Customer Relationship Management (CRM) or Human Capital Management (HCM), CIOs should work closely with their security and legal teams to identify what legal and sector-specific compliance guidelines they need to follow in order to protect sensitive information.
CIOs also should research the market and industry to build out their own set of guidelines and best practices for their corporations. Canellos explained that these guidelines should include allocating certain types of information into sensitivity and privacy "classes" or "categories" and specifying policies on who should get access to certain types of information and how the information should be protected (encryption, tokenization, etc.).
From a policy perspective, data protection controls need to be in place in both pre- and post-cloud environments. Technically they'll differ, of course. But data must be tracked and accounted for from storage to transmission to processing and back to storage. There can't be any gaps in accountability and access control and monitoring needs to be in place. This is harder in cloud environments, especially when you consider that some data require higher levels of security than others, and access to data from outside the enterprise, say from partners or suppliers, has to be accounted for, too.
Canellos added that a best practice he is seeing, both in the cloud and in on-premise applications, is segregating data into categories based on sensitivity and privacy filters, with proactive data protection policies put in place for each of these categories.
Protecting data isn't an easy job, and as Canellos makes clear, security in the cloud requires a lot of effort before migration ever happens. The cloud can be safe if you are willing to do the legwork that good security requires.