The first reason most IT professionals say they are interested in a private cloud solution rather than a public cloud solution is security. Ironically, diligent security is often the last item on the checklist for many organizations when building a private cloud solution. To help IT professionals secure their private cloud installations, Logicalis, an international IT solutions and managed services provider, has created a best practices approach to cloud security.
“Unless an organization is in a regulated industry that is required to provide proof of security – such as PCI, HIPAA, FISMA or ITAR – the level of security in many data centers today could be characterized as ‘not so much,’” laments Von Williams, director of information security for Logicalis.
“A security initiative needs to be a detailed, disciplined process, but it doesn’t have to be overwhelming,” says Williams. “But you do have to have a security policy to apply in the first place.” A best practices approach to upgrading or creating a security policy that is appropriate for most organizations focuses on five basic security components. These five steps form the path for a solid security policy: risk assessment, data ownership, data classification, auditing and monitoring, and incident response.
Williams suggests IT pros ask the following questions while developing their private cloud security policy to help defend their organizations from hackers as well as inadvertent access to confidential data.
This seems like an odd question; the answer would seem to be an automatic “None.” However, considering this question and then developing corporate security policies around the answers will help identify the security and privacy requirements necessary to ensure compliance with applicable federal and state regulations as well as industry requirements. Developing risk management policies in this way replaces ambiguity with certainty about data security and privacy.
This question helps decide the “local data sheriffs” for an organization. Why is this necessary? Because each data owner, usually someone within a specific business unit, decides the classification of the data to be maintained and is then responsible for granting user access to the data.
Not all data is created equal. That is, not all data requires the same level of security. Typically, data is classified using three categories – private, confidential or public. Data can fall under more than one category – a spreadsheet with salary information might be private to the company and confidential so only HR employees and supervisors may view it. A data classification established by the data owner clears up any mystery about access.
This is generally accomplished with a security information and event management (SIEM) system that records successful and failed login attempts on key systems, configuration changes and other system activity. A SIEM correlates logs from multiple security systems and helps reconstruct the chain of events that led to a security breach or incident.
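The correlation a SIEM performs is easier to see on concrete input. The following is an added example written for this page, not code from Logicalis or any SIEM product: it runs a simple rule over a handful of constructed, syslog-like log lines (the hosts, users, field names and thresholds are all hypothetical), flags a successful login that follows a burst of failed attempts from the same source, attaches any configuration change the same account made shortly afterwards, and reconstructs the ordered event trail for that account.

```python
"""Toy SIEM-style correlation over constructed log lines (added example, not from the page)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs in a simplified key=value format; hosts, users and sources are hypothetical.
SAMPLE_LOGS = """\
2024-03-01T09:00:01 host=vm-01 type=login user=alice result=fail src=10.0.0.5
2024-03-01T09:00:03 host=vm-01 type=login user=alice result=fail src=10.0.0.5
2024-03-01T09:00:05 host=vm-01 type=login user=alice result=fail src=10.0.0.5
2024-03-01T09:00:07 host=vm-01 type=login user=alice result=fail src=10.0.0.5
2024-03-01T09:00:09 host=vm-01 type=login user=alice result=success src=10.0.0.5
2024-03-01T09:02:30 host=vm-01 type=config_change user=alice detail=sudoers_edited
2024-03-01T09:05:00 host=vm-02 type=login user=bob result=success src=10.0.0.9
2024-03-01T09:06:00 host=vm-02 type=config_change user=bob detail=fw_rule_added
"""

FAIL_THRESHOLD = 3                   # failed logins needed before a success is suspicious
FAIL_WINDOW = timedelta(minutes=5)   # failures must fall within this window before the success
CHANGE_WINDOW = timedelta(minutes=10)  # config changes this soon after the login are attached


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts, *kvs = line.split()
    ev = dict(kv.split("=", 1) for kv in kvs)
    ev["ts"] = datetime.fromisoformat(ts)
    return ev


def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_suspicious_logins(events):
    """Return success events preceded by >= FAIL_THRESHOLD failures (same user/host/src) within FAIL_WINDOW."""
    fails = defaultdict(list)  # (user, host, src) -> timestamps of failed logins
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("type") != "login":
            continue
        key = (ev["user"], ev["host"], ev.get("src"))
        if ev["result"] == "fail":
            fails[key].append(ev["ts"])
        else:
            recent = [t for t in fails[key] if ev["ts"] - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                hits.append(ev)
            fails[key].clear()  # a success resets the failure run for this key
    return hits


def correlate(events):
    """Build incidents: each suspicious login plus config changes by that user within CHANGE_WINDOW."""
    incidents = []
    for login in find_suspicious_logins(events):
        changes = [e for e in events
                   if e.get("type") == "config_change"
                   and e["user"] == login["user"]
                   and timedelta(0) <= e["ts"] - login["ts"] <= CHANGE_WINDOW]
        incidents.append({"user": login["user"], "host": login["host"],
                          "login_ts": login["ts"].isoformat(),
                          "changes": [c["detail"] for c in changes]})
    return incidents


def timeline(events, user):
    """Reconstruct the ordered event trail for one account, as an analyst would after an incident."""
    return [f'{e["ts"].isoformat()} {e["host"]} {e["type"]} {e.get("result", e.get("detail"))}'
            for e in sorted(events, key=lambda e: e["ts"]) if e.get("user") == user]


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    for inc in correlate(evs):
        print("INCIDENT", inc)
    print("\n".join(timeline(evs, "alice")))
```

On the constructed input, only alice's login is flagged (four failures in eight seconds, then a success, then a sudoers edit two and a half minutes later); bob's single clean login and firewall change produce no incident, which is the point of correlating the two event types rather than alerting on either one alone.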
Exactly what should be done in the case of a data security breach must be outlined in detail in a corporate incident response policy. The stronger the security and controls applied, the fewer incidents will require a reaction; weaker controls mean more incidents, each demanding a fast response. A detailed policy makes a quick response easier.