Enterprise cloud computing has matured, moving beyond the “what” and the “how” to the “when.” Even so, security remains a major concern for organizations considering a move to the cloud. Fortunately, security services and tactics have also matured over the past few years, allowing more and more enterprises to migrate to the cloud.
A review of the enterprise security architecture is an absolute necessity in defining, monitoring and managing enterprise cloud deployments. This includes understanding the current security posture of IT assets, audit and compliance. It also forms the basis for creating security and compliance requirements for mainstream cloud adoption. In this slideshow, Madhavan Krishnan, of IT consulting firm Virtusa Corporation, identifies key security considerations that should be addressed when transitioning to the cloud.
Cloud Security Checklist
Seven security issues organizations should consider when deploying assets to the cloud, as identified by Madhavan Krishnan, Virtusa Corporation.
Data Residency Requirements
Organizations need to clearly identify and classify transactional and operational data residency requirements. This involves evaluating and evolving a cloud strategy that meets these requirements. A thorough evaluation has to include the cloud provider's (or providers') capability to ensure compliance with data residency needs.
Government/Industry Regulations
Industry and governmental standards such as HIPAA, EU Data Protection 2.0 regulations, PCI compliance and others require companies to adhere to strict standards when it comes to the handling of “sensitive” data, such as patient health records and user data. Thus, a cloud solution dealing with highly regulated data will need to include stringent design and governance to keep in line with regulations and legal mandates. Depending on the profile of the applications being considered for cloud migration, a detailed checklist of requirements should be developed and maintained to ensure compliance with laws and industry regulations.
Review Security Posture of IT Landscape
A thorough vulnerability assessment of cloud-deployed assets should be undertaken periodically to understand, assess and address potential vulnerabilities. IT assets are prone to new attacks and have to be constantly monitored for threats. Application penetration testing along with periodic vulnerability analysis is recommended. It is also recommended that assets with known vulnerabilities, such as those open to SQL injection, be protected with technology solutions such as Web application firewalls (WAF) until the vulnerabilities are fixed.
Cloud Service Provider SLAs and Accountability
Clearly defined roles, responsibility and accountability of all parties involved are basic requirements for managing a cloud deployment. Organizations may want to consider a cloud services broker (CSB), typically a systems integrator (SI), who can help stitch together specialized services into an integrated service, providing a single point of accountability. Without this arrangement, cloud deployments with multiple niche technology vendors could end up becoming a complex maze of services to manage.
Multi-Tenant Deployments
In a typical multi-tenant public cloud environment, an organization's virtual machines (VMs) can co-exist with VMs hosting other applications. This creates the potential threat of unintended inter-VM exposure. Security solutions should be designed to encrypt data so that it is secure at rest and while in transit.
Network Configurations and Potential Vulnerabilities
Since cloud services are used over the Internet, it is important to understand the network configuration and security configuration profiles of VMs, including the network traffic ports. Software-driven security configurations that manage network security are recommended to keep a close watch on network traffic for malware and threats.
Consistent User Management and Access Controls
Cloud-based infrastructures are accredited by industry standard organizations such as ISO to ensure consistent safeguards and protection for assets, data and users. Compliance with Cloud Data Center Security Standards ISO 27001 will ensure consistency of the processes followed by a cloud vendor and its employees.
User management remains a top concern in managing cloud deployments. Human interactions with systems happen at multiple levels despite increased automation. In both private and public clouds, administrators have privileges that can potentially give them access to systems and user data. User management systems should typically include establishing identity and access controls. User and system activity audit logs are a key requirement to ensure traceability.