June 22, 2016

Developing Security Policies That Incorporate SaaS

By Jennifer Klostermann

Developing Security Policies

Implementing cloud computing services and technology means, to most, employing the latest solutions available, taking advantage of high-quality services that would be unaffordable in an on-premise situation, and benefiting from the skills and expertise required to ensure responsible compliance and absolute security. Although it is possible to find these complete solutions, business leaders should be aware that all cloud service providers are not alike. Notably, the development and execution of cloud security policies should be dealt with in-house as enterprises rely more and more on cloud storage, and data privacy and security concerns mount.

Implementing a Cloud Security Policy

Although security professionals often don’t advocate a move to the cloud, the benefits it provides for business transformation and performance, agility, and cost savings has made the action indubitable. However, most organizations aren’t moving all of their data to the public cloud, and connections with cloud services change repeatedly. When developing security policies, internal infrastructure is typically considered, but the security of cloud networks and storage should also be defined. Because cloud Service Providers aren’t always transparent around their own security, organizations need in-house cloud security policies which define the type of data that can move to the cloud, and tackle the associated risks. Defining who has decision-making capabilities around data transfers and who can access data across various applications is the first step of a cloud risk assessment.

When developing a cloud security policy, it’s important to have proper organizational support in place, ensuring it will be accepted and enforced by the entire business. Operators authorized to sign off cloud projects must be appointed, and an explicit approval and review of procurement workflow established. Once the framework is in place, address data type classifications and sensitivity, considering what can and cannot be done for data categories including customer and employee information, financial and accounting records, structured and unstructured data, etcetera. Finally, confirm your cloud security policy is compliant with internal policies, data security laws, privacy regulations, and Government directives. Specifically detailing these obligations can help align your cloud security policy with other controls.

Security Questions for Cloud Service Providers

Jamie-Tischart

Cloud service providers aren’t required to provide their clients with the minutiae of their security controls, and so businesses are forced to put a certain amount of faith in their chosen providers. Although SLAs and contracts provide some power, it’s difficult to make any changes to these documents. Of course, the larger and respected cloud providers will customarily have a better handle on security than the average organization; this, however, does not mean it should be left entirely in their hands.

Jamie Tischart, CTO for cloud/security as a service, Intel, proposes some significant questions organizations should be asking their cloud service providers. It’s important not to assume anything is or isn’t provided, and find out for yourself how your cloud service provider handles data security and privacy through in-depth reviews of terms and conditions, and additional discussions after that.

Before settling on a service, find out:

  • Who has access to my data, both physically and virtually?
  • Does the cloud service provider outsource any data storage?
  • How does the cloud service provider handle legal requests for data review?
  • How and when is data deleted?
  • How is my data isolated from the data of other customers?
  • What certifications or third-party audits are performed on the service?
  • How is data kept private?
  • For how long is data retained?
  • What data encryption protocols are employed?
  • Where is data stored?
  • Is data transmitted to other external or internal entities?
  • What is the backup frequency?
  • What is the recovery time from failure?

These questions provide a strong foundation, but be sure to ask for clarification should anything be vague or appear risky. Too many organizations are obliviously trusting of the experts they engage with; understanding security processes and requirements fosters a safer business environment that benefits us all.

By Jennifer Klostermann

Jennifer Klostermann

Jennifer Klostermann is an experienced writer with a Bachelor of Arts degree majoring in writing and performance arts. She has studied further in both the design and mechanical engineering fields, and worked in a variety of areas including market research, business and IT management, and engineering. An avid technophile, Jen is intrigued by all the latest innovations and trending advances, and is happiest immersed in technology.
Lex Hegt

How Can Organizations Effectively Monitor and Analyze Their Azure Billing Data?

Monitor and Analyze Azure Billing Data With the ever-increasing investments in Azure, many organizations struggle [...]
Read more
Frank Suglia

Forecasting Cloud Trends in 2024

The past few years have rapidly accelerated cloud adoption and impacted the overall IT landscape. [...]
Read more
Bright Data

10 Leading Proxy Services: Enhancing Your Online Security and Privacy

10 Leading Proxy Services In the realm of digital technology, proxies emerge as critical tools, [...]
Read more
Gary Bernstein

8 Benefits of Choosing VPS Hosting

Benefits of VPS Hosting Businesses are faced with several decisions when considering how to host [...]
Read more
Craig Lowell

Scaling Smart: Planning Strategically for Cloud Expansion

Scaling Strategically As cloud spending continues to surge, managing and forecasting costs has become a [...]
Read more
Randy

2024 Cloud Security Trends: Navigating the Evolving Landscape of Protection and Backup

2024 Cloud Security Trends Cloud protection and backup trends in 2024 are evolving rapidly, influenced [...]
Read more

SPONSOR PARTNER

Explore top-tier education with exclusive savings on online courses from MIT, Oxford, and Harvard through our e-learning sponsor. Elevate your career with world-class knowledge. Start now!
© 2024 CloudTweaks. All rights reserved.