Developing Security Policies That Incorporate SaaS

Developing Security Policies

Implementing cloud computing services and technology means, to most, employing the latest solutions available, taking advantage of high-quality services that would be unaffordable in an on-premise situation, and benefiting from the skills and expertise required to ensure responsible compliance and absolute security. Although it is possible to find these complete solutions, business leaders should be aware that all cloud service providers are not alike. Notably, the development and execution of cloud security policies should be dealt with in-house as enterprises rely more and more on cloud storage, and data privacy and security concerns mount.

Implementing a Cloud Security Policy

Although security professionals often don’t advocate a move to the cloud, the benefits it provides for business transformation and performance, agility, and cost savings has made the action indubitable. However, most organizations aren’t moving all of their data to the public cloud, and connections with cloud services change repeatedly. When developing security policies, internal infrastructure is typically considered, but the security of cloud networks and storage should also be defined. Because cloud Service Providers aren’t always transparent around their own security, organizations need in-house cloud security policies which define the type of data that can move to the cloud, and tackle the associated risks. Defining who has decision-making capabilities around data transfers and who can access data across various applications is the first step of a cloud risk assessment.

When developing a cloud security policy, it’s important to have proper organizational support in place, ensuring it will be accepted and enforced by the entire business. Operators authorized to sign off cloud projects must be appointed, and an explicit approval and review of procurement workflow established. Once the framework is in place, address data type classifications and sensitivity, considering what can and cannot be done for data categories including customer and employee information, financial and accounting records, structured and unstructured data, etcetera. Finally, confirm your cloud security policy is compliant with internal policies, data security laws, privacy regulations, and Government directives. Specifically detailing these obligations can help align your cloud security policy with other controls.

Security Questions for Cloud Service Providers

Jamie-Tischart

Cloud service providers aren’t required to provide their clients with the minutiae of their security controls, and so businesses are forced to put a certain amount of faith in their chosen providers. Although SLAs and contracts provide some power, it’s difficult to make any changes to these documents. Of course, the larger and respected cloud providers will customarily have a better handle on security than the average organization; this, however, does not mean it should be left entirely in their hands.

Jamie Tischart, CTO for cloud/security as a service, Intel, proposes some significant questions organizations should be asking their cloud service providers. It’s important not to assume anything is or isn’t provided, and find out for yourself how your cloud service provider handles data security and privacy through in-depth reviews of terms and conditions, and additional discussions after that.

Before settling on a service, find out:

  • Who has access to my data, both physically and virtually?
  • Does the cloud service provider outsource any data storage?
  • How does the cloud service provider handle legal requests for data review?
  • How and when is data deleted?
  • How is my data isolated from the data of other customers?
  • What certifications or third-party audits are performed on the service?
  • How is data kept private?
  • For how long is data retained?
  • What data encryption protocols are employed?
  • Where is data stored?
  • Is data transmitted to other external or internal entities?
  • What is the backup frequency?
  • What is the recovery time from failure?

These questions provide a strong foundation, but be sure to ask for clarification should anything be vague or appear risky. Too many organizations are obliviously trusting of the experts they engage with; understanding security processes and requirements fosters a safer business environment that benefits us all.

By Jennifer Klostermann

Jen Klostermann
The Fintech Landscape The Nitty Gritty Although the COVID-19 pandemic has highlighted its existence, most of us have been using fintech in some form or another for quite some time. It’s a big part of ...
Gary Bernstein
Managing Your Internal IT Your company's internal IT team is responsible for keeping things running smoothly, and they deserve all the support you can give them. Here are ten ways to make their lives easier ...
Dana Gardner
Low-code Development Has Entered a Maturity Spurt Closing the gap between the applications and services a company needs -- and the ones they can actually produce -- has long been a missing keystone for attaining ...
Derrek Schutman
Implementing Digital Capabilities Successfully Building robust digital capabilities can deliver huge benefits to Digital Service Providers (DSPs). A recent TMForum survey shows that building digital capabilities (including digitization of customer experience and operations), is the ...
David Dymko
Working with virtual machines and or Kubernetes A conversation with David Dymko, Director of Engineering for Cloud Native Development at Vultr.com If you work with virtual machines and or Kubernetes, and if you have some ...
  • Plural Site

    Pluralsite

    Pluralsight provides online courses on popular programming languages and developer tools. Other courses cover fields such as IT security best practices, server infrastructure, and virtualization.

  • Isc2

    ISC2

    (ISC)² provides IT training, certifications, and exams that run online, on your premises, or in classrooms. Self-study resources are available. You can also train groups of 10 or more of your employees. If you want a job in cybersecurity, this is the route to take.

  • App Academy

    App Academy

    Immersive software engineering programs. No experience required. Pay $0 until you're hired. Join an online info session to learn more

  • Cybrary

    Cybrary

    CYBRARY Open source Cyber Security learning. Free for everyone, forever. The world's largest cyber security community. Cybrary provides free IT training and paid IT certificates. Courses for beginners, intermediates, and advanced users are available.