Developing Security Policies That Incorporate SaaS

Developing Security Policies

Implementing cloud computing services and technology means, to most, employing the latest solutions available, taking advantage of high-quality services that would be unaffordable in an on-premise situation, and benefiting from the skills and expertise required to ensure responsible compliance and absolute security. Although it is possible to find these complete solutions, business leaders should be aware that all cloud service providers are not alike. Notably, the development and execution of cloud security policies should be dealt with in-house as enterprises rely more and more on cloud storage, and data privacy and security concerns mount.

Implementing a Cloud Security Policy

Although security professionals often don’t advocate a move to the cloud, the benefits it provides for business transformation and performance, agility, and cost savings has made the action indubitable. However, most organizations aren’t moving all of their data to the public cloud, and connections with cloud services change repeatedly. When developing security policies, internal infrastructure is typically considered, but the security of cloud networks and storage should also be defined. Because cloud Service Providers aren’t always transparent around their own security, organizations need in-house cloud security policies which define the type of data that can move to the cloud, and tackle the associated risks. Defining who has decision-making capabilities around data transfers and who can access data across various applications is the first step of a cloud risk assessment.

When developing a cloud security policy, it’s important to have proper organizational support in place, ensuring it will be accepted and enforced by the entire business. Operators authorized to sign off cloud projects must be appointed, and an explicit approval and review of procurement workflow established. Once the framework is in place, address data type classifications and sensitivity, considering what can and cannot be done for data categories including customer and employee information, financial and accounting records, structured and unstructured data, etcetera. Finally, confirm your cloud security policy is compliant with internal policies, data security laws, privacy regulations, and Government directives. Specifically detailing these obligations can help align your cloud security policy with other controls.

Security Questions for Cloud Service Providers

Jamie-Tischart

Cloud service providers aren’t required to provide their clients with the minutiae of their security controls, and so businesses are forced to put a certain amount of faith in their chosen providers. Although SLAs and contracts provide some power, it’s difficult to make any changes to these documents. Of course, the larger and respected cloud providers will customarily have a better handle on security than the average organization; this, however, does not mean it should be left entirely in their hands.

Jamie Tischart, CTO for cloud/security as a service, Intel, proposes some significant questions organizations should be asking their cloud service providers. It’s important not to assume anything is or isn’t provided, and find out for yourself how your cloud service provider handles data security and privacy through in-depth reviews of terms and conditions, and additional discussions after that.

Before settling on a service, find out:

  • Who has access to my data, both physically and virtually?
  • Does the cloud service provider outsource any data storage?
  • How does the cloud service provider handle legal requests for data review?
  • How and when is data deleted?
  • How is my data isolated from the data of other customers?
  • What certifications or third-party audits are performed on the service?
  • How is data kept private?
  • For how long is data retained?
  • What data encryption protocols are employed?
  • Where is data stored?
  • Is data transmitted to other external or internal entities?
  • What is the backup frequency?
  • What is the recovery time from failure?

These questions provide a strong foundation, but be sure to ask for clarification should anything be vague or appear risky. Too many organizations are obliviously trusting of the experts they engage with; understanding security processes and requirements fosters a safer business environment that benefits us all.

By Jennifer Klostermann

Mark Barrenechea

Security is Job 1: Machines vs. Machines

Digital is redefining cybercrime and cyberwarfare Cyberattacks today are multi-stage, hard to discover and highly targeted. Some security threats are accidental, stemming from unauthorized employee ...
Matt Holleran

Cloud marketplaces give startups a leg up – Part 2

Cloud Marketplaces In my last post, Cloud Platforms, Marketplaces, and Startups Part One, I examined the proliferation of partner ecosystems within the cloud software business, ...
Steve Prentice

Episode 5: How the Pandemic is Changing Business and the Cloud

An Interview with Ed Dryer of Steadfast With the global pandemic wreaking havoc on business and society, everything is changing. Ed Dryer, Senior Technology Strategist ...
Aruna Headshot

Top Four Predictions in 2020 for Unified Collaboration

Predictions in 2020 The year 2020 promises to usher in significant new developments in collaboration and communication. It’s part of an unending climb, moving higher ...
Trust Report

Profit-Driving Strategies for 2020, Backed by Data

Profit-Driving Strategies Since 2019 is coming to a close, the time has come for businesses to evaluate what they can do to propel profits in ...