Developing Security Policies That Incorporate SaaS

Developing Security Policies

Implementing cloud computing services and technology means, to most, employing the latest solutions available, taking advantage of high-quality services that would be unaffordable in an on-premise situation, and benefiting from the skills and expertise required to ensure responsible compliance and absolute security. Although it is possible to find these complete solutions, business leaders should be aware that all cloud service providers are not alike. Notably, the development and execution of cloud security policies should be dealt with in-house as enterprises rely more and more on cloud storage, and data privacy and security concerns mount.

Implementing a Cloud Security Policy

Although security professionals often don’t advocate a move to the cloud, the benefits it provides for business transformation and performance, agility, and cost savings has made the action indubitable. However, most organizations aren’t moving all of their data to the public cloud, and connections with cloud services change repeatedly. When developing security policies, internal infrastructure is typically considered, but the security of cloud networks and storage should also be defined. Because cloud Service Providers aren’t always transparent around their own security, organizations need in-house cloud security policies which define the type of data that can move to the cloud, and tackle the associated risks. Defining who has decision-making capabilities around data transfers and who can access data across various applications is the first step of a cloud risk assessment.

When developing a cloud security policy, it’s important to have proper organizational support in place, ensuring it will be accepted and enforced by the entire business. Operators authorized to sign off cloud projects must be appointed, and an explicit approval and review of procurement workflow established. Once the framework is in place, address data type classifications and sensitivity, considering what can and cannot be done for data categories including customer and employee information, financial and accounting records, structured and unstructured data, etcetera. Finally, confirm your cloud security policy is compliant with internal policies, data security laws, privacy regulations, and Government directives. Specifically detailing these obligations can help align your cloud security policy with other controls.

Security Questions for Cloud Service Providers

Jamie-Tischart

Cloud service providers aren’t required to provide their clients with the minutiae of their security controls, and so businesses are forced to put a certain amount of faith in their chosen providers. Although SLAs and contracts provide some power, it’s difficult to make any changes to these documents. Of course, the larger and respected cloud providers will customarily have a better handle on security than the average organization; this, however, does not mean it should be left entirely in their hands.

Jamie Tischart, CTO for cloud/security as a service, Intel, proposes some significant questions organizations should be asking their cloud service providers. It’s important not to assume anything is or isn’t provided, and find out for yourself how your cloud service provider handles data security and privacy through in-depth reviews of terms and conditions, and additional discussions after that.

Before settling on a service, find out:

  • Who has access to my data, both physically and virtually?
  • Does the cloud service provider outsource any data storage?
  • How does the cloud service provider handle legal requests for data review?
  • How and when is data deleted?
  • How is my data isolated from the data of other customers?
  • What certifications or third-party audits are performed on the service?
  • How is data kept private?
  • For how long is data retained?
  • What data encryption protocols are employed?
  • Where is data stored?
  • Is data transmitted to other external or internal entities?
  • What is the backup frequency?
  • What is the recovery time from failure?

These questions provide a strong foundation, but be sure to ask for clarification should anything be vague or appear risky. Too many organizations are obliviously trusting of the experts they engage with; understanding security processes and requirements fosters a safer business environment that benefits us all.

By Jennifer Klostermann

Ajoy Krishnamoorthy

The Business Benefits of Mobile Expense Reporting

Mobile Expense Reporting Benefits Digital business management applications have been a game changer: transforming the ways businesses oversee day-to-day operations, add value to the bottom line, and compete in competitive markets. Cloud technology coupled with ...
Scott Leatherman

Beware the Perils of Blind Cloud Provisioning

The COVID-19 Rush to the Cloud Results in Steep Costs and Chaos For many companies, their data center capacity was not built for the instant tsunami-sized jolt of increased load caused by the global pandemic ...
Torsten

Five Ways to Secure Access to Web Workloads

Secure Access to Cloud Workloads Organizations are increasingly moving their workloads to the cloud to achieve greater agility, flexibility, and cost savings. That’s a major reason why worldwide spending on public cloud services and infrastructure ...
Ronald van Loon

How Continued Learning Can Help Data Scientists Solve Industry-Specific Challenges

Data scientists are, first and foremost, problem solvers. But new problems can’t always be solved with old tricks.Currently organizations in every industry are experiencing overwhelming challenges, many of them emerging from shifts to digital, the ...
Dental Teeth Iot

The Revolutionary Transformation In Digital Dentistry

Transformation In Digital Dentistry 3D printing has taken the field of Dentistry by storm. This additive manufacturing technology has gained enormous popularity due to its many advantages, especially the ability to produce highly personalized prosthesis ...
Shells.com – Your Personal Cloud Computer

Shells.com – Your Personal Cloud Computer

Personal Cloud Computer Shells, a robust virtual desktop infrastructure, ensures better performance by enabling its users to incorporate a layer of virtualization between the control server and any device that they choose. This way, it ...