7 Steps to Developing a Cloud Security Plan

By David Grimes, Chief Technology Officer, NaviSite

In IT, the easiest way to stop a new technology or solution from being implemented is to raise a security red flag. As soon as someone mentions concerns around a new IT solution not being “secure” the project can come to a screeching halt. So as cloud infrastructure and cloud computing has begun to enter enterprise IT conversations, concerns around the security of cloud quickly became the biggest barrier to adoption.

Just like security for any other technology solution being used – past, present, or future – creating a security strategy and plan must be one of the first considerations for enterprise IT organizations. And while partnering with a service provider with strong security procedures and services in cloud computing is an important step, enterprises need to continue to take an active role in their own security and risk management. With that in mind, NaviSite has compiled 7 basic steps based on our experiences helping hundreds of companies secure enterprise resources. By following these steps any business can rely on a proven methodology for cost-effectively and securely leveraging cloud services and gain the cost and business advantages of cloud services without compromising the security of enterprise applications.

1. Review Your Business Goals: It is important that any cloud security plan begins with the basic understanding of your specific business goals. Security is not a one-size-fits all proposition and should focus on enabling – technologies, processes, and people. Additionally gaining executive input is not only essential to ensure that assets are protected with the proper safeguards, but also to ensure that all parties understand the strategic goals.
2. Maintain a Risk Management Program: Develop and maintain a risk management program centrally, and view it holistically. An effective cloud computing risk management program is important for reducing overall risk to the organization. It is also key for prioritizing the utilization of resources and for providing the business with a long-term strategy.
3. Create a Security Plan that Supports Your Business Goals: Develop goals with measurable results that are consistent with providing support for the growth and stability of the company. These goals should include – specification date for completion, verification of achievement, and a measurable expected result. Security professionals are encouraged to regularly conduct careful analysis to develop responsible programs and build in the necessary controls and auditing capabilities to mitigate threats and maintain a reasonable security program that protects organizational assets.
4. Establish Corporate Wide Support: Gain the approval of your cloud computing security plan from not only executive management but also the general workforce. Organizations need to establish levels of security that meet business goals and comply with regulatory requirements and risk management policies, but that can be centrally managed and conveniently implemented across the organization with minimal negative impact to productivity. Gaining this acceptance streamlines adoption throughout the organization.
5. Create Security Policies, Procedures With input from a variety of business units establish a set of guidelines to ensure that all compliance measures are identified. Cloud services are a major advantage for growing organizations that have not yet embedded established policies and procedures into the company. The enterprise can rely on the best practices the service provider has developed over years of experience in similar environments.
6. Audit and Review Often: Review the security plan on a regular basis, report on achievements of goals, and audit the compliance of the organization to the security policies and procedures. Understanding the auditing requirements for your business and the frequency of your audits is essential not only for ensuring compliance but also for maintaining best practices for securing enterprise resources.
7. Continuously Improve: Annually review your cloud computing security plan with senior management and your cloud services provider. Many companies believe that once they have solid policies and procedures in place they do not need to revisit them—but your industry and your business will change over time, and the technology available to support your security plan will evolve. Understanding the dynamic nature of your business and constantly evaluating your security requirements are the foundation for implementing a successful continuous improvement strategy.

Cloud computing provides compelling cost and strategic benefits, including: scalability with reduced capital expenditure; more efficient use of IT resources; and the ability for an organization to focus on their core competency. Many well established security technologies and procedures can be applied to cloud computing to provide enterprise-class security. The steps outlined above will help organizations structure security and compliance programs to take advantage of the economic advantages of managed cloud services while meeting organizational security and compliance objectives.

Properly managed cloud infrastructure provides better security than most enterprise data centers, applications, and IT infrastructure. It allows companies to more efficiently deploy scarce technical personnel. Obviously, enterprise security should not be taken lightly, including cloud security, but it also doesn’t have to be a major roadblock either. These seven steps are meant to serve as a framework to guide companies as they develop a secure cloud-computing plan. For the complete checklist of the above seven steps download the white paper titled 7 Steps to Developing a Cloud Security Plan.