After the previous article, I received many questions about ensuring security and compliance when using resources hosted with a public cloud services provider. To begin with, I will restate what I said previously: just because your cloud services provider is secure and compliant does not mean your organization is.
To start with, the approach to cloud security and compliance is very similar to the approach for on-premises infrastructure. The pitfalls are similar as well. It starts with being proactive instead of reactive. Security and compliance are not a list of checkboxes to be filled out; they must be included as part of the overall business strategy. Just like any other business plan, a security and compliance plan needs to contain an explanation of what the company does, what the risks are, an approach strategy broken down into tactical steps, an outline of the appropriate action items, and a timeframe for implementation.
What makes it more challenging with the cloud is properly classifying the data stored and processed in the various service offerings hosting different workloads. When the infrastructure is in-house, it is comparatively easy to control resource encryption, access control features, monitoring, and audit. In the cloud, it is not so easy, because we are reliant on the tools the provider makes available to secure and encrypt our workloads.
Securing cloud workloads starts with answering two questions:
1) What type of workloads is the organization using?
2) What data is on these workloads?
The workloads can be virtual servers hosted on a public platform, virtual servers hosted on a dedicated platform, or SaaS and PaaS offerings, such as SharePoint Online.
From the security standpoint, the data types revolve around what information is contained, i.e. personal data, financial data, or company data that is eyes-only/confidential.
The answers to these questions will drive which options are available to you and how you meet your compliance obligations.
Please bear in mind that different vendors take different approaches to the granularity of access they provide to the client. This is one of the reasons why what is being secured, and how it will need to be secured, must be reviewed at the early stages of the decision-making process. It can narrow down the field of available vendors considerably.
As always, feel free to reach out with any questions, suggestions and requests.