Creating Cloud Security Policies that Work

Image

Now that the ongoing worldwide trend toward “going digital” has been accelerated by COVID-19, taking extra precautions to protect your organization’s data, communications and information assets is more important than ever.

Of course, there are many traditional and emerging ways to protect and secure your business: 

• Employing cybersecurity analysts, auditors or specialists 
• Implementing a comprehensive communications archiving system 
• Considering cyber liability insurance   
• Building a culture of awareness and educating employees on common social engineering tactics used by criminals such as email phishing scams.

However, the chief focus of this discussion will be on protecting your organization by creating and implementing cloud security policies or by updating and fortifying existing ones.

This is essential because, as reported in CIO, nearly all enterprises (96%) use cloud computing in some capacity, with a strong majority (81%) now employing multi-cloud scenarios and strategies.

“Cloud security refers broadly to measures undertaken to protect digital assets and data stored online via cloud services providers,” says Investopedia, which notes that common threats to cloud security include “data breaches, data loss, account hijacking, service traffic hijacking, insecure application program interfaces (APIs), poor choice of cloud storage providers and shared technology that can compromise cloud security.”

Cloud Security Challenges & Concerns

The good news is that the major cloud computing providers (including the Big Three of Amazon, Google and Microsoft’s Azure) invest heavily in providing cloud security to their users. What is crucial to understand, however, is that even though cloud computing itself is considered to be relatively safe, significant risk does come into play in terms of how you, the user, implement safety protocols and precautions on your side of the cloud computing experience.

More on this in a moment, but first, here is a quick review from Cloud Security Alliance and Tripwire on some of the top cloud security challenges:

• Data breaches
• Inadequate change control
• Lack of cloud security architecture and strategy
• Hijacking of accounts
• Insider threats
• Abuse of cloud services
• Security architecture that can withstand cyber attacks
• Inadequate change control
• GDPR compliance
• Accountability
• Data ownership
• APIs

Why You Need a Cloud Security Policy

There are many complex explanations out there that aim to answer the question: Why do I need a cloud security policy? Here’s a simplified answer in four bullet points:   

• Businesses derive many benefits from cloud computing.
• However, doing so comes with certain vulnerabilities.
• Criminals are always looking to exploit those vulnerabilities.
• When they succeed, the result can be anywhere from annoying to disruptive to devastating.

Perhaps the most important reason to implement and update cloud security policies for your organization is connected to a central tenet of cloud security known as the “shared responsibility model.”

Operationally speaking, security is broken into two components:

• Security “of” the cloud
• Security “in” the cloud

Security “of” the cloud

Cloud service providers (CSPs) are responsible for this. As explained in this article on the shared responsibility model: “CSPs have the responsibility to ensure that their infrastructure is free from vulnerabilities. They’re also responsible for the physical security of the cloud service and ensuring that unauthorized physical access to the hardware or software is prevented, as well as disaster and incident response.” And doing so doesn’t come cheap. Microsoft reportedly spends over $1 billion each year on security protections, including research and development.  

Security “in” the cloud

This is your responsibility. OK, perhaps not you personally, but definitely your organization. According to an informative Wall Street Journal article, “Gartner Inc. estimates that up to 95% of cloud breaches occur due to human errors such as configuration mistakes, and the research firm expects this trend to continue.”

Connecting with a cloud security provider has many advantages, but can also be an extremely complex proposition. According to the article “Human Error Often the Culprit in Cloud Data Breaches,” Amazon Web Services has a 130-page instruction guide for how to operate Amazon Simple Storage Service (Amazon S3). The cloud user’s responsibility necessitates ongoing vigilance around password security, internal and external sharing of data, third-party access and much more. For many companies and organizations, cloud security also comes with regulatory requirements (for example: information access rules set forth HIPAA, GDPR, Sarbanes-Oxley, etc.).  

How to Create a Cloud Security Policy

For obvious reasons, creating a cloud security policy is an extremely complex undertaking. This is not a situation where you task the new guy in IT with whipping something together by end of day Friday. You’ll need to engage senior leadership, IT leadership and perhaps even outside consulting firepower to create a comprehensive policy that truly protects your organization from risk.

Here is an overview of some of the key elements of creating a cloud security policy from TechTarget:

• Seek approval from senior leadership to develop a cloud security policy.
• Establish a project plan and goals for the project.
• Select a team with the right people to draft the policy.
• Work with management while drafting the policy to make sure you are covering all the important issues.
• Consult with your legal team and human resources throughout the writing process. Make sure they review the policy and offer constructive feedback.
• Ask for an internal or IT review of the policy.
• Before submitting it for senior leadership approval, make sure everyone who should see the policy has read it and provided necessary feedback.
• Submit the policy to senior leadership and secure their approval.
• Once approved, distribute the policy to employees.
• Determine a review policy review process.
• Schedule annual reviews of the policy to ensure it’s up to date.

Global IT services provider PhoenixNAP offers a simplified look at several key aspects that must be addressed in a cloud security policy. These include:

• Data types that can and cannot move to the cloud
• How teams address the risks for each data type
• Who makes decisions about shifting workloads to the cloud
• Who is authorized to access or migrate the data
• Regulation terms and current compliance status
• Proper responses to threats, hacking attempts and data breaches
• Rules surrounding risk prioritization

Here are a couple of other helpful resources when it comes to developing an effective cloud security policy:

• “How to Create a Cloud Security Policy, Step by Step” — a helpful explainer piece from technology information provider TechTarget
• Essential Guide to Cloud Security — a comprehensive review of key terms and definitions, list of risks and threats, challenges, benefits, cloud security standards and best practices (plus a template) from Smartsheet

Cloud Security Policy | Top Takeaways

Digital Guardian provides a list of 50 cloud-based security tips. We’ve curated a few of the most useful ones to help with your cloud security policy journey:

• Limit and protect attack surfaces.
• Focus on your most sensitive data.
• Build ‘security-first’ into your overall cloud strategy.
• Know what's covered in your security solution.
• Provide training within your organization.
• Protect against employee mishaps, mistakes and misbehavior.
• Stay up to date on the latest security challenges.

Finally, being transparent about your rigorous cloud security policies and protocols can be important in providing added peace of mind to customers or other organizations with which you do business.

About the Author: Michelle Moore, Ph.D., is academic director and professor of practice for the University of San Diego’s innovative online Master of Science in Cyber Security Operations and Leadership program. She is also a researcher and author with over two decades of private-sector and government experience as a cybersecurity expert.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.