Last year, the UK government’s Cabinet Office outlined what constitutes ‘Cloud security principles’ in a guidance document published on 14th August 2014.
These principles involve the protection of data in transit, asset protection such as customer data, a need to create some level of separation between customers in order to ensure that a compromised customer account won’t affect the service or the data of another customer, the need to develop a governance framework, and the screening of Managed Service Provider (MSP) or Cloud Service Provider (CSP) staff, to name a few areas.
Cloud security is such a burning issue because data is the gold and the oil of any modern organisation. Enterprises large and small need to think about how they can prevent hackers from compromising their Cloud services. Yet not all attacks occur from outside of an organisation. Sometimes they start from within an organisation or from within a service provider. But so long as a security audit is undertaken and Cloud security principles are put in place, a Cloud environment can be as secure and in many cases even more secure than your internal IT.
Cloud security compliance
There is no need for organisations to develop their own Cloud security principles from scratch as there are well documented best practices, such as the Cabinet Office’s guidance document. However, the level at which Cloud security needs to be applied varies according to the legal obligations and regulatory frameworks that apply to different vertical industries.
The key standard that most industrial sectors have to comply with is known as ISO 27001 (ISO/IEC 27001:2013): “Using this family of standards will help your organisation manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties”, says the International Standards Organisation’s website. There is also ISO/IEC 27002 (ISO/IEC 27018:2014) to consider.
Some of the standards aren’t restricted to Cloud security principles. The interconnectedness of Cloud computing means that they often concern an organisation’s entire IT system. So, yes, it’s vital to find a Managed Service Provider or a Cloud Service Provider that has all of the right cloud credentials, but the weakest link could be your own internal IT. It needs to meet the very same standards that MSPs and CSPs have to comply with.
Following best practice
As well as the International Standards Organisation (ISO) there are a number of entities that are working to help enterprises to develop and implement Cloud security best practices. For example, there is the Cloud Security Alliance (CSA) which publishes a top Cloud security threats report. National and international organisations like the CSA, and specific sector-related industry bodies, can help you to keep informed about the latest legal requirements and industry regulations. This will enable you to know what constitutes best practice, and how it should be applied.
Standard operating system
The starting point is a Standard Operating Environment (SOE). Organisations with a SOE have a repeatable process for implementing secure and optimised Linux system builds across their entire IT estate, whether in-house, physical, virtual, hybrid or Cloud.
An SOE needs a good management platform (SOEMP) to enforce good practice. Using SOEMP technologies such as Red Hat’s Satellite Server and Puppet, system administrators have the power to actively manage the SOE and ensure its security.
For many organisations the answer is to use a Managed Services Provider that follows Cloud security principles provided by ISO/IEC 27001:2013. A service provider will have access to the best management tools and will have staff very familiar with deploying them consistently and thoroughly. Most crucially, such a provider is removed from the everyday commercial pressures and career worries within the enterprise that sometimes conflict with best security practice.
- Ensure you’re using a Managed Services Provider.
- Check that you are following guidance provided by ISO/IEC 27001:2013 and other relevant standards and regulations to your industry.
- To keep data safe, you need the best management tools.
- Read the Cabinet Office’s document on cloud security principles as a blueprint for ensuring your cloud systems and Cloud services remain secure.
- Work with an MSP or a CSP to ensure that your own internal systems aren’t the weakest link in the Cloud security chain.