Creating your first cloud policy

While cloud-based services can help you reduce time to market, increase availability and ease management, challenges include loss of control, understanding risks and gaps in the cloud provider’s environment, and maintaining compliance with financial, healthcare and other regulations that apply to your business.

While cloud-based services can help you reduce time to market, increase availability and ease management, challenges include loss of control, understanding risks and gaps in the cloud provider’s environment, and maintaining compliance with financial, healthcare and other regulations that apply to your business.

To reduce the risk of putting information in the cloud, create a written policy based on answers to several key questions. The policy you create doesn’t have to be long-winded and account for every possibility you can imagine.  In fact, a well written and thoughtful policy document may only require a handful of pages to provide the information your staff needs to navigate what happens in the cloud.

An example of the section headings for your initial cloud policy might be:

• Goal \ Mission Statement

• Data Classification

• Scope

• Responsibilities

• Policy

The first questions to ask are what do you want to move to the cloud and why. The ‘what’ is typically a software application your company has created that your employees or customers use, data that your company gathers or creates, or some type of business function such as payroll, accounting, or human resource management.

The ‘why’ can range from lower CAPEX or OPEX , increased availability, better automation of business processes, or creation of a backup or disaster recovery. Use these answers to write a 1-2 sentence goal or mission-statement for your policy that defines your clear, compelling reasons for using a cloud.

After you have charted the ‘what’ and ‘why’ for the cloud, examine and classify the type and sensitivity of the data that will flow into and out of your applications. As you work through this classification process, talk to your developers, your HR staff, your accountants, your sales team or any other personnel that may have insight into or be a consumer of the particular application headed to the cloud. Seek to understand what type of data is expected to go in and what type of information will come out and create a classification policy that suits the level of detail you need.

For example, you may classify all your data as Protected, Sensitive or Public. You could state that putting Protected data into the cloud-based HR application requires Department Manager and Executive approval. Moving Sensitive data in might only require Department Manager approval and Public data requires no special approval.

If at any point the flow of data will contain personally identifiable information (PII), credit card numbers, data covered under HIPAA, confidential corporate data or any other sensitive or regulated data, you should include additional criteria when evaluating your cloud provider. The additional criteria will be specific to your data type, but the common thread is that you will need to review all of the documentation related to the cloud provider’s security program and controls.

Many cloud providers make claims about having PCI-compliant or HIPAA-compliant cloud architecture, but then leave little in the way of explanation about the controls they employ to create and maintain the security.

Some questions you may ask include:

• How and where they encrypt data at rest and data in motion

• How they manage encryption keys including the frequency of key rotation

• How do they vet employees who will have physical access to the network and compute infrastructure that hosts your application

• Do they undergo 3rd party audits to validate their controls

• What security features are and are not included in their boilerplate SLA

• What are their notification policies and procedures after a security event – and what constitutes security event

• Are backups of my data moved offsite and are they encrypted

• To what geographic locations is it possible for my data to move

• How do they securely delete or destroy my data when requested

Cloud providers that have difficulty answering these questions, are unwilling to put answers in writing or are evasive or unclear when answering may lack a reasonable security focus.

After gathering this information, start writing the scope of your cloud policy. Here you can detail acceptable cloud providers, applications, data or services that can be moved into the cloud, to whom this policy applies and what legal and contractual agreements will govern the policy. If you have an existing Acceptable Use Policy or Information Technology Policy you can communicate that those rules still apply.

Your objective in defining responsibilities is to clearly define who owns the various operational aspects of your cloud-based applications. Clarify who, either by name or role, owns the responsibility for performing certain necessary activities. For example, spell out the roles or parties that may:

• Sign a Service Level Agreement with a cloud provider

• Administer security or performance settings with the cloud provider

• Classify data

• Create or change cloud user and admin accounts

• Create or perform backups of cloud data

• Make changes to your Cloud Policy document

• Terminate an agreement with a cloud provider

Finally, create the policy statements themselves. One way to start is to think how you want your employees to use the cloud and write down the common sense ideas that come to mind. Concepts like not saving corporate or client data from the cloud to a personal computing device, not transmitting protected or sensitive data to or from the cloud without encryption, and not sharing your cloud user account password may seem obvious, but state them anyway.

If you already have an Acceptable Use Policy (AUP), you may borrow from that and adapt the statements to reflect the unique nature of using the cloud. If you have identified the cloud providers you are going to use, reference their AUP and use the same or similar language in your policy.

This accomplishes two goals by helping you create your policy and making sure your policy is in alignment with your cloud provider so as not to run afoul of their guidelines. Finally, look to what other organizations have published and what standards bodies like the Cloud Security Alliance (CSA), National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO), and other organizations that create cloud security policies and guidelines have written.

Once you have put down on paper this first basic cloud policy, pass it around to your peers, department heads and other people in your organization who might have some input. After all the feedback has been reviewed, complete a final policy, publish it and make sure everyone reads and accepts it.

As you begin your operations in the cloud, take what you learn and incorporate the refinements in future policy revisions on a regular basis. The better you define your cloud policy, the better everyone will understand how to leverage the cloud and reduce the risk to your organization.

Hazdra is a principal security consultant at Neohapsis, and a seasoned security professional with CISSP and CCSK certifications and extensive experience spanning nearly all areas of security. He has deep domain expertise securing virtualized environments and public & private clouds, and is an active member of the CSA SME council, as well as expertise and certifications in design, implementation and securing of datacenters, IP telephony and other security infrastructure and services.  Hazdra previously served as Chief Security Officer (CSO) of Canopy Financial, a PCI Type 1 Merchant and poster-child for having virtualized nearly 100% of its datacenter successfully, and was Sr. Security and Compliance Specialist at VMware.

From CSO: 7 security mistakes people make with their mobile device
Join the discussion
Be the first to comment on this article. Our Commenting Policies