
Creating your first cloud policy

By Scott Hazdra, principal security consultant, Neohapsis, special to Network World
August 23, 2013 05:08 PM ET

Network World - While cloud-based services can help you reduce time to market, increase availability and ease management, challenges include loss of control, understanding risks and gaps in the cloud provider’s environment, and maintaining compliance with financial, healthcare and other regulations that apply to your business.

To reduce the risk of putting information in the cloud, create a written policy based on answers to several key questions. The policy you create doesn’t have to be long-winded or account for every possibility you can imagine. In fact, a well-written and thoughtful policy document may need only a handful of pages to give your staff the information they need to navigate what happens in the cloud.

An example of the section headings for your initial cloud policy might be:
• Goal / Mission Statement
• Data Classification
• Scope
• Responsibilities
• Policy

The first questions to ask are what you want to move to the cloud and why. The ‘what’ is typically a software application your company has created that your employees or customers use, data that your company gathers or creates, or some type of business function such as payroll, accounting, or human resource management.

The ‘why’ can range from lower CAPEX or OPEX to increased availability, better automation of business processes, or the creation of a backup or disaster recovery capability. Use these answers to write a one- or two-sentence goal or mission statement for your policy that defines your clear, compelling reasons for using the cloud.

After you have charted the ‘what’ and ‘why’ for the cloud, examine and classify the type and sensitivity of the data that will flow into and out of your applications. As you work through this classification process, talk to your developers, your HR staff, your accountants, your sales team or any other personnel that may have insight into or be a consumer of the particular application headed to the cloud. Seek to understand what type of data is expected to go in and what type of information will come out and create a classification policy that suits the level of detail you need.

For example, you may classify all your data as Protected, Sensitive or Public. You could state that putting Protected data into the cloud-based HR application requires Department Manager and Executive approval. Moving Sensitive data in might only require Department Manager approval and Public data requires no special approval.

If at any point the flow of data will contain personally identifiable information (PII), credit card numbers, data covered under HIPAA, confidential corporate data or any other sensitive or regulated data, you should include additional criteria when evaluating your cloud provider. The additional criteria will be specific to your data type, but the common thread is that you will need to review all of the documentation related to the cloud provider’s security program and controls.

Many cloud providers make claims about having PCI-compliant or HIPAA-compliant cloud architecture, but then leave little in the way of explanation about the controls they employ to create and maintain the security.
