Creating Cloud Security Policies that Work | The State of Security

There are many complex explanations out there that aim to answer the question: Why do I need a cloud security policy? Here’s a simplified answer in four bullet points:   

• Businesses derive many benefits from cloud computing.
• However, doing so comes with certain vulnerabilities.
• Criminals are always looking to exploit those vulnerabilities.
• When they succeed, the result can be anywhere from annoying to disruptive to devastating.

Perhaps the most important reason to implement and update cloud security policies for your organization is connected to a central tenet of cloud security known as the “shared responsibility model.”

Operationally speaking, security is broken into two components:

• Security “of” the cloud
• Security “in” the cloud

Security “of” the cloud

Cloud service providers (CSPs) are responsible for this. As explained in this article on the shared responsibility model: “CSPs have the responsibility to ensure that their infrastructure is free from vulnerabilities. They’re also responsible for the physical security of the cloud service and ensuring that unauthorized physical access to the hardware or software is prevented, as well as disaster and incident response.” And doing so doesn’t come cheap. Microsoft reportedly spends over $1 billion each year on security protections, including research and development.  

Security “in” the cloud

This is your responsibility. OK, perhaps not you personally, but definitely your organization. According to an informative Wall Street Journal article, “Gartner Inc. estimates that up to 95% of cloud breaches occur due to human errors such as configuration mistakes, and the research firm expects this trend to continue.”

Connecting with a cloud security provider has many advantages, but can also be an extremely complex proposition. According to the article “Human Error Often the Culprit in Cloud Data Breaches,” Amazon Web Services has a 130-page instruction guide for how to operate Amazon Simple Storage Service (Amazon S3). The cloud user’s responsibility necessitates ongoing vigilance around password security, internal and external sharing of data, third-party access and much more. For many companies and organizations, cloud security also comes with regulatory requirements (for example: information access rules set forth HIPAA, GDPR, Sarbanes-Oxley, etc.).  

How to Create a Cloud Security Policy

For obvious reasons, creating a cloud security policy is an extremely complex undertaking. This is not a situation where you task the new guy in IT with whipping something together by end of day Friday. You’ll need to engage senior leadership, IT leadership and perhaps even outside consulting firepower to create a comprehensive policy that truly protects your organization from risk.

Here is an overview of some of the key elements of creating a cloud security policy from TechTarget:

• Seek approval from senior leadership to develop a cloud security policy.
• Establish a project plan and goals for the project.
• Select a team with the right people to draft the policy.
• Work with management while drafting the policy to make sure you are covering all the important issues.
• Consult with your legal team and human resources throughout the writing process. Make sure they review the policy and offer constructive feedback.
• Ask for an internal or IT review of the policy.
• Before submitting it for senior leadership approval, make sure everyone who should see the policy has read it and provided necessary feedback.
• Submit the policy to senior leadership and secure their approval.
• Once approved, distribute the policy to employees.
• Determine a review policy review process.
• Schedule annual reviews of the policy to ensure it’s up to date.

Global IT services provider PhoenixNAP offers a simplified look at several key aspects that must be addressed in a cloud security policy. These include:

• Data types that can and cannot move to the cloud
• How teams address the risks for each data type
• Who makes decisions about shifting workloads to the cloud
• Who is authorized to access or migrate the data
• Regulation terms and current compliance status
• Proper responses to threats, hacking attempts and data breaches
• Rules surrounding risk prioritization

Here are a couple of other helpful resources when it comes to developing an effective cloud security policy:

Cloud Security Policy | Top Takeaways

Digital Guardian provides a list of 50 cloud-based security tips. We’ve curated a few of the most useful ones to help with your cloud security policy journey:

• Limit and protect attack surfaces.
• Focus on your most sensitive data.
• Build ‘security-first’ into your overall cloud strategy.
• Know what’s covered in your security solution.
• Provide training within your organization.
• Protect against employee mishaps, mistakes and misbehavior.
• Stay up to date on the latest security challenges.

Finally, being transparent about your rigorous cloud security policies and protocols can be important in providing added peace of mind to customers or other organizations with which you do business.

About the Author: Michelle Moore, Ph.D., is academic director and professor of practice for the University of San Diego’s innovative online Master of Science in Cyber Security Operations and Leadership program. She is also a researcher and author with over two decades of private-sector and government experience as a cybersecurity expert.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.