Crafting a cloud security policy… are you asking the right questions?

Has your organization created a cloud security policy? Crafting one can be tricky. You have to be thinking about the right questions, and it’s a good idea to first determine what (and why) you’re moving certain information assets to the cloud. It’s also important to find a good fit in a cloud provider, one that understands your organization’s culture. Consulting with peers and reviewing existing cloud policies and standards is a helpful first step. And Neohapsis’ Scott Hazdra shares his advice about questions to ask:

  1. First, what do we want to put in the cloud? Data, applications, both? Based on this, you will be able to identify important criteria that will help lead you to determine the best cloud provider and also services required such as IaaS, PaaS or SaaS.
  2. Do we have a good data classification policy and procedure? And what type of data will we allow in the cloud: sensitive corporate data, data that should be privacy-protected per compliance regulations (PII, SSNs, etc.), day-to-day operational data? If you don’t already have a good data classification policy, create one so that you don’t end up inadvertently transmitting and storing the wrong data in a cloud environment.
  3. What existing policies do we have that may also apply to what we want to do in the cloud?
  4. What have others in our industry done that we can borrow from? This is a good way to learn what works, what doesn’t, and what unexpected issues can come up. Take a look at what standards bodies, like ISO, NIST or the CSA, have created as well to discover policy areas that you may not have considered.
  5. Who within our organization is allowed to enter into agreements with cloud providers? And who has the authority to negotiate SLAs? Be certain to involve those with the proper authority and approval levels.
  6. Finally, if you have just created your policy, allow the stakeholders in your organization to weigh in and comment on it.

If you follow these guidelines, you’ll be better prepared when the first packet of data moves from your servers and into your provider’s trusted cloud!

For more information and advice, see the full article in SecurityWeek: