Crafting a cloud security policy… are you asking the right questions?

Has your organization created a cloud security policy? Crafting one can be tricky. You have to be thinking about the right questions, and it’s a good idea to first determine what (and why) you’re moving certain information assets to the cloud. It’s also important to find a good fit in a cloud provider, one that understands your organization’s culture. Consulting with peers and reviewing existing cloud policies and standards is a helpful first step. And Neohapsis’ Scott Hazdra shares his advice about questions to ask:

  1. First, what do we want to put in the cloud? Data, applications, both? Based on this, you will be able to identify important criteria that will help lead you to determine the best cloud provider and also services required such as IaaS, PaaS or SaaS.
  2. Do we have a good data classification policy and procedure? And what type of data will we allow in the cloud: sensitive corporate data, data that should be privacy-protected per compliance regulations (PII, SSNs, etc.), day-to-day operational data? If you don’t already have a good data classification policy, create one so that you don’t end up inadvertently transmitting and storing the wrong data in a cloud environment.
  3. What existing policies do we have that may also apply to what we want to do in the cloud?
  4. What have others in our industry done that we can borrow from? This is a good way to learn what works, what doesn’t, and what unexpected issues can come up. Take a look at what standards bodies, like ISO, NIST or the CSA, have created as well to discover policy areas that you may not have considered.
  5. Who within our organization is allowed to enter into agreements with cloud providers? And who has the authority to negotiate SLAs? Be certain to involve those with the proper authority and approval levels.
  6. Finally, if you have just created your policy, allow the stakeholders in your organization to weigh in and comment on it.

If you follow these guidelines, you’ll be better prepared when the first packet of data moves from your servers and into your provider’s trusted cloud!

For more information and advice, see the full article in SecurityWeek:

Infographic: The Future of Security Monitoring

Twitter, Apple, Facebook, and Microsoft are all household corporate brands, and they have something in common: They have all suffered data breaches.

As attacks make headlines daily, industry influencers seem to all be calling for security monitoring and forensics tools as the “end all, be all” for solving these types of issues and preventing future incidents. But sadly, monitoring tools like SIEMs catch maybe 50% of threats, best case scenario. Gartner says 85% of organizations are failing at early breach detection. Even the recent Verizon Data Breach Investigations Report found 66% of breaches are taking months or longer to be detected. HyTrust agrees, and has found the same or similar numbers in informal polling. In fact, Eric Chiu, president and founder of HyTrust, the cloud control company, says “Security monitoring tools such as SIEMs are broken — they’re slow, reactive and weak.”

It’s obvious a new approach is sorely needed. Chiu says Role-Based Monitoring (RBM) is the future of security monitoring, and shared the below infographic. Based on pre-defined user roles, RBM can detect and block threats in real-time. It alerts you when something outside the norm happens. For example, an attacker using an advanced persistent threat (APT) technique might hijack someone’s corporate “privilege” – in other words, their advantages, benefits, entitlements or rights based upon their role within the organization – in order to carry out their breach more effectively.

“RBM is the fastest, strongest and most certain method of identifying threats with 98% accuracy,” Chiu said. “It provides a deeper examination of the context, looking at what was done as well as who executed the action, what their job is, and what resources they’re allowed to manage.” This enables organizations to zero-in and separate appropriate administrative operations from malicious ones, Chiu explained.

RBM is useful especially in cloud environments where ‘super admins’ have ‘super access’ to everything, i.e. they can copy, if they wish, every virtual machine with sensitive data, or tamper with controls and potentially destroy the entire virtual datacenter.
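As an added illustration of the role-based check described above (this is not code from HyTrust or the article; the roles, actions and audit events are constructed for the example), a minimal Python evaluator that compares each administrative action against the actor's role and flags anything outside it, such as an operator copying a production VM or a backup account reaching into a resource tier it does not own:

```python
# Added example: role-based monitoring over a constructed virtual-datacenter audit trail.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Role policy: the actions each role may perform and the resource prefixes it may manage.
# Hypothetical roles and names, constructed for this example.
ROLE_POLICY = {
    "vm_operator": {"actions": {"vm.start", "vm.stop", "vm.snapshot"},
                    "resources": ("vm/dev-",)},
    "backup_admin": {"actions": {"vm.snapshot", "vm.copy"},
                     "resources": ("vm/dev-", "vm/prod-")},
    "security_admin": {"actions": {"policy.update", "log.read"},
                       "resources": ("policy/", "log/")},
}

@dataclass
class Event:
    user: str
    role: str
    action: str
    resource: str

def evaluate(event: Event) -> Optional[str]:
    """Return a reason if the event falls outside the actor's role, else None."""
    policy = ROLE_POLICY.get(event.role)
    if policy is None:
        return f"unknown role {event.role!r}"
    if event.action not in policy["actions"]:
        return f"action {event.action} not permitted for role {event.role}"
    if not event.resource.startswith(policy["resources"]):
        return f"resource {event.resource} outside scope of role {event.role}"
    return None

def find_anomalies(events: List[Event]) -> List[Tuple[Event, str]]:
    return [(e, reason) for e in events if (reason := evaluate(e))]

# Constructed sample audit trail (the third and fourth events should alert).
SAMPLE_EVENTS = [
    Event("alice", "vm_operator", "vm.start", "vm/dev-web01"),
    Event("bob", "backup_admin", "vm.copy", "vm/prod-db01"),
    Event("alice", "vm_operator", "vm.copy", "vm/prod-db01"),    # copying a prod VM
    Event("bob", "backup_admin", "vm.copy", "vm/finance-hr01"),  # outside assigned tier
    Event("carol", "security_admin", "log.read", "log/audit"),
]

if __name__ == "__main__":
    for ev, why in find_anomalies(SAMPLE_EVENTS):
        print(f"ALERT {ev.user}: {why}")
```

In practice the role table would be fed from the identity provider or the virtualization platform's RBAC configuration rather than hard-coded.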

“It’s time to rethink security in-line with emerging technologies and change the way we do business,” said Chiu.