Journey to the Cloud
The promise of cloud computing has piqued the interest of many IT executives. It has garnered raving fans as well as skeptical critics, who extol its promises and scorn its pitfalls. Today’s enterprises, no matter which part of the world they operate in or what business they are in, strive to do three things simultaneously: sustain existing products and services, improve them, and introduce new ones, which can be summed up as “run, grow and transform”. Every competitive differentiator ultimately ties back to business logic, which lives in applications. The faster IT can catapult the business into capturing markets through the flexibility and scalability of cloud computing, the more valuable IT will be in the eyes of its business counterparts.
Moving to the cloud does not just affect technology; it affects people, IT and operations. Staff will need to learn new skills. Development, quality assurance and release procedures will need to evolve. The transformation to cloud permeates every level of the organization, and executives are thus rightfully concerned about it despite the promises that Cloud brings.
Above all the concerns, security and compliance are never far from the minds of executives. These have taken on heightened importance because the adoption of cloud-based applications has extended corporate business boundaries beyond the traditional firewall perimeter. This magnifies the playing field for malicious attackers several times over, leaving executives perturbed and uneasy.
To ease the transition, I have summarized a few key security questions that IT should address before taking the leap to cloud computing.
Policies and Standards
- Which of the policies and standards will need to change in a cloud environment?
- How will the policies and standards be enforced, in both in-sourced and outsourced models?
- Do the policies and standards use standards/frameworks such as ISO and COBIT?
- How will the applications and data be secured in the cloud?
- Is the identity access management architecture appropriate?
- If you are developing the application in-house, how should you update your design review process to cover cloud-security-specific requirements?
- If it is developed by a third party, how do you ensure that the design review process is sound and that rigorous code review processes are enforced and adhered to?
- Do you or your cloud provider have a penetration/vulnerability/denial-of-service testing program to verify that critical applications are secure?
- How do you or your cloud provider ensure that the network is secure as it extends to the cloud?
- How do you or your cloud provider ensure that the cloud management infrastructure is secure?
- How is the security in the cloud monitored?
- What level of logging is tracked and audited?
- How long are the audit trails kept?
- Where is the data kept?
- What are the security incident response protocols for the cloud environment?
- What are the interlocks between your cloud provider and your enterprise in case of security incidents?
- What are the SLAs?
Cloud is a dynamic environment in which technologies and business models continue to evolve, and along with it, security is in a similarly fluid state. The onus thus lies with the tripartite of cloud providers, enterprise IT and end users to ensure that cloud environments are secured. It is critical that enterprises have a proper framework and a structured approach before embarking on this journey. No doubt the journey to the cloud is fraught with challenges and risks, but the magnitude of the rewards that Cloud brings to enterprises is just too enticing to ignore.