- Hosted cloud environments, such as infrastructure as a service (IaaS) or platform as a service (PaaS), offer major IT and business benefits that organizations are looking to realize.
- Organizations may decide to migrate some part of their IT operations to a hosted cloud environment to realize any number of benefits.
Our Advice
Critical Insight
- Security remains a large impediment to realizing cloud benefits. Numerous concerns remain about whether data privacy, confidentiality, and integrity can be maintained in a cloud environment.
- Even once adoption is agreed upon, it becomes hard to evaluate which vendors have strong security offerings, and even harder to apply internally deployed security controls within the cloud environment.
- Security Perception: Cloud can be secure, although unique security threats and vulnerabilities create concerns for consumers.
- Balancing Act: Securing an IaaS or PaaS environment is a balancing act of determining whether the vendor or the consumer is responsible for meeting each specific security requirement.
- Structured CSP Selection Process: Most security challenges and concerns can be minimized through our structured process (CAGI: completeness, auditability, governability, and interoperability) for selecting a trusted CSP partner.
Impact and Result
- The business is adopting a hosted cloud environment and it must be secured, which includes:
  - Ensuring business data cannot be leaked or stolen.
  - Maintaining privacy of data and other information.
  - Securing the network connection points.
- Strike a balance between yourself and your CSP: through contractual and configuration requirements, determine which security requirements your CSP can meet, and cover the rest through internal deployment.
- This blueprint and associated tools are scalable for all types of organizations within various industry sectors.
Workshop: Ensure Cloud Security in IaaS and PaaS Environments
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Module 1: Determine Your Hosted Cloud Risk Profile
The Purpose
- Identify the rationale for adopting an IaaS/PaaS program so that security does not become an impediment.
- Identify major changes to security obligations from the adoption of an IaaS/PaaS program.
- Determine the risk profile of the organization’s new IaaS/PaaS program.
Key Benefits Achieved
- Realized business benefits: Identify the business’s main rationale for adopting cloud and ensure this is not impeded.
- Understanding of your security scope: Assess the business processes being changed and respective changes to your security.
- Determination of your specific cloud security risk profile.
| Activities | Outputs |
| --- | --- |
| Determine your organization’s rationale for cloud adoption and what that means for your security obligations. | Determined what the organizational risk profile is for adopting IaaS/PaaS. |
| Evaluate all risk-based variables to determine your IaaS/PaaS cloud risk profile. | IaaS/PaaS Risk Profile. |
| Analyze and document your hosted cloud risk profile. | |
Module 2: Determine Your IaaS/PaaS Security Control Requirements
The Purpose
- Develop an understanding of how IaaS/PaaS security can be achieved.
- Determine and document all security control requirements of the organization.
Key Benefits Achieved
- Select a safe IaaS/PaaS vendor.
- Select an auditable IaaS/PaaS vendor.
- Select a transparent IaaS/PaaS vendor.
- Select a portable IaaS/PaaS vendor.
| Activities | Outputs |
| --- | --- |
| Understand how consumers can evaluate vendors’ security capabilities. | |
| Perform a cloud security requirement completeness assessment. | Evaluated vendors’ security capability completeness based on your organization’s IaaS/PaaS risk profile. |
| Perform a cloud security auditability assessment. | Evaluated vendors’ auditable levels of their certifications and security testing. |
| Perform a cloud security governability assessment. | Evaluated vendors’ governability by assessing transparency. |
| Perform a cloud security interoperability assessment. | Evaluated vendors’ portability by assessing their interoperability. |
Module 3: Evaluate Your Cloud Vendors and Implement Your Security Controls
The Purpose
- Evaluate vendors’ ability to meet the internal control requirements identified in Module 2, as well as their ability to meet vendor-specific control requirements.
- Build an action plan/roadmap for securing the cloud environment.
- Implement the action plan.
Key Benefits Achieved
- Effectively communicate with potential CSPs.
- Ensure your requirements are understood and being met.
- Delegated responsibilities for meeting security requirements.
- Moved from a list of needs to an action plan.
- Communicate your security strategy.
| Activities | Outputs |
| --- | --- |
| Understand the problems and components of cloud contracts. | |
| Create your IaaS/PaaS SLA document. | Created the security portion of your cloud SLA. |
| Determine communication lines. | Entered into vendor selection and contract negotiations. |
| Perform due diligence on shortlisted vendors. | Begun due diligence practices on vendor selection. |
| Identify potential obstacles and stakeholders. | Allocated responsibility between the consumer and the CSP for meeting specific requirements. |
| Turn your security requirements into specific tasks and develop your implementation roadmap. | Translated security requirements into actionable tasks that have then been prioritized and planned. |
| Develop a communication plan to ensure successful adoption and buy-in. | Developed a communication plan to gain senior buy-in and ensure successful adoption of security controls. |
Module 4: Build a Governance Program
The Purpose
- Develop processes so the member organization can maintain and measure the security of its cloud environment.
- Ongoing vendor governance.
- Ongoing internally deployed security control governance.
Key Benefits Achieved
- Ensure continued security and maintenance of privacy and integrity of your cloud environment.
| Activities | Outputs |
| --- | --- |
| Build the organizational structure of your IaaS/PaaS Security Governance Program. | A completed security governance program to track ongoing cloud security duties and responsibilities. |
| Define your escalation processes. | |
| Build an IaaS/PaaS Security Governance Committee. | |
| Document your identity and access policies and procedures. | |
| Develop your ongoing communication management practices. | |
| Define information governance for data in this new environment. | |
| Build a metrics program to objectively measure the success of your project. | |