Ensure Cloud Security in IaaS and PaaS Environments

Keep your information security risks manageable when leveraging the benefits of cloud computing.


Your Challenge

  • Hosted cloud environments, such as infrastructure as a service (IaaS) or platform as a service (PaaS), offer major IT and business benefits that organizations are looking to realize.
  • Organizations may decide to migrate some part of their IT operations to a hosted cloud environment to realize any number of benefits.

Our Advice

Critical Insight

  • Security remains a large impediment to realizing cloud benefits. Numerous concerns still exist around the ability for data privacy, confidentiality, and integrity to be maintained in a cloud environment.
  • Even if adoption is agreed upon, it becomes hard to evaluate vendors that have strong security offerings and even harder to utilize security controls that are internally deployed in the cloud environment.
  • Security Perception: Cloud can be secure, although unique security threats and vulnerabilities create concerns for consumers.
  • Balancing Act: Securing an IaaS or PaaS environment is a balancing act of determining whether the vendor or the consumer is responsible for meeting specific security requirements.
  • Structured CSP Selection Process: Most security challenges and concerns can be minimized through our structured process (CAGI) of selecting the trusted CSP partner. 

Impact and Result

  • The business is adopting a hosted cloud environment and it must be secured, which includes:
    • Ensuring business data cannot be leaked or stolen.
    • Maintaining privacy of data and other information.
    • Securing the network connection points.
  • Determine a balancing act between yourself and your CSP: through contractual and configuration requirements, determine what security requirements your CSP can meet and cover the rest through internal deployment.
  • This blueprint and associated tools are scalable for all types of organizations within various industry sectors.

Contributors

  • Eric Chiu, Founder and President, HyTrust
  • John Lamboy, President and CEO, Cyber Defence Security and Intelligence (CDIS)
  • Michel Fosse, Consulting Services Manager, IBM
  • Paul Stillwell, Senior Security Consultant, Intrepita
  • Robert Hawk, Secure Networking Designed/Risk and Security Assessment SME, BC Hydro
  • Steven Woodward, CEO, Cloud Perspectives

Want to Participate in Our Research?

  • Analyst Interviews: Share your best practices, opinions, tools or templates with your peers.
  • Webinars: Interactive session to keep us focused on topics you want to tackle.
  • Upcoming Workshops: Accelerate your project with an onsite, expert analyst to facilitate a workshop for you. Contact us for more details.


Get to Action

  1. Determine your IaaS/PaaS risk profile

    Gain understanding of what the major implications of adopting an IaaS/PaaS program are and what this means for your organization’s security.

  2. Determine your IaaS/PaaS security control requirements

    Determine a customized list of security controls specific to your organization’s needs.

  3. Evaluate IaaS/PaaS vendors from a security perspective

    Determine which cloud vendors are most appropriate for your security needs.

  4. Implement your hosted IaaS/PaaS security controls

    Delegate responsibilities for meeting security requirements to create action-orientated items that can be communicated effectively with stakeholders to ensure proper implementation of security controls for your program.

  5. Build an IaaS/PaaS security governance program

    Ensure the continued maintenance and security of your IaaS/PaaS programs.

Guided Implementation

This guided implementation is a four-call advisory process.

  • Call #1: Determine your hosted cloud risk profile

    Info-Tech will work with you to identify your organization’s specific risk profile of hosted cloud environments. Various factors will be evaluated and the final result will be discussed.

  • Call #2: Determine your security control requirements

    Info-Tech will work with you to determine what security control requirements the organization will need based on its risk profile. Discuss and identify what control requirements should be met by the vendor or by your organization.

  • Call #3: Implement your hosted security controls

    Info-Tech will work with you to implement identified security controls by providing in-depth implementation steps for each security control.

  • Call #4: Build an IaaS/PaaS security governance program

    Info-Tech will work with you to develop processes so your organization can maintain and measure their cloud environment security.

Onsite Workshop

Module 1: Determine Your Hosted Cloud Risk Profile

The Purpose

  • Identify rationale for adopting an IaaS/PaaS program to ensure security is not an impediment.
  • Identify major changes to security obligations from the adoption of an IaaS/PaaS program.
  • Determine the risk profile of the organization’s new IaaS/PaaS program.   

Key Benefits Achieved

  • Realized business benefits: Identify the business’s main rationale for adopting cloud and ensure this is not impeded.
  • Understanding of your security scope: Assess the business processes being changed and respective changes to your security. 
  • Determination of your specific cloud security risk profile. 

Activities (numbered) and Outputs (bulleted):
1.1 Determine your organization’s rationale for cloud adoption and what that means for your security obligations.
  • Determined what the organizational risk profile is for adopting IaaS/PaaS.
1.2 Evaluate all risk-based variables to determine your IaaS/PaaS cloud risk profile.
  • IaaS/PaaS Risk Profile.
1.3 Analyze and document your hosted cloud risk profile.

Module 2: Determine Your IaaS/PaaS Security Control Requirements

The Purpose

  • Develop an understanding of how IaaS/PaaS security can be achieved.
  • Determine and document all security control requirements of the organization. 

Key Benefits Achieved

  • Select a safe IaaS/PaaS vendor.
  • Select an auditable IaaS/PaaS vendor.
  • Select a transparent IaaS/PaaS vendor.
  • Select a portable IaaS/PaaS vendor. 

Activities (numbered) and Outputs (bulleted):
2.1 Understand how consumers can evaluate vendors’ security capabilities.
2.2 Perform a cloud security requirement completeness assessment.
  • Evaluated vendors’ security capability completeness based on your organization’s IaaS/PaaS risk profile.
2.3 Perform a cloud security auditability assessment.
  • Evaluated vendors’ auditable levels of their certifications and security testing.
2.4 Perform a cloud security governability assessment.
  • Evaluated vendors’ governability by assessing transparency.
2.5 Perform a cloud security interoperability assessment.
  • Evaluated vendors’ portability by assessing their interoperability.

Module 3: Evaluate Your Cloud Vendors and Implement Your Security Controls

The Purpose

  • Evaluate vendors’ ability to meet your internal control requirements as well as their ability to meet vendor-specific control requirements.
  • Build an action plan/roadmap on how to secure your cloud environment.
  • Implement the action plan. 

Key Benefits Achieved

  • Effectively communicate with potential CSPs.
  • Ensure your requirements are understood and being met.
  • Delegated responsibilities for meeting security requirements.
  • Moved from a list of needs to an action plan.
  • Communicate your security strategy. 

Activities (numbered) and Outputs (bulleted):
3.1 Understand the problems and components of cloud contracts.
3.2 Create your IaaS/PaaS SLA document.
  • Created your security portion of your cloud SLA.
3.3 Determine communication lines.
  • Entered into vendor selection and contract negotiations.
3.4 Perform due diligence on shortlisted vendors.
  • Begun due diligence practices on vendor selection.
3.5 Identify potential obstacles and stakeholders.
  • Allocated responsibility between the consumer and the CSP for meeting specific requirements.
3.6 Turn your security requirements into specific tasks and develop your implementation roadmap.
  • Translated security requirements into actionable tasks that have then been prioritized and planned.
3.7 Develop a communication plan to ensure successful adoption and buy-in.
  • Developed a communication plan to gain senior buy-in and ensure successful adoption of security controls.

Module 4: Build a Governance Program

The Purpose

  • To develop processes so the member can maintain and measure their cloud environment security.
  • Ongoing vendor governance.
  • Ongoing internally deployed security control governance.

Key Benefits Achieved

  •  Ensure continued security and maintenance of privacy and integrity of your cloud environment.

Activities (numbered) and Outputs (bulleted):
4.1 Build the organizational structure of your IaaS/PaaS Security Governance Program.
  • A completed security governance program to track ongoing cloud security duties and responsibilities.
4.2 Define your escalation processes.
4.3 Build an IaaS/PaaS Security Governance Committee.
4.4 Document your identity and access policies and procedures.
4.5 Develop your ongoing communication management practices.
4.6 Define information governance for data in this new environment.
4.7 Build a metrics program in order to objectively measure your project success.

Book Your Workshop

Onsite Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn’t enough, we offer low-cost onsite delivery of our Project Workshops. We take you through every phase of your project and ensure that you have a road map in place to complete your project successfully.
