Ensure Cloud Security in IaaS and PaaS Environments

Keep your information security risks manageable when leveraging the benefits of cloud computing.


Please note that the content on this page is retired. This content is not maintained and may contain information or links that are out of date.

Migrating data or systems to an insecure public IaaS or PaaS can result in:

  • Theft or loss of private or critical business data.
  • Compromise of your cloud environment.
  • Limited visibility into cloud operations.

Properly secured IaaS and PaaS can result in:

  • The maintenance of data confidentiality, integrity, and availability.
  • Effective IT spend.
  • Proper vendor selection for a successful relationship.

Book Your Workshop

Onsite Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn’t enough, we offer low-cost onsite delivery of our Project Workshops. We take you through every phase of your project and ensure that you have a road map in place to complete your project successfully.

Module 1: Determine Your Hosted Cloud Risk Profile

The Purpose

  • Identify rationale for adopting an IaaS/PaaS program to ensure security is not an impediment.
  • Identify major changes to security obligations from the adoption of an IaaS/PaaS program.
  • Determine the risk profile of the organization’s new IaaS/PaaS program.   

Key Benefits Achieved

  • Realized business benefits: Identify the business’s main rationale for adopting cloud and ensure this is not impeded.
  • Understanding of your security scope: Assess the business processes being changed and respective changes to your security. 
  • Determination of your specific cloud security risk profile. 

Activities (numbered) and Outputs (bulleted):
1.1 Determine your organization’s rationale for cloud adoption and what that means for your security obligations.
  • Determined what the organizational risk profile is for adopting IaaS/PaaS.
1.2 Evaluate all risk-based variables to determine your IaaS/PaaS cloud risk profile.
  • IaaS/PaaS Risk Profile.
1.3 Analyze and document your hosted cloud risk profile.

Module 2: Determine Your IaaS/PaaS Security Control Requirements

The Purpose

  • Develop an understanding of how IaaS/PaaS security can be achieved.
  • Determine and document all security control requirements of the organization. 

Key Benefits Achieved

  • Select a safe IaaS/PaaS vendor.
  • Select an auditable IaaS/PaaS vendor.
  • Select a transparent IaaS/PaaS vendor.
  • Select a portable IaaS/PaaS vendor. 

Activities (numbered) and Outputs (bulleted):
2.1 Understand how consumers can evaluate vendors’ security capabilities.
2.2 Perform a cloud security requirement completeness assessment.
  • Evaluated vendors’ security capability completeness based on your organization’s IaaS/PaaS risk profile.
2.3 Perform a cloud security auditability assessment.
  • Evaluated vendors’ auditable levels of their certifications and security testing.
2.4 Perform a cloud security governability assessment.
  • Evaluated vendors’ governability by assessing transparency.
2.5 Perform a cloud security interoperability assessment.
  • Evaluated vendors’ portability by assessing their interoperability.

Module 3: Evaluate Your Cloud Vendors and Implement Your Security Controls

The Purpose

  • Evaluate vendors’ ability to meet those internal control requirements as well as their ability to meet vendor specific control requirements.
  • Build action plan/roadmap on how to secure their cloud environment.
  • Implement the action plan. 

Key Benefits Achieved

  • Effectively communicate with potential CSPs.
  • Ensure your requirements are understood and being met.
  • Delegated responsibilities for meeting security requirements.
  • Moved from a list of needs to an action plan.
  • Communicate your security strategy. 

Activities (numbered) and Outputs (bulleted):
3.1 Understand the problems and components of cloud contracts.
3.2 Create your IaaS/PaaS SLA document.
  • Created your security portion of your cloud SLA.
3.3 Determine communication lines.
  • Entered into vendor selection and contract negotiations.
3.4 Perform due diligence on shortlisted vendors.
  • Begun due diligence practices on vendor selection.
3.5 Identify potential obstacles and stakeholders.
  • Allocated responsibility between the consumer and the CSP for meeting specific requirements.
3.6 Turn your security requirements into specific tasks and develop your implementation roadmap.
  • Translated security requirements into actionable tasks that have then been prioritized and planned.
3.7 Develop a communication plan to ensure successful adoption and buy-in.
  • Developed a communication plan to gain senior buy-in and ensure successful adoption of security controls.

Module 4: Build a Governance Program

The Purpose

  • To develop processes so the member can maintain and measure their cloud environment security.
  • Ongoing vendor governance.
  • Ongoing internally deployed security control governance.

Key Benefits Achieved

  • Ensure continued security and maintenance of privacy and integrity of your cloud environment.

Activities (numbered) and Outputs (bulleted):
4.1 Build the organizational structure of your IaaS/PaaS Security Governance Program.
  • A completed security governance program to track ongoing cloud security duties and responsibilities.
4.2 Define your escalation processes.
4.3 Build an IaaS/PaaS Security Governance Committee.
4.4 Document your identity and access policies and procedures.
4.5 Develop your ongoing communication management practices.
4.6 Define information governance for data in this new environment.
4.7 Build a metrics program in order to objectively measure your project success.