The first reason most IT professionals say they are interested in a private cloud solution, rather than a public cloud solution, is security. Ironically, diligent security is often the last item on the checklist for many organizations when building a private cloud solution.
I’ve found that, unless an organization is in a regulated industry that is required to provide proof of security – such as PCI, HIPAA, FISMA or ITAR – the level of security in many data centers today could be characterized as “not so much.”
A security initiative needs to be a detailed, disciplined process, but it doesn’t have to be overwhelming. You do, however, have to have a security policy to apply in the first place. A best-practices approach to creating or upgrading a security policy that is appropriate for most organizations focuses on five basic components.
These five steps form the path for a solid security policy: Risk Assessment, Data Ownership, Data Classification, Auditing and Monitoring, and Incident Response.
While developing your private cloud security policy to help defend your organization from hackers, as well as inadvertent access to confidential data, try asking the following questions.
1. Risk Assessment: How much risk can the organization accept? This seems like an odd question; the answer would seem to be an automatic, “None.” However, considering this question and then developing corporate policies for security around the answers will help identify the security and privacy requirements necessary to ensure compliance with any applicable federal and state regulations as well as industry requirements. As your company develops risk management policies, it replaces ambiguity with certainty about questions regarding data security and privacy.
2. Data Ownership: Who owns the data? That question helps decide the “local data sheriffs” for an organization. Why is it necessary? Because each data owner, usually someone within a specific business unit, decides the classification of the data to be maintained and is then responsible for granting user access to the data.
3. Data Classification: How is the data classified? Not all data is created equal. That is, not all data requires the same level of security. Typically, data is classified using three categories – private, confidential or public. Data can fall under more than one category – a spreadsheet with salary information might be private to the company and confidential so only HR employees and supervisors may view it. A data classification established by the data owner clears up any mystery about access.
4. Auditing and Monitoring: How is the data watched? This is generally accomplished with a security information and event management (SIEM) system that records successful and failed login attempts on key systems, configuration changes and other system activity. A SIEM correlates logs from the various security systems and helps reconstruct the chain of events that led to a security breach or incident.
5. Incident Response: How does the organization react to a data security breach? Exactly what to do in the event of a breach must be spelled out in detail in a corporate incident response policy. The stronger the security controls, the fewer incidents there will be to react to; weaker controls mean more incidents, each demanding a fast response. A detailed, rehearsed policy is what makes a quick response possible.
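To make steps 4 and 5 concrete, here is an added example (not code from the original article or from any product it mentions) of the kind of correlation a SIEM performs: it reads a handful of constructed, syslog-style login and configuration-change records, flags a burst of failed logins that is followed by a success from the same source, and attaches any configuration changes that user made shortly afterwards so the incident responder starts with a reconstructed timeline. The log format, field names, thresholds and hostnames are all assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system). Format is an assumed
# syslog-like "timestamp key=value ..." layout.
SAMPLE_LOGS = """\
2024-03-01T09:00:01Z host=vm-db01 event=login result=fail user=svc_backup src=10.20.0.9
2024-03-01T09:00:03Z host=vm-db01 event=login result=fail user=svc_backup src=10.20.0.9
2024-03-01T09:00:05Z host=vm-db01 event=login result=fail user=svc_backup src=10.20.0.9
2024-03-01T09:00:06Z host=vm-db01 event=login result=fail user=svc_backup src=10.20.0.9
2024-03-01T09:00:09Z host=vm-db01 event=login result=success user=svc_backup src=10.20.0.9
2024-03-01T09:01:40Z host=vm-db01 event=config_change user=svc_backup detail=firewall_rule_removed
2024-03-01T09:02:10Z host=vm-web02 event=login result=success user=alice src=10.20.0.31
2024-03-01T09:05:00Z host=vm-web02 event=config_change user=alice detail=tls_cert_rotated
2024-03-01T09:30:00Z host=vm-db01 event=login result=fail user=bob src=10.20.0.77
2024-03-01T09:40:00Z host=vm-db01 event=login result=success user=bob src=10.20.0.77
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one record into a dict; returns None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")}
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        event[key] = value
    return event


def correlate(log_text, fail_threshold=3, window=timedelta(seconds=60),
              followup=timedelta(minutes=10)):
    """Return one alert per (src, user) pair where at least `fail_threshold`
    failed logins inside a sliding `window` are followed by a successful login,
    together with any config changes by that user within `followup` of the success."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    recent_fails = defaultdict(deque)  # (src, user) -> timestamps of recent failures
    alerts = []
    for e in events:
        if e.get("event") != "login":
            continue
        key = (e.get("src"), e.get("user"))
        fails = recent_fails[key]
        # Drop failures that have aged out of the sliding window.
        while fails and e["ts"] - fails[0] > window:
            fails.popleft()
        if e.get("result") == "fail":
            fails.append(e["ts"])
        elif e.get("result") == "success" and len(fails) >= fail_threshold:
            # Reconstruct what the account did right after it got in.
            changes = [c for c in events
                       if c.get("event") == "config_change"
                       and c.get("user") == e.get("user")
                       and e["ts"] <= c["ts"] <= e["ts"] + followup]
            alerts.append({
                "user": e.get("user"),
                "src": e.get("src"),
                "host": e.get("host"),
                "failed_attempts": len(fails),
                "success_at": e["ts"],
                "config_changes": [(c["ts"], c.get("host"), c.get("detail")) for c in changes],
            })
            fails.clear()
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(f"{alert['user']} from {alert['src']} on {alert['host']}: "
              f"{alert['failed_attempts']} failures then success at {alert['success_at']}")
        for ts, host, detail in alert["config_changes"]:
            print(f"  followed by config change on {host} at {ts}: {detail}")
```

Only the svc_backup burst trips the rule; bob's single failure and alice's clean login do not, which is the point of correlating rather than alerting on every failed login. In a real deployment the threshold and windows are policy decisions that follow from the risk assessment in step 1, and the config-change lookup is what turns a login alert into the beginning of the incident timeline step 5 asks for.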
Developing an appropriate security program for a conventional infrastructure, and then extending it to a private cloud environment, adds another dimension to each of these steps. The reality is that, until you have developed, implemented and tested a comprehensive security program for your organization, your data may not be any safer at home, let alone in the cloud.