How to Secure Private Clouds In Five Steps
The first reason most IT professionals say they are interested in a private cloud solution, rather than a public cloud solution, is security. Ironically, diligent security is often the last item on the checklist for many organizations when building a private cloud solution.
I’ve found that, unless an organization is in a regulated industry that is required to provide proof of security – such as PCI, HIPAA, FISMA or ITAR – the level of security in many data centers today could be characterized as “not so much.”
A security initiative needs to be a detailed, disciplined process, but it doesn’t have to be overwhelming. You do, however, have to have a security policy to apply in the first place. A best-practices approach to upgrading or creating a security policy that is appropriate for most organizations focuses on five basic security components.
These five steps form the path for a solid security policy: Risk Assessment, Data Ownership, Data Classification, Auditing and Monitoring, and Incident Response.
While developing your private cloud security policy to help defend your organization from hackers, as well as from inadvertent access to confidential data, try asking the following questions.
1. Risk Assessment: How much risk can the organization accept? This seems like an odd question; the answer would seem to be an automatic, “None.” However, considering this question and then developing corporate policies for security around the answers will help identify the security and privacy requirements necessary to ensure compliance with any applicable federal and state regulations as well as industry requirements. As your company develops risk management policies, it replaces ambiguity with certainty about questions regarding data security and privacy.
2. Data Ownership: Who owns the data? That question helps decide the “local data sheriffs” for an organization. Why is it necessary? Because each data owner, usually someone within a specific business unit, decides the classification of the data to be maintained and is then responsible for granting user access to the data.
3. Data Classification: How is the data classified? Not all data is created equal. That is, not all data requires the same level of security. Typically, data is classified using three categories – private, confidential or public. Data can fall under more than one category – a spreadsheet with salary information might be private to the company and confidential so only HR employees and supervisors may view it. A data classification established by the data owner clears up any mystery about access.
4. Auditing and Monitoring: How is the data watched? This is generally accomplished with a security information and event management (SIEM) system that records successful and failed login attempts on key systems, configuration changes and system activities. A SIEM system can correlate logs from various security systems and help reconstruct the events that led to a security breach or incident.
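The correlation and reconstruction described in this step, as an added example that is not part of the original article: a small Python script that reads constructed, syslog-style login and configuration-change records (the hosts, users, addresses and the `audit_logging=off` change are all made-up sample data), flags a burst of failed logins followed by a success from the same account and source, then correlates that suspicious login with any configuration change the account made in the following minutes, and finally rebuilds the account's timeline. The thresholds and windows are assumptions chosen for the sample, not values from the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, one event per line, key=value fields.
# (Illustrative data only; not taken from any real system.)
SAMPLE_LOGS = """\
2024-03-01T08:00:01 auth host=db01 user=alice src=10.0.5.20 result=FAIL
2024-03-01T08:00:04 auth host=db01 user=alice src=10.0.5.20 result=FAIL
2024-03-01T08:00:09 auth host=db01 user=alice src=10.0.5.20 result=FAIL
2024-03-01T08:00:15 auth host=db01 user=alice src=10.0.5.20 result=FAIL
2024-03-01T08:00:20 auth host=db01 user=alice src=10.0.5.20 result=FAIL
2024-03-01T08:00:31 auth host=db01 user=alice src=10.0.5.20 result=SUCCESS
2024-03-01T08:02:10 config host=db01 user=alice change=audit_logging=off
2024-03-01T09:15:00 auth host=fs01 user=bob src=10.0.7.8 result=FAIL
2024-03-01T09:15:40 auth host=fs01 user=bob src=10.0.7.8 result=SUCCESS
"""

# Assumed tuning values for this example; a real deployment would set its own.
FAIL_THRESHOLD = 5                      # failures that count as a guessing burst
BURST_WINDOW = timedelta(seconds=60)    # how close together the failures must be
FOLLOW_UP_WINDOW = timedelta(minutes=10)  # how soon after the login a change is suspicious


def parse_line(line):
    """Turn '<iso-timestamp> <kind> k=v k=v ...' into a dict."""
    ts, kind, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts), "kind": kind}
    for field in fields:
        key, _, value = field.partition("=")   # keep '=' inside the value intact
        event[key] = value
    return event


def parse_logs(text):
    """Parse all non-empty lines and order them by time."""
    events = (parse_line(l) for l in text.splitlines() if l.strip())
    return sorted(events, key=lambda e: e["ts"])


def detect_bruteforce_success(events, threshold=FAIL_THRESHOLD, window=BURST_WINDOW):
    """Flag a (user, src) pair with >= threshold failures inside `window`
    that is then followed by a successful login from the same pair."""
    alerts = []
    recent_fails = defaultdict(list)  # (user, src) -> timestamps of recent failures
    for e in events:
        if e["kind"] != "auth":
            continue
        key = (e["user"], e["src"])
        # forget failures that have aged out of the window
        fails = [t for t in recent_fails[key] if e["ts"] - t <= window]
        recent_fails[key] = fails
        if e["result"] == "FAIL":
            fails.append(e["ts"])
        elif e["result"] == "SUCCESS" and len(fails) >= threshold:
            alerts.append({"rule": "bruteforce_then_success", "user": e["user"],
                           "src": e["src"], "host": e["host"], "ts": e["ts"],
                           "failures": len(fails)})
            fails.clear()
    return alerts


def detect_followup_changes(events, login_alerts, window=FOLLOW_UP_WINDOW):
    """Correlate a suspicious login with configuration changes made by the
    same account shortly afterwards: two low-value events become one incident."""
    alerts = []
    for a in login_alerts:
        for e in events:
            if (e["kind"] == "config" and e["user"] == a["user"]
                    and a["ts"] <= e["ts"] <= a["ts"] + window):
                alerts.append({"rule": "config_change_after_suspicious_login",
                               "user": e["user"], "host": e["host"], "ts": e["ts"],
                               "change": e["change"], "trigger": a["rule"]})
    return alerts


def reconstruct_timeline(events, user):
    """Everything one account did, in order: the raw material for working
    out what led up to an incident."""
    lines = []
    for e in events:
        if e.get("user") == user:
            fields = " ".join(f"{k}={v}" for k, v in e.items() if k not in ("ts", "kind"))
            lines.append(f"{e['ts'].isoformat()} {e['kind']} {fields}")
    return lines


def run(text=SAMPLE_LOGS):
    """Parse the records and return all alerts from both rules."""
    events = parse_logs(text)
    login_alerts = detect_bruteforce_success(events)
    return login_alerts + detect_followup_changes(events, login_alerts)


if __name__ == "__main__":
    for alert in run():
        print(alert)
    print("\n".join(reconstruct_timeline(parse_logs(SAMPLE_LOGS), "alice")))
```

On the sample data the first rule fires once, for `alice` (five failures in under a minute, then a success), while `bob`, whose single failure is ordinary, is left alone; the second rule then ties the `audit_logging=off` change to that login because the same account made it within the follow-up window. Disabling audit logging right after a suspicious login is exactly the kind of event a SIEM exists to catch, and the timeline function shows why keeping both the authentication and the configuration records in one place matters.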
5. Incident Response: What is the reaction to any data security breach? Exactly what to do in the case of a data security breach must be outlined in detail in a corporate incident response policy. The stronger the security and controls applied, the fewer incidents requiring reaction. The opposite is also true: weaker controls mean more incidents, each demanding a fast response. A detailed policy makes a quick response easier.
Developing an appropriate security program for a conventional infrastructure, and then extending it to a private cloud environment, adds another dimension to each of these steps. The reality is that, until you have developed, implemented and tested a comprehensive security program for your organization, your data may not be any safer at home, let alone in the cloud.