David Grimes, CTO, NaviSite, says:

For most companies, data is their most valuable resource. Hosting data in a cloud environment gives companies strategic benefits such as scalability and lower infrastructure costs. But with these new benefits come different security risks, and these risks can often prevent companies from taking advantage of the benefits of cloud hosting.

The security risks of operating in the cloud can be largely mitigated by architecting and building the customer’s environment in a way that decreases these risks while still taking full advantage of the benefits the cloud has to offer. Ultimately, building a cloud environment that has all the necessary security measures is a partnership and a shared responsibility between a cloud service provider and its customer. It’s important for cloud service providers to educate their customers and support their development of an internal process for building a secure environment.

At NaviSite, we believe there is no one-size-fits-all cloud platform, so we partner closely with our customers to build a customized cloud environment based on their specific business and compliance needs. With that experience, we’ve identified seven steps businesses should take when building their cloud environments. These steps have been tested and refined through NaviSite’s experience helping hundreds of companies secure enterprise resources according to best practices.

Review your business goals

A cloud security plan should begin with an understanding of a company’s specific business goals, existing architecture and any compliance requirements. Additional factors for consideration should include technology, building methodologies, and training to ensure the staff has the skills to develop a security plan that aligns with business goals. Companies can take advantage of SharedAssessments.org’s questionnaire to help define their security-related business goals.

Maintain a risk management program

Companies should build a well-defined risk management program that defines the level of risk a company is willing to accept. That process can include assessing the value of the assets, estimating the probability and expected magnitude of a loss, and then deciding whether the organization is willing to accept that risk of loss.

Create a security plan that supports a business plan

The plan should include compliance programs, technologies, and processes, all with specific results. For example, a growing IT services company may pursue a data center compliance program, such as SSAE-16. The plan should include specific completion dates, verification of achievement such as a Service Organization Controls report, and measurable expected results.

Establish corporate-wide buy-in

Companies need to ensure the security plan is not only aligned with organization goals, but also with the goals of the departments that will be implementing it.

Create security policies, procedures and standards

A set of guidelines is important to ensure compliance measures are identified and that the entire organization is working towards the same goals. Leverage industry best practices and existing business goals to ensure security policies address business requirements.

Audit and review often

It’s key to review the security plan on a regular basis, report on achievements of goals, and audit the organization’s compliance to the policies and procedures. A third-party audit, such as SSAE-16, can provide an impartial review of the controls and compliance.

Continuously improve

A company should review its cloud security plan with senior executives and its cloud service provider at least once a year, and revise goals and objectives as needed. Following the review, a company should actively report back to the organization on the accomplishments of the security and compliance teams.

By following these steps, organizations can structure security and compliance programs to capture the economic advantages of managed cloud services while meeting organizational security and compliance objectives.