Securing your Cloud Infrastructure - A Journey not a Destination
So you have finally decided to use the cloud to solve your business and customer problems. While the journey has begun, the next big question is: “How do you align the security requirements of this cloud infrastructure with your business needs so that clients and stakeholders are assured of its confidentiality, integrity and availability?”
There are five aspects that need to be considered:
1. Information Security Policy for Cloud-hosted Infrastructure: Assess the security practices that the cloud provider follows, for example, ISO 27001, PCI-DSS, HIPAA, SSAE 16, etc. Keeping business requirements in mind, your information security team and cloud administration team, along with the cloud service provider, should define cloud-specific security policies and procedures. Making them cloud-specific will help bring focus and also establish a method to measure and mitigate risks.
2. Security network architecture: Review off-the-shelf tools as a starting point for building your security network architecture. For example, build separate secured zones to segregate your Web, Processing and Database layers. This is similar to the DMZ-type approach and is supported by most providers.
Most providers also give you the option to add firewalls of your choice so that you can enable filtering and IPS-type features. Needless to say, the systems will need to be protected by cloud-specific anti-virus software. Follow the best practices for IP addressing and DNS, based on the flexibility and services the cloud service provider offers.
3. Continuity & Scalability: Continuity is not a new concept, but in the cloud world you will find many more cost-effective options for building continuity and scale into your infrastructure. For example, multiple availability zones for data centers, replication across geographies, auto-scaling and support for multiple IT automation frameworks.
4. Cloud Administration & Access Management: The next important aspect is to build a secured VPN tunnel to your core network. This is to ensure that only authorized teams have access to your cloud setup. This secured tunnel also helps in building an integration bridge between your cloud setup and internal systems. This step virtually makes your cloud infrastructure an extension of your physical, in-house datacenter. From an access management standpoint, consider using multifactor authentication and integration with the directory services of the organization.
5. Compliance: Benchmark against your information security standard, for example, ISO/IEC 27001, to provide assurance to clients and customers on the cloud-hosted infrastructure. Keep reviewing the effectiveness of your security implementation through regular audits, vulnerability/penetration testing and risk management.
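The zone segregation in point 2 and the VPN-only administration in point 4 can be checked mechanically during the regular audits mentioned in point 5. The following is an added example, not part of the original article: it audits a list of inbound allow rules against the Web / Processing / Database model. The subnets, VPN range, admin ports and rule format are assumptions constructed for illustration.

```python
from ipaddress import ip_network

# Assumed zone layout and VPN range (constructed values, not from the article).
ZONES = {
    "web": ip_network("10.0.1.0/24"),
    "processing": ip_network("10.0.2.0/24"),
    "database": ip_network("10.0.3.0/24"),
}
VPN = ip_network("10.8.0.0/24")
ADMIN_PORTS = {22, 3389}  # assumed administrative ports (SSH, RDP)

# The only source allowed to reach each zone on application ports.
ALLOWED_UPSTREAM = {"web": "internet", "processing": "web", "database": "processing"}

def classify(cidr):
    """Map a source CIDR to a zone name, 'vpn', or 'internet'."""
    net = ip_network(cidr)
    if net.subnet_of(VPN):
        return "vpn"
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    # Anything wider than a single zone is treated as untrusted.
    return "internet"

def audit(rules):
    """Return (rule, reason) for every inbound allow rule that breaks the model."""
    findings = []
    for rule in rules:
        src, dst = classify(rule["source"]), rule["zone"]
        if rule["port"] in ADMIN_PORTS:
            if src != "vpn":
                findings.append((rule, "admin port reachable from outside the VPN"))
        elif src != ALLOWED_UPSTREAM[dst]:
            findings.append((rule, f"{dst} zone reachable from {src}"))
    return findings

# Constructed sample rule set (inbound allow rules only).
SAMPLE_RULES = [
    {"zone": "web", "source": "0.0.0.0/0", "port": 443},
    {"zone": "processing", "source": "10.0.1.0/24", "port": 8080},
    {"zone": "database", "source": "10.0.2.0/24", "port": 5432},
    {"zone": "database", "source": "10.0.1.0/24", "port": 5432},  # web skips a tier
    {"zone": "web", "source": "0.0.0.0/0", "port": 22},           # SSH open to internet
    {"zone": "processing", "source": "10.8.0.0/24", "port": 22},  # admin via VPN
]

if __name__ == "__main__":
    for rule, reason in audit(SAMPLE_RULES):
        print(f"{rule['zone']}:{rule['port']} from {rule['source']} -> {reason}")
```

In practice the rule list would be exported from the provider's firewall or security-group configuration and mapped into this format before the audit runs.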
“Achieving information security is a journey, not a destination.” As you keep scaling and securing your cloud, you must continue to explore encryption tools, build more layers of redundancy, disaster recovery, and so on to add more value for your customers.