Cloud evangelist and architect at Red Hat Richard Morrell talks Cloud security management best practice.

Security management best practice when migrating to Cloud

We live in a deeply insecure world. That’s what every analyst and journalist will tell you when it comes to shining a light on the risks and issues facing information technology management as we go about our everyday computing activities. Month in, month out, the positioning of security management best practice for those undertaking a migration to Cloud gathers pace. CISOs and IT directors are under constant pressure to ensure conformance and compliance for their networks, architecture and deployment plans, and the publicised outages and data handling leaks at organisations highlighted in the press only add to this.

Whilst it would be cavalier to stand back and ignore these articles, we have to remember that they’re not far from the truth; security is one of the predominant risks and threats to any organisation of any size looking to even partially embrace Cloud-based platforms or deployments.

For the small to medium size enterprise it becomes even more confusing.

Risk registers and security awareness have normally stopped at the convenient bastion of the network perimeter: the trusty firewall appliance or managed firewall. As the author of firewalls protecting tens of millions of networks worldwide over the last decade, I’ve made a good living out of helping organisations of all sizes protect themselves from rogue hackers and opportunistic threats. However, it’s 2015 and we need to think differently. We need to arm ourselves to understand how migration beyond the network perimeter, and the harnessing of Cloud-based technologies, can influence our risk appetite when planning proactive security education, both within our own camps for our developers and engineers and for our customers who may be consuming services we produce or make available.

Over the last six years I’ve worked proactively as a contributor and unpaid advisor to the Cloud Security Alliance (CSA), an international body made up of thousands of unpaid individuals from every business vertical across the globe. Over that period the CSA has filled a hugely important vendor-neutral gap by providing intrinsic security control documentation for every conceivable type of business, be it traditional bare metal or virtualised new-world Cloud-based, across every avenue of business from health to finance, insurance to broadcast media. Those controls, in the form of easy-to-follow security matrixes, have allowed those adopting them to benefit from being steps ahead of ISO, PCI-DSS, BASEL and other governances and, more importantly, to have proactively built out defence in depth.

The Cloud Control Matrixes are available as a free download from the CSA website. I also recommend that those looking to work with Cloud providers look at the CSA’s STAR certification programme, under which vendors’ products and services are audited to provide assured levels of security conformity in this new Cloud world. Being armed is essential; being smart is the core to the protection of the privacy, security and reputation of your company and its assets.