From flexibility to cost savings, there are many benefits to including public cloud in an IT strategy. However, cybersecurity is a critical, and often neglected, component of due diligence. Organizations would be wise to adhere to several best practices so they can ensure the security of the data and workloads they move to the public cloud.
As we established in an
earlier post, cybersecurity for workloads in the public cloud is largely a shared responsibility with the cloud service provider. The level of ownership for corporate IT teams will depend on the type of cloud platform (e.g. PaaS, IaaS, etc.). In addition, offerings of each cloud services provider vary to some degree.
So, where should an organization start? One of the most important steps for organizations pursuing the use of
cloud services is updating existing governance models. This is good practice even for companies without public cloud interest, as reviewing the governance model helps organizations identify and understand which data needs to be secured.
One criterion for review is the sensitivity of the information. For example: does the data include customer credit card, personal health, or employer data? Determining appropriate access and protection for such information also requires understanding any applicable regulations and compliance frameworks.
Another part of any governance model review should be deciding which workloads are most suitable for the public cloud, and which should be kept in a private cloud or on-premises system. These types of decisions should be guided by data and workload classification.
Good governance also means putting the right processes in place. Doing so can help mitigate issues like shadow IT, provide appropriate visibility of cloud resources, support risk management efforts, and allow for secure migrations.
Be sure to include key personnel as part of the governance model planning process: representatives from IT, security, legal, human resources, and the lines of business. Others who should be updated on progress include the CEO, CFO, COO, CIO, and CISO. When creating or updating governance models, the director of networking, SOC manager, security analysts, and network administrators may also like to be included.
Once you’ve finalized the governance model review, test and verify the model by ensuring that:
- Security controls are working as expected
- Protocols are being followed
- Migrated applications and workloads are behaving as they should
- User experience has not been impacted in a negative way
Another good practice: Provide cybersecurity training for employees that addresses unique public cloud considerations. Team members should understand that cybersecurity is everyone’s responsibility. All employees need to know what to look for or avoid to help protect data in the public cloud.
Lastly, deploying the right cybersecurity solutions is crucial. Organizations need to leverage smart tools to manage and control the cloud environment in much the same way that they manage and control their on-premises IT infrastructure. These tools should complement internal systems and built-in offerings from public cloud providers. During the due diligence process, companies should adequately compare public cloud providers and their respective security services — not all providers are alike.
As you begin moving workloads to the public cloud, assess the performance of the workloads to make sure they’re performing as expected and are meeting the company’s availability, quality, and user experience requirements.
Integrating public cloud into an IT strategy can provide a number of business benefits. By following these cybersecurity best practices, organizations can improve associated outcomes and overall experience with public cloud platforms.