3. Identify and Use the Right Third-Party Auditing Services.
When it comes to security compliance, organizations need not simply take the CSP's word for it. Third-party auditing services can verify that security standards, processes and procedures are actually and consistently applied at a CSP, and compare what is in place against what was promised to the client.
A SAS 70 Type II audit covers the operation of controls over a period of time, conventionally at least six months and often longer, rather than at a single point in time. (SAS 70 has since been superseded by SSAE 16 and the SOC reports; SOC 2 Type II is the one that covers security controls and follows the same point-in-time versus period-of-time distinction.) Moving a few applications to the public cloud and having them audited over an extended period can give an organization the comfort level it needs to move more sensitive applications and data to the cloud with confidence.
4. Add Authentication Layers.
Most CSPs provide good authentication services for public cloud instances, but a product such as Halo NetSec from SaaS security vendor CloudPassage can help add an additional layer of authentication. Here's where you need to weigh the benefits of better public cloud security against the costs of increased network latency, possible performance degradation and additional points of failure.
5. Consider How Additional Security Will Affect Integration.
Default security with most leading CSPs is already strong. Adding public cloud security measures on top of it may affect overall application performance. It can also complicate your identity and access management efforts. These considerations matter all the more for mission-critical applications that need to integrate with other business applications, because end users will not be pleased if their applications are unavailable when they need them.
6. Put Security at the Forefront of Your SLA.
When you run a private cloud, you have (or should have) the tools to know when and where security breaches occur. How would a CSP customer ever come to know of these kinds of security breaches?
Public cloud security guarantees from CSPs are no good unless they are written into your contract as service level agreements, and unless transparent monitoring and reporting functions are available to the cloud customer, the contract itself may be useless, because you would have no way to tell whether its terms are being met.
7. Insist on Transparent Security Processes.
The need for transparent and verifiable security processes, procedures and practices within your SLA goes far beyond potential data breaches. When you rent hosted servers, there is at least a physical facility, a rack and a set of physical servers you can visit. With public clouds, on the other hand, you may not know the exact physical whereabouts of your cloud instances, so all you can rely upon is the information that the CSP is making available to you. This is why transparency is critical.
8. Streamline Logging and Monitoring.
Examining how a CSP monitors and logs both its cloud instances and the physical infrastructure underneath them is another key to ensuring public cloud security. Comparing one CSP's logging and monitoring practices with another's before you sign an SLA may reveal subtle differences in the security that is actually provided.