Avoid being locked into a particular cloud service supplier/vendor
One of the greatest concerns for company managers in the migration phase is to avoid being locked in to a particular cloud service provider. The problem is particularly concerning at the SaaS and PaaS levels.
For senior management and IT staff, it is important to have an alternative strategy defined before the migration process starts.
Implement security and privacy requirements
Security and privacy are probably the most concerning issues for enterprises that decide to adopt a cloud infrastructure. Below are just a few questions that every IT security manager has in mind when approaching the cloud computing paradigm.
- Are confidential data securely stored in the cloud?
- What are the risks related to exposure to cyber threats?
- Can we trust the cloud service provider's personnel?
- What level of security is offered in the SLA?
- What security mechanisms are in place?
- Are we compliant with security standards? Which ones?
Privacy is closely related to security. A huge amount of sensitive data and personally identifiable information (PII) is stored by enterprises in cloud architectures, and it needs to be protected from intentional cyber attacks and accidental incidents.
Cloud security diagram
An effective approach to privacy and security issues is necessary to avoid loss of business caused by incidents (e.g. data breach) and non-compliance with government regulations.
Companies have to consider security and privacy issues according to the needs of the industry they operate in. The key security constructs on the basis of which security policies must be analyzed are infrastructure, data, identity, and end-user devices.
To improve the security and privacy of a cloud architecture, companies that decide to move their workloads to the cloud have to:
- Decide which data to migrate to the cloud and request the implementation of the measures necessary to ensure the integrity of the information and preserve its confidentiality. For example, consider the source code of the core applications developed by a company that needs to be moved into the cloud; the software repository needs to be hardened against external attacks, and access to it must be regulated to prevent data leakage by insiders.
- Map company data in order to request its security classification.
- Review the cloud providers' security/privacy measures (e.g. physical security, incident notifications) and make sure that they are documented in the cloud SLA.
- Identify sensitive data.
- Define/Review the authorization and authentication processes.
- Examine applicable regulations and carefully evaluate what needs to be done to meet them after a migration to cloud computing.
- Manage the risks of security or privacy violations, evaluating the impact on the company business for every task/activity moved to the cloud.