Many cloud providers make claims about having PCI-compliant or HIPAA-compliant cloud architecture, but then leave little in the way of explanation about the controls they employ to create and maintain the security.
Some questions you may ask include:" How and where they encrypt data at rest and data in motion" How they manage encryption keys including the frequency of key rotation" How do they vet employees who will have physical access to the network and compute infrastructure that hosts your application" Do they undergo 3rd party audits to validate their controls" What security features are and are not included in their boilerplate SLA" What are their notification policies and procedures after a security event and what constitutes security event" Are backups of my data moved offsite and are they encrypted" To what geographic locations is it possible for my data to move" How do they securely delete or destroy my data when requested
Cloud providers that have difficulty answering these questions, are unwilling to put answers in writing or are evasive or unclear when answering may lack a reasonable security focus.
After gathering this information, start writing the scope of your cloud policy. Here you can detail acceptable cloud providers, applications, data or services that can be moved into the cloud, to whom this policy applies and what legal and contractual agreements will govern the policy. If you have an existing Acceptable Use Policy or Information Technology Policy you can communicate that those rules still apply.
Your objective in defining responsibilities is to clearly define who owns the various operational aspects of your cloud-based applications. Clarify who, either by name or role, owns the responsibility for performing certain necessary activities. For example, spell out the roles or parties that may:" Sign a Service Level Agreement with a cloud provider" Administer security or performance settings with the cloud provider" Classify data" Create or change cloud user and admin accounts" Create or perform backups of cloud data" Make changes to your Cloud Policy document" Terminate an agreement with a cloud provider
Finally, create the policy statements themselves. One way to start is to think how you want your employees to use the cloud and write down the common sense ideas that come to mind. Concepts like not saving corporate or client data from the cloud to a personal computing device, not transmitting protected or sensitive data to or from the cloud without encryption, and not sharing your cloud user account password may seem obvious, but state them anyway.
If you already have an Acceptable Use Policy (AUP), you may borrow from that and adapt the statements to reflect the unique nature of using the cloud. If you have identified the cloud providers you are going to use, reference their AUP and use the same or similar language in your policy.
Sign up for CIO Asia eNewsletters.