How to Secure the Enterprise Cloud for SMB and Beyond

December 31, 2015

By John Casaretto - Contributing Writer

The enterprise cloud is the most flexible solution for information technologies that has ever been created. There are countless tools, applications, and variations. When the narrative is focused on savings, efficiency, and enablement, the cloud always tells a compelling story of strategy and ultimate benefit. However, it is not unfair to look at the cloud as a threatened environment. There have been countless breaches that have impacted companies significantly over the years. Cloud security is a big concern and a big undertaking, however it doesn't have to be a barrier to cloud adoption.

Any security challenge is part technical in nature and part mindset. Which part comes first is up to the organization, but these are inseparable concepts. The problem with cloud security is that there are so many cloud products and offerings to secure. No one technology can address all the forms that cloud comes in. There are cloud-based file services, infrastructure as a service (IaaS), cloud-based applications, and many other ways to integrate cloud into the business. Fundamental principles make all the difference and can be easily integrated against any of the aforementioned cloud technologies.

  1. Every employee logs in with their own identity - Combined with roles-based administration and permissions, this is an important step in securing malicious and unintended insider threats.
  2. Lay out service expectations - This step is a bit of Information Technology 101, but the principle extends to the cloud. As a business, the security relationship between your organization and the cloud provider matters and should be explicitly composed in the event of a crisis.
  3. Emergency procedures and policies - A business' security team needs to have every element of a response plan laid out ahead of time, along with roles, communications, and escalation procedures. This applies even if the security team is an outside party.
  4. Administrative documentation - This basic principle dictates that instructions or the process for access to cloud providers, environments, and account information are clearly shared with administrative staff for remediation of issues.
  5. Account management - Accounts should constantly be reviewed for appropriate access throughout the internal and cloud environments. Unnecessary permission levels should be eliminated. When employees leave the company, a proper account retirement process should be in place as well.

Essentially, the organization should always keep its expectations for cloud services delivery on high. All of the agreements, processes, and remediation steps required to keep the business running should be treated as such - business-critical. That may sound like a given, but it does take a shift in mentality to achieve. This foundation will make the rest of a proper security plan come together well whether it is a small, medium-sized, or enterprise-level business.

Edited by Maurice Nagle