Recently, the personal accounts of several high-profile individuals on a popular public cloud service were breached by hackers. Since then, there has been a lot of discussion regarding the security of cloud-based services. Cloud is the future, from personal to corporate use. But in order to unleash the vast potential cloud platforms can provide, companies need to ensure their systems are fully protected in every respect.
Through our extensive experience and analysis of working with customers around the world, we have drawn several conclusions about how to best construct and manage cloud securely. Here are our eight best practices:
The first line of defense against external threats is frequently updated security policies, guidelines and cloud security processes for both business and IT teams. Clearly defined security roles and responsibilities allocated by CIOs will ensure that security is implemented effectively. It's important not to forget existing security teams and procedures; these play a significant role in enhancing cloud security.
Regarding operations, continuous training is vital, as employees educated about cloud's security impact on their individual functions and roles are much less likely to leave their workstations vulnerable. In the event an intrusion has occurred, disaster recovery and business continuity plans help to minimize damage and downtime, which additionally requires that cloud environments be adequately maintained and updated by IT teams for auditing purposes.
As for technology, software is available that helps to manage data access controls, bolsters system protection against security risks such as DDoS attacks, and prevents unwarranted leakage and tampering of data. For example, Germany's University of Bonn installed specialist security software to enable universal access to each user's customized computing environment and personal files. That means that locally saved files are guaranteed, as they are now stored centrally and secured by an automated backup that takes place every two hours.
What's more, verification technology provides authentication checks, management of security keys, and physical security protection such as access to a business's IT premises. In the event of a failure on part of the cloud, backup, recovery and archive tools and procedures ensure that data stored on a cloud system is available. Additionally, protective defenses can be installed across several system layers such as servers, core infrastructure, internal networks and network boundaries (where it connects to a cloud environment) for more robust security measures.
4. Data protection
Organizations adopting cloud services would benefit from understanding the implications of maintaining the confidentiality of personal or other sensitive business information. In particular, the physical location of data and its legal jurisdiction are key considerations as they affect data usage and access privileges for both people and devices. Businesses that understand and comply with regulatory frameworks under which they operate and assess cloud service providers based on these regulations provide a new layer of protection by developing secure contracts that reflect local laws.
This is particularly relevant for different businesses which have very specific functions and clients. A joint approach can be taken to combine the expertise and resources of various teams including business units, compliance, security and architecture to define exactly what data needs protecting while still ensuring that this data can be accessed where and when necessary.
5. Type of cloud
The type of cloud (public, trusted, private or hybrid) has the most significant impact on the level of risk and, therefore, induces different levels of security and management considerations. For example, I Know IT, an Australian IT services business that supports legal, accounting and logistics industries, realized that public cloud services would not provide the necessary data, transaction security and autonomy needed by their clients, particularly law firms. While some general functions could be handled via public clouds, legal email and document management required a private cloud implementation with effective disaster recovery processes under local control.
6. Access-control approach
Organizations are best served by adopting an access-control approach to data protection that incorporates in-house, outsourced and cloud systems and logs all data access, so that audit trails are available to enable the investigation of potential security breaches and unauthorized access.
7. Data integrity, audit and compliance
In addition, to ensure data integrity, and that cloud providers will not tamper with data, companies can insist on security management compliance such as SOX, Basel III, ISO 27001, ISO 27002 and ISO/IEC 20000. Similarly, from an auditing and compliance perspective, it is also important to work with service providers to define service level agreements, conduct regular field tests for fail-safety and security exercises, develop formal frameworks for security testing, perform independent security audits and report on past service levels.
8. Trusted cloud partners
Finally, building a relationship with trusted cloud service providers helps organizations to boost security levels and technology innovation with ongoing studies on the state of their cloud architecture, security practices and compliance.
Journey to cloud security
Organizations new to cloud say security is their number one concern. Indeed, many perceive it as a significant barrier to adoption. But those further along the cloud journey have a different perspective.
While security is just as important for them, it is no longer a source of worry or apprehension but becomes another consideration in their risk management strategies and processes. Their experience informs future decisions about moving other services into cloud, thus helping them make ever further strides along their cloud path.
Albert Wong is general manager of Fujitsu Hong Kong's managed services division. Primarily, he oversees teams responsible for the successful delivery of a wide range of solutions to Fujitsu's clients, with a focus on outsourced IT systems and managed services including service centers, data center services, server and desktop management and ongoing maintenance.