Considerations in Creating a Cloud Security Policy

There are clear advantages for all businesses that adopt cloud technology. Achieving data mobility and transparency is an effective way to boost productivity, improve compliance and make collaboration easier.

Adopting any cloud-based enterprise resource planning (ERP) or cloud-governance platform requires the right security policies. Here’s what to know.

Why Your Business Needs a Cloud Security Policy

Owners may underappreciate the threat surface of their organization and the risk profile of small and medium-sized businesses (SMBs) in general. An estimated 70% of organizations operating in the cloud have suffered from a successful data breach or cyberattack.

Ubiquitous computing and data-gathering mean every department and workflow may involve communication with the cloud. The information in transit might include equipment telemetry, payment information, intellectual property, sensitive business forecasts, compliance documents and more.

Enterprises that don’t take steps to secure their cloud properties with a security policy run substantially higher risks of:

  • Data breaches
  • Ransomware and malware
  • Distributed denial of service (DDoS) attacks
  • Hijacked corporate accounts
  • Threats from insiders and former associates
  • Difficulty maintaining legal compliance
  • Accidental cloud misconfigurations

This is why every business requires a strong, future-proof cloud security policy. Microsoft is one of the biggest providers of business IT and cloud products, and it spends $1 billion every year on protecting those services.

Businesses of all sizes require a similar commitment to employee and client protection baked into their culture and budget.

Tips for Creating Your Cloud Security Policy

Creating a robust and effective cloud security policy becomes less opaque if you break it down into discrete steps. Here are some of the most important fundamentals of the process.

Adapt or Borrow

Your company probably already has some information security policies in place. Your team could probably lift relevant passages from existing guidance documents.

If you don’t, the internet makes it easy to find strong examples of cloud and IT security policies, such as those employed by higher-learning institutions. Loyola University in Chicago provides public documents describing a range of responsibilities it expects its faculty and students to abide by:

  • Secure data-deletion processes
  • Information-classification procedures
  • Proper use of peer-to-peer (P2P) file-sharing
  • Vulnerability disclosure and risk planning
  • Vendor VPN policies
  • Data-privacy policies, including GDPR compliance
  • Rules for what information may or may not be moved to the cloud

You can also refer to the Center for Internet Security (CIS) for an expansive collection of policy resources. CIS Benchmarks have over 100 configuration guidelines for security best practices that are created and affirmed by cybersecurity experts around the world.

Your finished document should include clear language on process ownership, including which parties have the authorization to migrate data and workflows to cloud environments.

To see what this looks like in practice, begin by reviewing Google’s guidelines for permissions and roles related to its Cloud Transfer Service. Manipulating workflows, operations, and pools requires clearly defined roles, each with its own distinctive capabilities. These include creating jobs and workflows, pausing jobs, reading vs. manipulating resources, and observing other boundaries related to identity access management (IAM).

Oracle provides its own resources on establishing cloud security protocols based on roles and task ownership. For example, an individual on the financial team requires permission to access the company’s monetization cloud – but somebody in another department may not. Siloing digital resources, and access to them, helps contain lateral-movement attacks and reduces the chance of somebody damaging data they should never have had access to in the first place.

Vet Partners and Products

The adoption of cloud governance and cloud-based ERP products requires due diligence from your IT and purchasing team. Cloud-services providers must deliver secure products that add value without introducing new risk.

Unfortunately, laws requiring specific cybersecurity and privacy protections currently resemble a patchwork even within countries. For example, the legal expectations for businesses in California are not yet typical in the rest of the regulation-averse U.S. where data privacy is concerned. Navigating this can be complicated, but there are some essentials to keep in mind. Ask yourself:

  • Do you conduct business in a region where stricter-than-average cybersecurity and data security laws apply to residents and companies doing business there, such as California (CCPA) or the United Kingdom (GDPR)?
  • Are your potential technology partners new startups, which may have more flexibility in their cloud policies but less customer experience, or established players, which may have infrequently updated security policies but more relevant experience and credentials?
  • When was the last time the vendor updated its privacy and protection policies? What is its approach and usual timeline for making changes?

Industry-specific guidance may also apply, so look for policy examples within your niche. For instance, a company operating a fleet of trucks may be required by law to use electronic logging devices. Still, the rules may differ across its territory or lack specifics about how rigorous data protection standards must be. Be sure any products you use will fulfill every legal requirement that applies to you.

Make it a top stipulation in your cloud security policy to only choose entities that hold themselves to the highest current standards where data governance is concerned.

Choose Your Team and Technologies

Select a knowledgeable team to write up your organization’s cloud security policy. This team should be cross-functional so that the resulting policies reflect the culture and needs of each department.

Members should combine IT knowledge with strong communication skills, and include roles such as cloud security architects, information security officers, analysts, administrators, members of HR, and others. Strong communication comes in handy for collaborating with stakeholders on the language used and discussing the process’s results and necessity with the rest of the company.

Remain in contact with HR and your legal team while drafting the policy. These groups will render valuable feedback and perspectives on the bases to cover.

Have plans to publish and distribute the finished policy to all employees. This might include supporting documents like how-tos and FAQs. Determine an interval for reviewing the process and adapting it as circumstances and requirements change — such as quarterly or annually.

It’s also worth exploring how technology can make developing and enforcing cloud security policies easier. First, it’s recommended that your cloud adoption team explore vendors that offer policy-as-code solutions. This is where cloud security policies exist as “high-level” executable code instead of written statements or platitudes. Rather than manually reviewing whether a product complies with security standards, which is time-consuming and error-prone, policy-as-code ensures compliance by evaluating and enforcing security policies automatically.
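As an added illustration of the policy-as-code idea, and of the role-siloing point made earlier, the following Python evaluator turns a few written policy statements (encryption at rest, no public exposure of restricted data, approved regions, who may hold an admin role) into executable checks run over a resource inventory. It is not code from the original post or from any vendor named here; the inventory, rule ids, role names and region names are constructed assumptions.

```python
# Policy-as-code: each written rule becomes a predicate over a resource record,
# and the evaluator reports every violation instead of relying on manual review.
from collections import namedtuple

# Constructed inventory (hypothetical): storage buckets and IAM role bindings.
RESOURCES = [
    {"kind": "bucket", "name": "finance-exports", "classification": "restricted",
     "region": "us-east1", "public": False, "encrypted": True},
    {"kind": "bucket", "name": "marketing-assets", "classification": "public",
     "region": "europe-west1", "public": True, "encrypted": True},
    {"kind": "bucket", "name": "hr-records", "classification": "restricted",
     "region": "asia-south1", "public": False, "encrypted": False},
    {"kind": "binding", "name": "intern@example.com", "role": "transfer.admin"},
    {"kind": "binding", "name": "finops@example.com", "role": "transfer.viewer"},
]

# Policy parameters (assumed values a real policy document would fix).
ALLOWED_REGIONS_FOR_RESTRICTED = {"us-east1", "europe-west1"}
ADMIN_ROLES = {"transfer.admin"}
APPROVED_ADMINS = {"finops@example.com"}

# A rule: id, human-readable statement, resource kind it applies to, and a
# check that returns True when the resource complies.
Rule = namedtuple("Rule", "id description applies_to check")

RULES = [
    Rule("ST-1", "Buckets must be encrypted at rest", "bucket",
         lambda r: r["encrypted"]),
    Rule("ST-2", "Restricted data must never be public", "bucket",
         lambda r: not (r["classification"] == "restricted" and r["public"])),
    Rule("ST-3", "Restricted data only in approved regions", "bucket",
         lambda r: r["classification"] != "restricted"
         or r["region"] in ALLOWED_REGIONS_FOR_RESTRICTED),
    Rule("IAM-1", "Only approved identities may hold admin roles", "binding",
         lambda r: r["role"] not in ADMIN_ROLES or r["name"] in APPROVED_ADMINS),
]


def evaluate(resources, rules=RULES):
    """Return (rule_id, resource_name) for every rule a resource violates."""
    violations = []
    for r in resources:
        for rule in rules:
            if rule.applies_to == r["kind"] and not rule.check(r):
                violations.append((rule.id, r["name"]))
    return violations


if __name__ == "__main__":
    for rule_id, name in evaluate(RESOURCES):
        print(f"VIOLATION {rule_id}: {name}")
```

Running it flags the unencrypted, wrongly placed hr-records bucket and the intern holding an admin role, while compliant resources produce no output; wiring such a check into a deployment pipeline is what turns the policy from a document into an enforced control.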

Some Key Takeaways

Migrating to or operating in the cloud requires adaptation and observation of security fundamentals, but it doesn’t have to be intimidating. Using the Cloud Security Maturity Model (CSMM), you can establish where you currently stand with cloud security and make decisions on how best to move forward.

Recall these key takeaways when planning a cloud security policy:

  • In today’s data-driven world, security measures are always necessary.
  • Adapt and modify existing security policies rather than building your own from scratch.
  • Work with vendors and partners who have innovative technology and reliable security practices of their own that can work with your unique needs and challenges.
  • Build your security policy using a knowledgeable, cross-functional team.
  • Make security training a high priority for all associates.

Standards, expectations and risk factors evolve regularly, so make sure your organization is ready to meet those challenges and has a policy to provide guidance.

Keep reading about how policy-as-code can provide a secure foundation for your cloud security policy here: Security as code is the future to governing risk
