The cloud has been a great democratizer. Before the cloud was an option, business applications such as CRM and marketing intelligence were the exclusive domain of businesses that could spend six or seven figures on them. The cloud has made the same capabilities available to small and medium sized businesses at a fraction of the cost. It isn't all sunshine and rainbows, though. Handling precious company data in the cloud is a hairy proposition, and the penalty for a leak is severe. There are four key considerations when securing that data. They apply equally whether the application runs in a private or a public cloud.
- Data classification: Some data fields are more sensitive than others. Categorize data by business need, access level and encryption requirements (whether each field must be encrypted in transit, at rest, both, or neither). Depending on business needs, it may also be necessary to keep data physically and/or logically segregated to prevent contamination or accidental access, for example one tenant's records being read by another.
- Access control: Policies and technical controls should be in place to regulate access to, manipulation of and movement of data. The controls vary with the access profile, viz. end user, data analyst, application programmer. Each profile should be granted only the fields and operations it needs.
- Monitoring and incident logging: The data infrastructure should be monitored for threats and subjected to periodic penetration tests. Access to data and changes to the environment should be logged, and the logs reviewed on a regular basis so that an incident can be reconstructed after the fact.
- Third party audits: Despite their best intentions, organizations can develop collective myopia if they are never tested from outside. The value of third party audits cannot be overstated. The audit reports can be standardized per industry guidelines. For instance, the American Institute of Certified Public Accountants (AICPA) has Service Organization Controls (SOC) reporting standards that are recommended for service organizations such as data centers and SaaS providers. This does not come cheap, and I admit to having hesitated before approving the audit. But it IS important. We cannot afford to lay a weak foundation. That's the engineer in me speaking :-).
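The first three pillars above (classification, access control by profile, and logging) fit together into one mechanism, so here is an added illustrative example of how they combine; it is not code from the original post. A per-field classification states each field's sensitivity and whether it must be encrypted in transit and at rest; a per-profile ceiling decides which fields a role sees in the clear, which a data analyst sees only as a keyed pseudonym (so records can still be joined without exposing the value), and which are redacted; every decision, including denials, lands in an access log. The sensitivity levels, role names, the sample CRM record and the pseudonymisation key are all constructed for the demo; in production the key would come from a KMS or HSM and the log would go to a write-once store.

```python
"""Field-level classification, role-based visibility and access logging.

Added example, not from the original post. Levels, roles, the sample
record and PSEUDONYM_KEY are constructed for illustration only.
"""
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class Sensitivity(Enum):
    PUBLIC = 0        # e.g. company name
    INTERNAL = 1      # e.g. account tier
    CONFIDENTIAL = 2  # e.g. contact e-mail, phone
    RESTRICTED = 3    # e.g. payment reference


@dataclass(frozen=True)
class FieldPolicy:
    sensitivity: Sensitivity
    encrypt_at_rest: bool      # stored column must be encrypted
    encrypt_in_transit: bool   # field may only cross TLS-protected links


# Constructed classification for a toy CRM "contact" record.
CLASSIFICATION: Dict[str, FieldPolicy] = {
    "company":    FieldPolicy(Sensitivity.PUBLIC, False, True),
    "tier":       FieldPolicy(Sensitivity.INTERNAL, False, True),
    "email":      FieldPolicy(Sensitivity.CONFIDENTIAL, True, True),
    "phone":      FieldPolicy(Sensitivity.CONFIDENTIAL, True, True),
    "card_token": FieldPolicy(Sensitivity.RESTRICTED, True, True),
}

# Highest sensitivity each access profile may read in the clear.
CLEAR_TEXT_CEILING: Dict[str, Sensitivity] = {
    "end_user": Sensitivity.RESTRICTED,            # own record only (enforced below)
    "data_analyst": Sensitivity.INTERNAL,          # CONFIDENTIAL fields pseudonymised
    "application_programmer": Sensitivity.PUBLIC,  # never sees production values
}

# Constructed key for the demo; a real deployment fetches this from a KMS/HSM.
PSEUDONYM_KEY = b"demo-only-pseudonymisation-key"

ACCESS_LOG: List[dict] = []

# Constructed sample record; "notes" is deliberately left unclassified.
SAMPLE_RECORD = {
    "company": "Acme", "tier": "gold", "email": "a@acme.example",
    "phone": "+1-555-0100", "card_token": "tok_123", "notes": "met at conf",
}


def pseudonymise(value: str) -> str:
    """Keyed hash: analysts can join on the field without seeing its value."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def view_record(record: dict, role: str, subject: str, owner: str) -> dict:
    """Return `record` as `subject`, acting under `role`, is allowed to see it."""
    if role not in CLEAR_TEXT_CEILING:
        raise PermissionError(f"unknown access profile: {role}")
    if role == "end_user" and subject != owner:
        # The RESTRICTED ceiling for end users only holds for their own record.
        ACCESS_LOG.append({"subject": subject, "role": role, "owner": owner,
                           "decision": "deny"})
        raise PermissionError("end users may only read their own record")

    ceiling = CLEAR_TEXT_CEILING[role]
    out = {}
    for name, value in record.items():
        policy = CLASSIFICATION.get(name)
        if policy is None:
            # Unclassified field: fail closed rather than leak it.
            out[name] = "<unclassified:redacted>"
        elif policy.sensitivity.value <= ceiling.value:
            out[name] = value
        elif role == "data_analyst" and policy.sensitivity is Sensitivity.CONFIDENTIAL:
            out[name] = pseudonymise(str(value))
        else:
            out[name] = "<redacted>"
    ACCESS_LOG.append({"subject": subject, "role": role, "owner": owner,
                       "decision": "allow", "fields": sorted(record)})
    return out


def fields_requiring_encryption_at_rest() -> List[str]:
    """Which columns the storage layer must encrypt, derived from the classification."""
    return sorted(n for n, p in CLASSIFICATION.items() if p.encrypt_at_rest)


if __name__ == "__main__":
    print(view_record(SAMPLE_RECORD, "data_analyst", "analyst1", "alice"))
    print(view_record(SAMPLE_RECORD, "application_programmer", "dev1", "alice"))
    print(fields_requiring_encryption_at_rest())
    print(ACCESS_LOG)
```

Two design choices are worth noting. An unclassified field is redacted rather than passed through, so a newly added column is invisible until someone classifies it, which is the only way a classification scheme stays honest over time. And the deny path logs before raising, so the log shows attempted cross-account reads as well as successful ones; that is the record a reviewer or auditor actually wants.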
The list above is neither prescriptive nor exhaustive. However, I believe these guidelines are axiomatic. I wanted to condense the security environment to the key entities and the relationships between them (see the outline I had sketched out). For instance, I skipped physical security and HR security practices, but feel they are covered loosely under access control. Furthermore, if upon review you find your business is missing one or more of the listed pillars, treat it as a security hole and a matter of concern. For an in-depth study of the subject, consider reviewing the SOC reporting standards mentioned above.