This series examines security in the cloud, showing how companies can mitigate cloud computing security issues and risks.
A layer of cloud security that cannot be overlooked is that of access. In many ways, this is the most challenging level of security, because it has to do with people: people who have foibles, who make errors, and who — occasionally — act with malice. When addressing the topic of access, the first area to examine is identity and access management (IAM). The company and vendor should be sure to establish:
- How identity and access management is monitored.
- Who has access — both from the vendor side and the client side.
- What the policy controls are.
Application and patch management follows hard on the heels of identity and access management. Again, the company and vendor must agree on:
- Who has access to make changes in the environment.
- Who has responsibility to make changes.
- What the process is for patch and release.
- How interdependencies between applications will be managed and protected.
It is not sufficient simply to have procedures in place to guard cloud access. The vendor must log and document all the transactions that take place within the environment, and match those transactions against known threats. This not only offers an additional level of protection against errors or attacks in real time, but may also be necessary to fulfill various compliance and regulatory requirements, and to provide documentation if the company is audited.
To conclude, it is important to recognize that risk cannot be 100% eliminated. However, it can be significantly reduced, to an acceptable level, by examining all the aspects noted in this series on security in the cloud.