The way cloud security is delivered will depend on the individual cloud provider or the cloud security solutions in place.
According to companies like Fortinet, for those using a combination of cloud and on-premises tools, taking control of a security plan is critical. You’ll want to have at least one standard and one advanced plan for each security technology, then apply one plan to all of your cloud devices. If your security management system isn’t cloud-based, you can’t be sure what’s going to work for you. If your organization uses both on-premises and cloud-based security solutions, then you need to be aware of differences in cloud and on-premises tools, such as Microsoft SysInternals’ own Sysinternals Security Advisory 7057, and John Tual’s security Best Practices. For more information on this topic, check out John’s guide and notes on controlling cloud security.
Beyond security at the perimeter, your organization will need to consider a security policy for your application processes. While different processes are related, you don’t want to treat all processes, cloud and on-premises, as if they’re the same. Some security problems might manifest themselves in the code that is executed in a cloud-based process, while other problems might occur outside the code. For example, in Windows Azure services, data can be stored in a variety of places. Cloud-based services might not allow data stored in Azure to be stored outside the Microsoft cloud if it violates an existing privacy policy. This means if you want data stored in your on-premises environment to be stored in Azure, then it needs to be placed in a policy that allows for this. However, if you are using Azure in a hybrid deployment, where the on-premises and cloud environments run the same Windows operating system, you will have to find a way to separate security policies to make sure each entity has the protection it needs.
Finally, if your security strategy includes data protection, it is critical that the security processes in place prevent data leakage. If you plan to use a third-party data protection technology, then make sure that your solution can provide data protection. Data protection doesn’t have to be painful. If you plan to keep your own internal data protected, then consider using a solution that can maintain an audit trail that helps you determine who can access the data and to whom it should be stored. You may want to consider cloud-based protection, so that you can learn about security issues as they occur and make sure the protection is in place. You should also invest in high quality colocation to secure your servers. These processes help to determine what you are likely to need to replace, upgrade or remove, which helps your business decide what is in your best interest.
