Cloud Security

Ten Questions Every Business Should Ask Before Developing a Cloud Security Policy

Scott Hazdra, principal security consultant for Neohapsis, has posed some interesting questions organizations need to ask when developing a cloud security policy. Given the growing need to protect data, cloud security policy development is a crucial first step in the process, but it isn’t as easy as it seems.

Earlier this year, a survey by Ponemon Institute showed that 36% of the businesses surveyed didn’t have a centralized cloud security policy in place, and 45% said they didn’t enforce employee use of private clouds. The problem is that gaps like these can lead to improper (or worse – malicious) cloud usage and potentially catastrophic security or regulatory incidents.

“Crafting a good cloud security policy involves thinking of the right questions and answering those questions about what and why you are moving assets to the cloud, finding a good fit in a provider and understanding your organization’s culture,” Hazdra said.

With that said, SecurityWeek is presenting his entire list unedited, because while for some the logic is rather common, for others the thought process is completely unknown.

1. What do we want to put in the cloud – data, applications or both? Based on this, you will be able to identify criteria to determine the best cloud provider and service required such as IaaS, PaaS or SaaS.

2. Do we have a good data classification policy and procedure and what type of data will we allow in the cloud – sensitive corporate data, protected data such as PII, SSNs or HIPAA related, day-to-day operational data? If you don’t have a good data classification policy, create that too so you aren’t inadvertently transmitting and storing data in a cloud that you don’t want there.

3. What existing policy does our company have that also applies to what we want to do in the cloud?

4. What have others in our industry done and what can we borrow? Calling up a peer who’s already ventured into the cloud and has experience with the good, the bad and the unexpected can really help you craft your policy. Checking out what a standards body, like ISO, NIST or the CSA, has created is also a great idea for discovering policy areas you may not have considered.

5. Who within our organization is allowed to enter into agreements with cloud providers? Who has authority to negotiate SLAs? Who can set up an application in or move data to the cloud and with whom should it be approved beforehand?

6. Where can my data or application be physically located? Where your data lives and where it could be moved to have legal and privacy implications.

7. What is our exit strategy and policy for removing data or application from this cloud provider? Having a clear exit strategy before you start prevents you from potentially large operational costs or downtime later.

8. If we choose to put sensitive or protected data in the cloud, how well do the cloud provider’s security policies and procedures align with our organization’s? Ensuring your cloud provider’s security program maturity is as advanced or more advanced than yours is a good sign.

9. For applications in the cloud, who within our organization is allowed to modify settings on the cloud that affect performance? Define who, when and under what circumstances changes can be made.

10. How should we manage administrative privileges to the cloud provider? For example, do you allow application developers to make changes to security settings in the cloud to improve performance?

“Consulting with your peers and reviewing existing cloud policies and standards is a mandatory exercise. Lastly, take your newly created policy and allow the different stakeholders in your organization to comment. If you follow these guidelines, the better prepared you’ll be when that first packet of data moves from your servers out into your provider’s trusted cloud,” Hazdra added.

The bottom line is that business leaders must understand and protect the data that is most valuable to the organization. Policy isn’t easy, nor is it fun; but policy creation such as this is an essential step to creating a framework of layers that defend against the threats that represent the largest amount of risk to the business.
