4. What are the risks and threats of your cloud strategy? Taking a risk-based approach is critically important - CIOs need to look at the sensitivity level of information and applications, and make sure decisions are made based on provider controls and specific virtualisation controls offered. Consider:
+ Trust related to transparency of cloud providers - highly important in public clouds where visibility is low, as well as private clouds where you need to be aware of controls. Draw boundaries of who is responsible for what services.
+ Data concerns - ensure you know that your data is being protected, fully deleted, properly backed up and existing in the correct geography for regulatory requirements.
+ Governance model - ensure that your governance model covers not just policies but also user access management and incident response, and that there is a good flow between the cloud provider and your organisation.
+ Asset management system - look at a system that can track resources, data and access. Ensure data classification runs with the application.
+ Security data logging and auditing - in order to limit damage, make sure you have the ability to know who does what and when, and that any changes are logged and audited sufficiently.
5. Are you using best practice? As adoption of cloud computing increases, there will be a growing pool of specific reference models and guidance. Review best practice and tools, and talk to the Cloud Security Alliance (CSA) or cloud providers that are members of CSA.
If you're looking at creating a cloud environment, it is important that you start building in the instruments to be able to answer compliance questions and risk management questions that will be posed internally from within the organisation and externally from partners, auditors and regulators. The easiest place to start is to first ask yourself these questions.
In this pre-standards era of cloud computing, CIOs need to be smart when thinking about cloud computing and ensure all due diligence is made before taking the plunge.
Patrick Eijkenboom is an Australian consultant at enterprise software company NetIQ, which specialises in managing security and compliance, identity and access, and performance and availability.