Cloud Security Policies are crucial to implementing an effective data security strategy.
They typically act as the connectors that hold many aspects of data security together across both technical and nontechnical components.
The failure to implement and utilize policies in cloud-based (or non-cloud-based) environments would likely result in disparate parts or isolation of activities, effectively operating as standalone or one-offs and leading to multiple duplication and limited standardization.
From an organizational perspective, policies are nothing new. They have long been providing guiding decisions and principles to ensure that actions and decisions achieve the desired and rational outcomes.
From a cloud computing angle, the use of policies can go a long way toward determining the security posture of cloud services, as can standardizing practices to guide implementation.
What are the Organizational Policies?
Organizational policies form the basis of functional policies that can reduce the likelihood of the following:
- Financial loss
- The irretrievable loss of data
- Reputational damage
- Regulatory and legal consequences
- Misuse and abuse of systems and resources
What are the Functional Policies?
As highlighted in prior sections of this blog, particularly for organizations that have a well-engrained and fully operational ISMS, the following are typically utilized.
(These are typical functional Cloud Security Policies this list is not all-encompassing.)
- Software security policy
- Segregation of duties policy
What are the top 7 Cloud Computing Policies?
The listed organizational policies define acceptable, desired, and required criteria for users to follow and adhere to.
Throughout a number of these, specified criteria or actions must be drawn out, concerning any associated standards and processes, which typically list finite levels of information.
As part of the review of cloud services, either during the development of the cloud strategy or during vendor reviews and discussions, the details and requirements should be expanded to compare or assess the required criteria (as per existing policies).
This also helps determine the provider’s ability to meet or exceed relevant requirements.
Following are some policy examples:
- Password policies: If the organization’s policy requires an eight-digit password comprised of numbers, uppercase, and lowercase characters, and special characters, is this true for the CSP?
- Remote access: Where two-factor authentication may be required for access of network resources by users and third parties, is this true for the CSP?
- Encryption: If minimum encryption strength and relevant algorithms are required (such as a minimum of AES 256-bit), is this met by the CSP or potential solution? Where keys are required to be changed every three months, is this true for the CSP?
- Third-party access: Can all third-party access (including the CSP) be logged and traced for the use of cloud-based services or resources?
- Segregation of duties: Where appropriate, are controls required for the segregation of key roles and functions, and can these be enforced and maintained on cloud based environments?
- Incident management: Where required actions and steps are undertaken, particularly regarding communications and relevant decision-makers, how can these be fulfilled when cloud-based services are in scope?
- Data backup: Is data backup included and in line with backup requirements listed in relevant policies? When data integrity is affected or becomes corrupt, will the information be available and in a position to be restored, particularly on shared platforms, storage, and infrastructure?
What is a Policy Bridging in Cloud computing?
When cloud-based services cannot fulfill the elements listed in the previous section, there needs to be an agreed-upon list or set of mitigation controls or techniques.
You should not revise the policies to reduce or lower the requirements if at all possible.
All changes and variations to policy should be explicitly listed and accepted by all relevant risk and business stakeholders.