the largest issue I find is that few in the enterprise understand the true security requirements. Typically, the notions they hold about the legal and compliance issues around the protection of corporate and government data are not grounded in reality.
Things that need to be reviewed in detail include any laws or regulations that require compliance, and thus what technology is mandated (e.g., encryption levels or location of data). Moreover, existing internal policies around the protection of data, including the existing approaches for evaluating risk, must be identified. These should be written down and approved by leadership so everything is clear and well understood.
Step 2: Consider Identity-Based Security.
The best approach to cloud computing security requires that we deal with all assets, including humans, servers, databases, data, processes, services, etc., as identities. These identities can then be managed both in terms of their access to resources and as resources themselves. The application of identity-based security to cloud computing is quickly emerging. The most successful and useful cloud security systems are able to manage fine-grained identities to control when and how those identities interact.
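As an added illustration of the identity-based model described above (not code from the article or from any product it refers to), the following Python sketch registers a human, a service, a database and a storage bucket as identities of the same kind, then expresses every grant identity-to-identity with an allowed action set (the "how"), a daily time window (the "when") and attributes the principal must carry. The database appears both as a resource and as a principal. All names, attributes and times are constructed sample data.

```python
"""Identity-based access control across heterogeneous assets (added example).

Every asset, human or not, is an Identity. Any identity can be the principal
of a request or the resource being accessed; policies bind one identity to
another with actions, a time window and required principal attributes.
Evaluation is default-deny and every decision is recorded for audit.
"""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Identity:
    name: str
    kind: str                              # "human", "service", "database", ...
    attributes: frozenset = frozenset()    # e.g. {"mfa"}, {"pci-scope"}


@dataclass(frozen=True)
class Policy:
    principal: str                         # identity making the request
    resource: str                          # identity being accessed
    actions: frozenset                     # the "how": permitted operations
    start: time = time(0, 0)               # the "when": inclusive daily window
    end: time = time(23, 59, 59)
    required_attrs: frozenset = frozenset()  # principal must carry all of these


class IdentityStore:
    """Registry of identities plus a default-deny policy evaluator."""

    def __init__(self):
        self.identities = {}
        self.policies = []
        self.audit = []    # (timestamp, principal, resource, action, decision)

    def register(self, identity):
        if identity.name in self.identities:
            raise ValueError(f"duplicate identity: {identity.name}")
        self.identities[identity.name] = identity

    def grant(self, policy):
        # Refuse policies naming identities the store does not know, so a
        # typo cannot silently create an unmanaged grant.
        for name in (policy.principal, policy.resource):
            if name not in self.identities:
                raise ValueError(f"unknown identity in policy: {name}")
        self.policies.append(policy)

    def is_allowed(self, principal, resource, action, at):
        decision = self._evaluate(principal, resource, action, at)
        self.audit.append((at.isoformat(), principal, resource, action, decision))
        return decision

    def _evaluate(self, principal, resource, action, at):
        subject = self.identities.get(principal)
        if subject is None or resource not in self.identities:
            return False                   # unregistered parties are never trusted
        now = at.time()
        for p in self.policies:
            if p.principal != principal or p.resource != resource:
                continue
            if action not in p.actions or not (p.start <= now <= p.end):
                continue
            if not p.required_attrs <= subject.attributes:
                continue
            return True
        return False                       # no matching policy: default deny


def build_sample_store():
    """Constructed sample: two humans, a service, a database and a bucket."""
    store = IdentityStore()
    store.register(Identity("alice", "human", frozenset({"mfa"})))
    store.register(Identity("bob", "human"))                 # no MFA attribute
    store.register(Identity("payments-api", "service"))
    store.register(Identity("orders-db", "database", frozenset({"pci-scope"})))
    store.register(Identity("backup-bucket", "storage"))
    # Humans read production data only in business hours and only with MFA.
    for human in ("alice", "bob"):
        store.grant(Policy(human, "orders-db", frozenset({"read"}),
                           time(8, 0), time(18, 0), frozenset({"mfa"})))
    # A service identity may read and write around the clock.
    store.grant(Policy("payments-api", "orders-db", frozenset({"read", "write"})))
    # The database is itself a principal when it pushes nightly backups.
    store.grant(Policy("orders-db", "backup-bucket", frozenset({"write"}),
                       time(1, 0), time(3, 0)))
    return store


def sample_decisions():
    """Run a fixed set of requests against the sample store; returns label -> bool."""
    s = build_sample_store()
    day, night = datetime(2017, 10, 2, 10, 30), datetime(2017, 10, 2, 2, 0)
    return {
        "alice_read_day": s.is_allowed("alice", "orders-db", "read", day),       # True
        "alice_read_night": s.is_allowed("alice", "orders-db", "read", night),   # False
        "alice_write_day": s.is_allowed("alice", "orders-db", "write", day),     # False
        "bob_read_day": s.is_allowed("bob", "orders-db", "read", day),           # False, no mfa
        "api_write_night": s.is_allowed("payments-api", "orders-db", "write", night),  # True
        "db_backup_night": s.is_allowed("orders-db", "backup-bucket", "write", night), # True
        "db_backup_day": s.is_allowed("orders-db", "backup-bucket", "write", day),     # False
        "unknown_read": s.is_allowed("mallory", "orders-db", "read", day),       # False
    }


if __name__ == "__main__":
    for label, allowed in sample_decisions().items():
        print(f"{label}: {'ALLOW' if allowed else 'DENY'}")
```

The point of the sketch is that no rule depends on where a request comes from; a human, a service and a database are all evaluated by the same code path against policies keyed on who they are, and the audit list gives the defender one record of every decision, denials included.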
Step 3: Create a Plan.
Many consider security to be one of those things that gets added in the final hours of deployment or migration. The reality is that approaching security in general – and cloud specifically – requires that a master security plan emerge using the requirements we’ve gathered in Step 1. Keep in mind, security is systemic to cloud computing. It’s a part of every step in the plan. This drives down to the actual solutions, including solution patterns and candidate technology that should be evaluated as a potential fit. Many in IT approach security technology with a bias toward their favorite or existing solutions. Don’t lock yourself into a technology until you’ve understood the requirements and tested the technology.
Step 4: Select the Right Security Technology.
Goes without saying, right? However, most of those who implement security technologies never test them before the implementation. Many take the vendor’s or cloud provider’s word for things, which is a huge mistake.
Proof-of-concept (POC) testing is mandatory. You should go into deployment with no questions unanswered.
62 | THE DOPPLER | FALL 2017