The Doppler Quarterly Fall 2017 - Page 64

the largest issue I find is that few in the enterprise understand the true security requirements. Typically, they have notions about the legal and compliance issues around the protection of corporate and government data that are not based in reality. Things that need to be reviewed in detail include any laws or regulations that require compliance, and thus what technology is mandated (e.g., encryption levels or location of data). Moreover, existing internal policies around the protection of data, including the existing approaches for evaluating risk, must be identified. These should be written down and approved by leadership so everything is clear and well understood.

Step 2: Consider Identity-Based Security.

The best approach to cloud computing security requires that we deal with all assets, including humans, servers, databases, data, processes, services, etc., as identities. These identities can then be managed, in terms of access to resources, and as resources themselves. The application of identity-based security to cloud computing is quickly emerging. The most successful and useful cloud security systems are able to manage fine-grained identities to control when and how they interact.

Step 3: Create a Plan.

Many consider security to be one of those things that gets added in the final hours of deployment or migration. The reality is that approaching security in general – and cloud specifically – requires that a master security plan emerge using the requirements we’ve gathered in Step 1. Keep in mind, security is systemic to cloud computing. It’s a part of every step in the plan. This drives down to the actual solutions, including solution patterns and candidate technology that should be evaluated as a potential fit. Many in IT approach security technology with a bias toward their favorite or existing solutions. Don’t lock yourself into a technology until you’ve understood the requirements, and tested the technology.
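To make Step 2 concrete, here is an added example (not code from the article or from any product it mentions) of a small default-deny policy engine in which every asset, human or not, is an identity that can act on other identities and be acted upon, with each rule saying how (action) and when (UTC hour window) the interaction is allowed. All names and rules are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Identity:
    """Any asset, human or not, gets the same identity record."""
    name: str
    kind: str  # "human", "server", "service", "database", ...

@dataclass(frozen=True)
class Rule:
    """Subject identity may perform `action` on resource identity inside an hour window."""
    subject: str
    action: str
    resource: str
    hours: tuple = (0, 24)  # [start, end) in UTC hours: when the interaction is allowed

class IdentityRegistry:
    """Identities are both actors and resources; decisions are default-deny."""
    def __init__(self):
        self.identities = {}
        self.rules = []

    def register(self, ident):
        self.identities[ident.name] = ident

    def allow(self, rule):
        self.rules.append(rule)

    def decide(self, subject, action, resource, at_hour):
        """Return (allowed, reason); at_hour is the UTC hour of the request (0-23)."""
        if subject not in self.identities or resource not in self.identities:
            return False, "unknown identity"  # unregistered assets never match a rule
        for r in self.rules:
            if (r.subject, r.action, r.resource) == (subject, action, resource):
                start, end = r.hours
                if start <= at_hour < end:
                    return True, f"rule {r.subject} {r.action} {r.resource}"
                return False, "outside allowed window"
        return False, "no matching rule"

def build_sample_registry():
    """Constructed sample: a human, a server, a service and a database (hypothetical names)."""
    reg = IdentityRegistry()
    for ident in (Identity("alice", "human"), Identity("web-01", "server"),
                  Identity("orders-api", "service"), Identity("orders-db", "database")):
        reg.register(ident)
    reg.allow(Rule("orders-api", "read", "orders-db"))        # service -> database, any hour
    reg.allow(Rule("alice", "ssh", "web-01", hours=(8, 18)))  # human -> server, business hours only
    reg.allow(Rule("web-01", "invoke", "orders-api"))         # server acting, service as resource
    return reg
```

Note that web-01 is a resource in one rule and an actor in another, which is the "identities as resources themselves" point; a request from an identity the registry has never seen is refused before any rule is consulted.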
Step 4: Select the Right Security Technology.

Goes without saying, right? However, most of those who implement security technologies never test it before the implementation. Many take the vendor or cloud provider’s word for things, which is a huge mistake. POC testing is mandatory. You should go into deployment with no questions unanswered.