The Doppler Quarterly Special Edition 2019 | Page 82
issue I find is that few in the enterprise understand the true
security requirements. Typically, they have notions about the
legal and compliance issues around the protection of corporate
and government data that are not based in reality.
Things that need to be reviewed in detail include any laws or
regulations that require compliance, and thus what technology
is mandated (e.g., encryption levels or location of data).
Moreover, existing internal policies around the protection of
data, including the existing approaches for evaluating risk,
must be identified. These should be written down and
approved by leadership so everything is clear and well
understood.
Step 2: Consider identity-based security.
The best approach to cloud computing security requires that
we deal with all assets, including humans, servers, databases,
data, processes, services, etc., as identities. These identities
can then be managed, in terms of access to resources, and as
resources themselves. The application of identity-based
security to cloud computing is quickly emerging. The most
successful and useful cloud security systems are able to manage
fine-grained identities to control when and how they
interact.
Step 3: Create a plan.
Many consider security to be one of those things that gets
added in the final hours of deployment or migration. The
reality is that approaching security in general – and cloud
specifically – requires that a master security plan emerge
using the requirements we’ve gathered in Step 1. Keep in
mind, security is systemic to cloud computing. It’s a part of
every step in the plan.
This drives down to the actual solutions, including solution
patterns and candidate technology that should be evaluated
as a potential fit. Many in IT approach security technology
with a bias toward their favorite or existing solutions. Don’t
lock yourself into a technology until you’ve understood the
requirements, and tested the technology.
Step 4: Select the right security technology.
Goes without saying, right? However, most of those who
implement security technologies never test them before the
implementation. Many take the vendor or cloud provider’s
word for things, which is a huge mistake.
POC testing is mandatory. You should go into deployment
with no questions unanswered.