Cloud security planning should be part of strategy from beginning

What are you doing about cloud security planning? I say planning because, in a survey of attendees at the recent SearchCompliance.com Making the Case for the Cloud virtual seminar, more than half of the IT professionals responding said they don’t have a cloud strategy in place — though 100% said they would within the next year.

The point is that a cloud security strategy should be part of a cloud plan from the beginning. How that plan gets formulated is up for grabs, however. Responding to an instant poll taken during one seminar session on cloud incident response, 45% said their cloud security plan consists of reliance on SAS 70 Type II audit reports; another 32% said they rely on service contracts and lawyers to sort out the details; and 23% answered that they “can’t get management on board” for any security plan.

That’s pretty shocking. Even overlooking the 23% who are throwing up their hands, the other two options are not much better, certainly not by themselves. The SAS 70 standard was not designed with cloud security in mind.

According to IT security consultant Kevin Beaver, the speaker in the incident response session, SAS 70 had its place but is being phased out. “But it’s not that simple,” he said. “The bottom line is, you have to dig in deep; you can’t just assume that if everything checks out in the SAS 70 Type II audit report, everything must be fine. Because that is not the case, based on what I am seeing in my security work.”

First steps for cloud security planning? Get a good lawyer, a good security consultant and your CEO, and put them in a room together. Order lunch. And get down to business.