Whether you are about to start your cloud journey or have used cloud services for some time, it will be an advantage to follow a strategy. Use the provided template in this article to make your own strategy for securing the cloud. The provided example is taken from the healthcare industry.
Supporting the business
According to Gartner, 99% of cloud security failures are the customer's fault. Cloud misconfiguration is considered a high risk to cloud deployments and has already led to the exposure of billions of data records. A structured approach to security architecture lowers this risk considerably, and that is the primary motivation for creating a cloud security strategy.
The cloud security strategy must align with the goals of the business and with the general cloud strategy. Many organizations include the security objectives and goals in the overall cloud strategy. In the template included in this article, you will find business and security objectives combined to illustrate the importance of security objectives in the cloud strategy.
My example cloud security strategy template is anonymized but actively used in my work as a security architect in the Norwegian health sector. References to legal obligations are adapted to an international audience with focus on US and EU regulations.
Communicate the strategy to stakeholders
The cloud security strategy has no value unless it has support from board members and management. The strategy must be communicated and understood not only at the executive level but also among architects, project managers, security staff, developers and operations team members. Make your presentation short and concrete to get your message across.
Focus on the why, how and what. Start with the motivation: why is the strategy important? Here you can highlight the threats that cloud misconfigurations pose to the business. Present the strategy objectives, explain why they are important and show how cloud security can be a business enabler for your company.
How you will fulfill the strategy is the next thing to highlight in your presentation. List the goals in the strategy and describe how they will contribute to the company's bottom line or corporate goals.
End the presentation by clearly stating what you need to accomplish the strategy goals. Summarize your needs as a project plan with resources and timelines. Resources always boil down to money, and timelines should give a realistic picture of how long you believe it will take to accomplish the goals.
The strategy template has a chapter covering the external drivers that matter to the cloud security strategy. These drivers can be anything with influence on the strategy. The template examples are:
- Legal obligations – how the business is regulated (HIPAA, GDPR, etc.)
- Data protection – how to protect the company assets (PHI, other regulated data)
- Changes in the IT industry – how the industry is evolving and how this affects the ability to compete with other companies
- Cybersecurity resilience – the company’s ability to detect and respond to cybersecurity attacks
Impact on the organization
The organization will always be impacted by changes to processes and technology, so implementing the strategy goals has an organizational dimension. Cloud operations require new roles and competencies that many companies have not yet established. A Cloud Center of Excellence (CCOE) can be a good approach for developing the organization.
Conduct a risk analysis in your organization using your internal methodology, and make sure all stakeholders are invited. Insert the risk elements with the highest risk scores in the strategy document along with the relevant mitigation strategies. The mitigation strategies should be reflected in the goals section under security initiatives.
A set of guiding principles is useful for everyone involved in cloud service delivery. These principles set the direction for how the company utilizes cloud services to support the business and how security is integrated into the cloud adoption process.
The template lists the following example principles:
- Application migration – how to handle existing applications as candidates for cloud migrations
- Security architecture – principles that form the basis for the overall security architecture
- Cloud service models – the prioritized use of the cloud service delivery models (IaaS, PaaS and SaaS)
- Cloud provider selection – preferred cloud service provider
- Hybrid networking – the scope and strategy for connecting on-premises networks to the cloud
- Data classification – principles for using data classification in the cloud
The goals of your cloud security strategy describe how you want to execute the strategy. This is often done by creating a roadmap, where the individual goals are split into implementation projects that are part of a program. The following goals are examples from the template:
- Target cloud security architecture – holistic architecture for security covering all cloud services
- Cloud foundation – processes, organizational model and requirements for cloud operation
- Security initiatives – what needs to be done to prepare the security organization for cloud operations
- Communication platform – goals for a communication platform project
- Research and analysis – framework for data protection and security architecture for research
- Development environments – initiatives for starting cloud development in the company
- Clinical solutions – the health sector's goals for improved patient communication
Using the cloud security strategy template
Use the template to fulfill the needs of your company, and customize its structure and contents to your specific context.