Cloud computing has revolutionized the way businesses operate, and it is growing exponentially.

The main advantages of this technology include cost optimization: there is no longer a need for upfront capital expenditure, and costs are further reduced through economies of scale, since many organizations share the service providers' underlying resources and thus share the total expenditure.


Businesses also no longer have to guess at their capacity needs and can make their services globally available in minutes. They can focus on their priorities rather than on maintaining data centers.

What are some of the security considerations an organization should make before embarking on migration to cloud?

Assuming there is a business requirement, the foremost consideration is that the organization should have a sound in-house information security program in place, supported by policies, procedures, standards and guidelines, and by the applicable regulatory and compliance requirements.

Then we must take into account the data classification and data protection regulations that will dictate the migration roadmap.

Based on these two security-related factors, we determine which processes, systems and data can be migrated, and which service model best suits our needs for each of the selected applications/resources, in line with our security program.

The next important step is choosing the Cloud Service Provider (CSP). From a security point of view, this includes a comprehensive review of contracts, terms and conditions, and SLAs. The main factors to consider include the security standards claimed, data ownership, shared responsibilities, non-disclosure agreements, dispute handling, and auditing/penetration test requirements.

Finally, once a particular CSP that is in line with our security program has been chosen, we need to revise our related programs: risk management, configuration/change management, vulnerability management, business continuity and disaster recovery plans, incident handling, security assessments, security awareness and training, and forensics.