Join David Linthicum for an in-depth discussion in this video, Cloud security planning, part of Learning Cloud Computing: Core Concepts.
- [Instructor] It's been my experience that security is the most important aspect of any cloud project. Unsecure clouds will fail quickly. Make sure you understand the security options, including certain security models, technology, and tools. Being proactive is the best defense, as we covered in the past videos. Make sure that you focus on monitoring and taking corrective action. It's the most important aspect of cloud security.

Cloud security requires that we understand the very basics, such as being reactive to the ultimate security solution where you can be more predictive, or spot issues before they become real problems. Using this maturity to understand the differences between the basic layer tools and integrated tools, then being proactive and predictive. Note that just after using the integrated tools that we reach minimum viable cloud security, which is good enough. Most enterprises, however, set the objective to be predictive and thus more secure.

Deal with the basics first. This means that we'll set a foundation of security that provides the minimal amount of security we need. It's important that this is the foundation, else we might focus too much on the proactive and predictive stuff and could be vulnerable at the primitive level. Understand that the maturity model presented in the last slide is progressive, in other words, take it in an orderly fashion.

Be proactive, meaning that the heart of any good cloud security architecture and technology is the ability to spot issues before they become problems. By the time a hacker has accessed your data, it's too late. But you can easily see how they progressed to the point and stop the attack before it becomes an issue.

Drive standardization needed to achieve business benefits while encouraging adaptability, flexibility, and innovation. This means that we should leverage security standards, and there are many, but should do so with productivity in mind. If using a standard not required by law means that we're making the end users less productive, then perhaps we should not be using that standard.

Provide clarity and security policies, standards, processes, roles, and accountabilities. Security is as much about people issues as it is technology issues, and thus we need to focus on what roles and processes exist. For example, it's the job of the DBA, database administrator, to report strange activity on the database to the security administrators, so that the issue can be looked into. If anybody takes the position that it's not their job, chances are clear indications of a breach will go unnoticed.

Measure and communicate results, drive continual improvement, build on existing capabilities. This means that we're looking to improve and thus there is a sound feedback loop that exists to allow cloud security admins to improve cloud security ongoing. In some instances this could be moving to a new level of encryption for data at flight or at rest that's more secure and easier to manage.