Your business may already use an extensive cloud environment—or maybe you’re just evaluating your options for spinning up a single cloud server. Either way, this guide is your sanity check for aligning the security policies in place for your on-premise and cloud technology to protect data (and your company) from internal and external threats. Synchronized policies not only strengthen the security of data, but they also effectively enable your organization to maintain operations and prepare for regulatory audits.
1. Perform a cloud vendor audit
Do your homework to ensure you comprehend the many options available for cloud deployment and determine the best fit with your organization’s needs. You can undertake this task with a knowledgeable internal team or work with an industry consultant for guidance. Remember that cloud vendors market their ease of onboarding over their security capabilities. Security is ultimately your responsibility. You’ll want to dig into the details of how information is protected, so you don’t get stuck with weak functionality. Finally, make sure you identify more than one suitable vendor as a contingency in case your preferred vendor isn’t approved by your organization.
2. Understand your procurement policies
Talk to your procurement department to get a handle on whether you can rely on a single cloud vendor or need to follow a dual deployment policy. Many organizations require more than one vendor for redundancy and failover capabilities.
3. Complete an internal security audit
Carry out an internal audit to unearth the security policies you currently have in place for both on-premise and cloud servers. Note discrepancies and assess technology barriers. For example, you need to know whether there are overlapping namespaces including ID ranges for user accounts.
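The namespace check described above, as an added example that is not part of the original guide: it compares two account inventories (constructed sample data, not a real directory) and reports where the same username or numeric ID refers to different people, which is what breaks when on-premise and cloud identity stores are merged.

```python
"""Detect user-account namespace collisions between on-premise and cloud inventories.
Added illustration with constructed data; the email field is assumed to be the
stable key that tells "same person, two accounts" from "two people, one name/ID"."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    source: str     # "onprem" or "cloud"
    username: str
    uid: int
    email: str      # assumed identity key (constructed for this example)


# Constructed sample inventories.
ONPREM = [
    Account("onprem", "alice", 1001, "alice@example.com"),
    Account("onprem", "bob", 1002, "bob@example.com"),
    Account("onprem", "svc-backup", 1500, "backup@example.com"),
]
CLOUD = [
    Account("cloud", "alice", 2001, "alice@example.com"),   # same person: needs an ID mapping, not a collision
    Account("cloud", "bob", 1002, "robert.b@example.com"),  # same name and uid, different person
    Account("cloud", "carol", 1500, "carol@example.com"),   # uid reused by a different person
]


def uid_range(accounts):
    uids = [a.uid for a in accounts]
    return (min(uids), max(uids))


def ranges_overlap(r1, r2):
    """True when the two inclusive (low, high) ID ranges share any value."""
    return r1[0] <= r2[1] and r2[0] <= r1[1]


def find_collisions(onprem, cloud):
    """Return (kind, value, onprem_identity, cloud_identity) for each real collision.
    A match on username or uid is only a collision when the identity key differs."""
    by_name = {a.username: a for a in onprem}
    by_uid = {a.uid: a for a in onprem}
    findings = []
    for c in cloud:
        o = by_name.get(c.username)
        if o and o.email != c.email:
            findings.append(("username", c.username, o.email, c.email))
        o = by_uid.get(c.uid)
        if o and o.email != c.email:
            findings.append(("uid", c.uid, o.email, c.email))
    return findings
```

Run `find_collisions(ONPREM, CLOUD)` against real exports to get the discrepancy list the audit step asks for; an overlapping `uid_range` on its own only signals that collisions are possible, the per-account findings show which ones are real.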
4. Assess the types of information being stored
Meet with those in charge of each critical line of business to pinpoint the types of information to be saved in the cloud and how data is expected to be moved to an on-premise environment. Evaluating security needs is also important across each area so you can grasp the sensitivity of information such as credit card data, personal employee details, financial or health records, passwords, business plans, etc.
5. Prepare for regulatory audits
Think through the audit process as it applies to your business. Talk to administrative staff to find out how much effort it is for them to support these disruptive activities. Determine what tools they currently use, and where gaps may reside. Understand each of the regulations your business needs to demonstrate compliance with, such as Sarbanes-Oxley (SOX), GDPR, HIPAA, PCI DSS, and others. Highlight which areas of the business may have more than one compliance regime to follow. For example, you may need to comply with SOX in North America and GDPR in Europe.
6. Standardize security policies, including user access
Whether you have a hybrid or on-premise environment, it’s important to make sure you have a solution that works seamlessly across both technology stacks. Relying only on a cloud vendor’s default security settings is a mistake, because they may not be strong enough to meet your needs or may not be compatible with your on-premise equipment. Identify which technology solutions, such as identity and access management, you will put in place to address your security requirements.
7. Map out the project’s timeline and potential for disruption
Once you develop your game plan and the associated dates, determine the likelihood that everyday processes will be disrupted during the update period. Some areas of your business may not be able to tolerate even 10 minutes of downtime. Establish contingency plans to lay out the actions your team will take in the event problems arise.
8. Plan a test run
While some organizations can forego a test run, most require a detailed testing plan to make sure all parts of the technology infrastructure are working seamlessly before the actual go-live. The last thing you want is to have an unsuccessful migration that affects your ability to maintain business operations—or worse, those of your customers or key suppliers. Establish rollback scenarios that allow you to back out of the new environment easily, giving you time to evaluate what went wrong and how you can fix the problem.