

7 Steps to Developing a Cloud Security Plan

Executive Summary:
Designing and implementing an enterprise security plan can be a daunting task for any business. To help facilitate this endeavor, NaviSite has developed a manageable process and checklist that can be used by enterprise security, compliance, and IT professionals as a framework for crafting a successful cloud computing security plan. It defines seven sequential steps that have been tested and refined through NaviSite's experience helping hundreds of companies secure enterprise resources according to best practices. This plan enables organizations to gain the economic advantages of secure and compliant managed cloud services.
Cloud infrastructure services enable improved efficiencies for IT, allowing companies to reduce capital expenses even as resource demand increases. They also provide companies a competitive edge through greater scalability and flexibility to address business opportunities. Concerns around the security of cloud infrastructure have been viewed as a barrier to adoption, but there are seven tangible steps enterprises can take to gain the cost and business advantages of cloud services without compromising the security of enterprise applications.

Cloud computing provides compelling cost and strategic benefits, including: scalability with reduced capital expenditure; more efficient use of IT resources; and the ability for an organization to focus on its core competency. Many well-established security technologies and procedures can be applied to cloud computing to provide enterprise-class security. In many cases the cloud provider can achieve better security in a virtualized environment than enterprises can achieve internally.

Selecting a service provider with strong security procedures and services in cloud computing can be a strategic move, but enterprise organizations need to continue to take an active role in security and risk management. Working together, the cloud provider and the enterprise can ensure that existing security practices are being complemented and that enterprise resources are protected according to industry best practices.

A secure cloud services plan breaks down into the following seven steps:

FIGURE 1: 7 STEPS
1. Review Your Business Goals
2. Maintain a Risk Management Program
3. Create a Security Plan that Supports Your Business Goals
4. Secure Corporate-Wide Support
5. Create Security Policies, Procedures, and Standards
6. Audit and Review Often
7. Continuously Improve

By following these steps the enterprise can rely on a proven methodology for cost-effectively and securely leveraging cloud services. NaviSite takes pride in ensuring its enterprise customers' services are secure and reliable, but encourages all businesses, no matter what provider they are partnering with, to take an active role in being sure their specific security and compliance requirements are met.

By following these steps organizations can structure security and compliance programs to take advantage of the economic advantages of managed cloud services while meeting organizational security and compliance objectives.

Step 1: Review Your Business Goals

It is important that any cloud security plan begins with the basic understanding of your specific business goals. Security is not a one-size-fits-all scenario and should focus on enabling:

- authorization, managing and monitoring, and reporting and auditing technologies should be leveraged to protect, monitor, and report on access to information resources
- PROCESSES: Methodologies should be established that define clear processes for everything from provisioning and account establishment through incident management, problem management, change control, and acceptable use policies so that processes govern access to information
- PEOPLE: Organizations need access to the proper skill sets and expertise to develop security plans that align with business goals

Too often, organizations view internal security and compliance teams as inhibitors to advancing the goals of the business. Understanding the business objectives and providing long-term strategies to enable business growth, customer acquisition, and customer retention is essential to any successful security plan.

The best way to do this is to develop cloud security policies based on cross-departmental input. A successful security program includes contribution from all stakeholders to ensure that policies are aligned and procedures are practical and pragmatic. The broader the input, the more likely the final security plan will truly align with, and support, corporate goals. Executive input is not only essential to ensure that assets are protected with the proper safeguards, but also to ensure that all parties understand the strategic goals. For example, if a company plans to double in size within a few years, security infrastructure needs to be designed to support scalability.

CASE IN POINT: At NaviSite, we often see customers faced with the challenge of making major security and technology changes to address evolving corporate goals. For example, a customer that hosts multiple merchant sites had a Payment Card Industry (PCI)-compliant application, but when it was acquired, its parent company required stricter controls that conformed to the enterprise-wide PCI program. The acquired company came to us with a small-company perspective, while the new parent company wanted to enforce even tighter security across its divisions.

We worked with them to realign and bolster the goals of the acquired company's security and compliance programs with the corporate goals of the parent company. By reviewing the business goals with the stakeholders from the parent company, the newly acquired company, and our security team, we were able to identify and document the objectives for the new compliance program and ensure that they were aligned with the over-arching PCI program.

Step 2: Maintain a Risk Management Program

It is naive to think that your applications will never be breached, whether they are hosted in your data center or in a managed data center. Every organization needs to develop and maintain a risk management program, and it should be done centrally and viewed holistically.

An effective cloud computing risk management program is important for reducing the overall risk to the organization. It is also essential for prioritizing the utilization of resources and for providing the business with a long-term strategy. If a growing organization can identify and reduce the risk of new products, technologies, processes, people, and vendors, it can better focus on revenue growth and improved profitability.

It is only through a well-defined and carefully maintained risk management program that you can provide an aggregated view of the risk that a company is willing to accept. The generalized view is that you assess the value of the asset, assess the loss expectancy probability, and then quantify whether the organization is willing to accept the risk of loss or whether steps should be taken to mitigate the chances of that loss. Security professionals are encouraged to regularly conduct careful analysis to develop responsible programs and build in the necessary controls and auditing capabilities to mitigate threats and maintain a reasonable security program that protects organizational assets, given budgetary resources.

The cloud computing risk assessment policy requires buy-in from the very top. This program should be audited, and policies defined that explicitly state who can accept risk on behalf of the organization.

If you have a well-developed risk management program in place, then you have identified your critical assets and established appropriate levels of protection. By moving some or all of your business applications to the cloud, you gain the additional benefits of your provider's business continuity planning and protection from unthinkable events, such as natural disasters. Seamless failover to a redundant data center thousands of miles away provides shareholders with increased comfort in knowing their business is protected and secure.

At NaviSite, we continue to see disaster recovery and business continuity initiatives gaining increased corporate focus as a direct result of the migration of ERP applications to the cloud. For example, a publicly traded company outsourced its financial applications to NaviSite. However, it did not have a business continuity and disaster recovery (BCDR) plan.

As we worked with them on their risk management program - identifying risks, evaluating the value of the assets, and looking at annualized loss expectancies to build out the level of assurance they needed - they realized the economic argument and value for enabling seamless failover to a redundant site across the country.

Management went back to the Board of Directors and quickly received approval. The company now has a solid disaster recovery program in place with annual testing to ensure business continuity. The company did not initially understand the risk its shareholders were incurring until it developed a formal risk management program, and by quantifying that risk the company was able to take appropriate steps to mitigate and protect itself adequately while ensuring business

Step 3: Create a Security Plan that Supports Your Business Goals

Your cloud computing security plan should include goals with measurable results that are consistent with providing support for the growth and stability of the company. The plan should include compliance programs, technologies, and processes with very specific results. For example, a growing IT services company may pursue a data center compliance program, such as SSAE 16 (the successor to the SAS 70 standard), a service management framework which requires in-depth audits of control activities that include: security monitoring, change management, problem management, backup controls, physical and environmental safeguards, and logical access. Goals should include:

- Specific date for completion
- Verification of achievement, such as a Service Organization Controls (SOC) report
- Measurable expected result, such as a reduction in reported incidents by five percent, improvement of risk mitigation by reduction of Annualized Loss Expectancy (ALE) by ten percent, or successful passing of customer audits increasing by twenty percent

The security plan in many ways becomes a natural extension of the previous two steps. For example, if a U.S. company is planning for an IPO, becoming compliant with the Sarbanes-Oxley Act (SOX) requirement is essential. Section 404 of SOX explicitly requires management and the external auditor to report on the adequacy of the company's Internal Control on Financial Reporting (ICFR). Companies have to assure that the data is valid and has not been altered. It is primarily the responsibility of the IT group to ensure SOX compliance.

Many of the needs to change security plans are not a result of corporate strategies but evolutions of compliance requirements. For example, at NaviSite, we help clients maintain compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Health Information Technology for Economic and Clinical Health Act (HITECH) addresses the privacy and security concerns associated with the electronic transmission of health information and it extends the privacy and security provisions of HIPAA. By partnering with cloud providers, organizations are more nimble and can more easily modify their security plans to support evolving corporate strategies or regulatory requirements.

Step 4: Secure Corporate-Wide Support

A key element of a successful cloud computing security plan is the involvement and support of the plan across the organization. Many security departments build out vast arrays of policies that are difficult to implement across the organization. Prioritizing these policies and ensuring that they are not in conflict with other policies from different departments is essential for establishing support and acceptance.

A given security policy may not rely on the latest technology or provide the most secure results, but balancing ease of deployment and organizational acceptance with security is a necessary tradeoff. Organizations need to establish levels of security that meet business goals and comply with regulatory requirements and risk management policies, but that can be centrally managed and conveniently implemented across the organization with minimal negative impact to productivity. Recognize that it is impossible to completely eliminate risk, but it is prudent to mitigate it in a reasonable

At NaviSite, we have found that the key is to take time to gain a solid understanding of how a company develops its products and services and delivers them to its customers. The majority of your time spent building support for security policies should not be spent in writing those policies, but instead should be spent in learning how the business truly functions so that security can better contribute to its success, and not be viewed as a hindrance or a daily obstacle.

For example, we have worked with manufacturing companies that were building highly sensitive products. In one company, the security team designed a security plan that was so restrictive the plant had to ignore the mandated controls to function productively. This led to the failure of the third-party audit and ultimately a recall of the product manufactured with the circumvented controls. We also worked with an insurance company that developed an application for estimating the cost of insurance that secured the data sources used by the application; they wrote security policies such that they restricted internal departments from viewing critical data needed to perform their jobs.

Companies need to ensure that the security plan is not only aligned with the goals of the organization, but also with the goals of the major departments that will be implementing it. Gaining this acceptance streamlines adoption throughout the organization.

Step 5: Create Security Policies, Procedures, and Standards

A set of guidelines is important to ensure that all compliance measures are identified and the entire organization is driving toward achievement of the same goals. For example, for a healthcare provider, it may be important to provide HIPAA- and HITECH-compliant health care services to new and existing patients. In order to do so, the organization must build security policies that define the constraints in the handling of Protected Health Information (PHI), procedures that define the process of acquiring PHI, and guidelines that encourage the general adoption of best practices.

When you are audited for SOX, PCI Data Security Standard (DSS), or any other relevant compliance standard that affects your business, the auditor will look at existing policies, how you have implemented them, and whether they are being followed throughout your organization. Every company audited wants to make sure it passes the audit, and if you have completed all the previous steps outlined in this process, it will make it easier for you to create security guidelines that can be consistently enforced.

New clients often ask, "What's the easiest way to create security policies, procedures, and standards?" and the answer is simple: turn to best practices. When it comes to establishing security guidelines, it is much easier, more practical and productive to edit than it is to create. Assuming you have gone through the previous four steps, security and compliance teams have had to establish many of the policies necessary to address business requirements. Read everything you can and apply best practices to creating policies that align with business goals, develop procedures that are realistic and that will be acceptable to the organization, and wherever possible turn to industry standards to guide you.

Cloud services are a major advantage for growing organizations that have not yet embedded established policies and procedures into the company. The enterprise can rely on the best practices the service provider has developed over years of experience in similar

As with many enterprise cloud service providers, including NaviSite, change management is a clearly defined process governed by well-established guidelines. Each change must be approved by the proper personnel, and then implemented in a quality assurance environment. Once it is tested and approved through a user acceptance procedure, it is introduced to the end-user community in the least intrusive manner possible with a clearly defined back-out procedure in place in case there are unforeseen problems or issues with user adoption.

By turning to high-performance cloud computing, the enterprise can dramatically reduce the learning curve for developing security policies, procedures, and standards. Organizations can accelerate the adoption of best practices for protecting enterprise resources by adopting proven security methodologies.

Step 6: Audit and Review Often

It is important to review the security plan on a regular basis, report on achievements of goals, and audit the compliance of the organization to the security policies and procedures. If it is part of your overall business plan, a third-party audit can provide an impartial review of the controls and report on compliance to established programs, such as SSAE 16, PCI DSS, or Safe Harbor. Some industries mandate audits, and U.S. publicly traded companies have to conduct internal audits every quarter when they release financial statements. Understanding the auditing requirements for your business and the frequency of your audits is essential not only for ensuring compliance with relevant requirements but also for maintaining best practices for securing enterprise resources.

For example, SSAE 16 audits are conducted every six months, but at NaviSite we conduct internal audits every three months to ensure ongoing compliance and provide assurance that our data centers and our support infrastructure remain current with SSAE 16 requirements. The SSAE 16 audit is aligned with our security goals because it assures customers that our processes, procedures, and controls have been formally reviewed. It also demonstrates our compliance with Section 404 of the Sarbanes-Oxley Act. By auditing and reviewing the results regularly, companies can implement a constant audit cycle that ensures that the controls remain in place and that they are being followed. If problems occur, they can be identified and remediated before the next audit cycle.

Step 7: Continuously Improve

A well-developed security plan will allow for the continuous improvement of security and compliance. At a minimum, annually review your cloud computing security plan with senior executives and your cloud services provider, and revise goals and objectives as needed. Review and edit security policies and procedures, and actively report back to the organization the accomplishments of the security and compliance teams.

Many companies believe that once they have solid policies and procedures in place they do not need to revisit them, but your industry and your business will change over time, and the technology available to support your security plan will evolve. Just ten years ago remote workers had limited access to enterprise applications, but rapid advances in VPN technology and massive demand for secure remote access have driven most companies to develop policies and procedures to support a mobile workforce. And the technology to support these policies and procedures is enabling businesses to provide the flexibility for employees to work from virtually anywhere.

Review all of your generally accepted security policies at least annually. At NaviSite, we review our security policies on an even more frequent basis. An annual review is designed into some compliance policies; if that's the case for your business, consider reviewing your security policies every six months so you have the time to evaluate your current policies, update them when needed and change procedures when necessary before your next audit. Continuous improvement is the key to your security plan. Understanding the dynamic nature of your business and constantly evaluating security requirements are the foundation for implementing a successful continuous improvement strategy.

Properly managed cloud infrastructure provides better security than most enterprise data centers, applications, and IT infrastructure. It allows companies to more efficiently deploy scarce technical personnel. Use this proven process and the summary checklist provided in Appendix A as an easy guide to structuring your cloud computing security plan.

Selecting a stable cloud service provider with world-class data centers, enterprise cloud computing infrastructure, application expertise, and a proven security methodology will help the enterprise reap the financial rewards of cloud computing while implementing a security framework optimized for the requirements of cloud architectures.

These seven steps are meant to serve as a framework to guide companies as they develop a secure cloud-computing plan. By following these guidelines, organizations can structure security and compliance programs to take advantage of the financial benefits of managed cloud applications and services while meeting organizational security and compliance objectives.

ABOUT NAVISITE

For more information about secure cloud computing services from NaviSite, please visit or send an e-mail to us at or call us at 1.888.298.8222 to discuss your secure cloud computing requirements.


Appendix A:

By following these seven steps to developing a secure outsourcing plan developed by NaviSite, the enterprise can rely on a proven methodology for cost-effectively and securely outsourcing IT services.

STEP 1: REVIEW YOUR BUSINESS GOALS
- Understand your business goals and direction
- Develop cloud security policies based on cross-departmental input that includes insights from senior management and all of the stakeholders
- Ensure that all security policies are aligned with strategic goals, and that the procedures are practical and pragmatic

STEP 2: MAINTAIN A RISK MANAGEMENT PROGRAM
- Develop and maintain a risk management program centrally, and view it holistically
- Carefully define exactly who is authorized to accept risk on behalf of the enterprise
- Implement a well-defined and carefully maintained risk management program so you can provide an aggregated view of the risk that a company is willing to accept
- Ensure that security professionals regularly conduct careful analysis to develop responsible programs and build in the necessary controls and auditing capabilities to mitigate risks and protect organizational assets
- Gain executive-level buy-in to the cloud computing risk assessment policy, and for publicly traded companies, gain Board-level approval if necessary
- Consider seamless failover to a redundant data center and disaster recovery planning integral to risk

STEP 3: CREATE A SECURITY PLAN THAT SUPPORTS YOUR BUSINESS GOALS
- Develop goals with measurable results that are consistent with providing support for the growth and stability of the company
- Include compliance programs, technologies, and processes with specific metrics
- Work with your cloud service provider to ensure that your security plan is nimble enough to support evolving corporate strategies or regulatory requirements

STEP 4: SECURE CORPORATE-WIDE SUPPORT
- Gain the approval of your cloud computing security plan from not only executive management but also the general workforce
- Make sure security policies are not in conflict with other policies from different departments, and that they are not too time-consuming
- Establish levels of security that can be centrally managed and conveniently implemented across the

STEP 5: CREATE SECURITY POLICIES, PROCEDURES, AND STANDARDS
- Establish a set of guidelines to ensure that all compliance measures are identified
- Make sure that compliance requirements are reflected in your policies and procedures
- Ensure that auditors can clearly review your policies and how you have implemented them, so they can see that they are being followed
- Design a comprehensive, layered approach based on a security framework to address common regulatory requirements. This will make it easier to adopt and maintain security procedures that can be audited so you can achieve your security and compliance goals.
- Turn to this 7-step plan as the foundation for your internal audits. If you don't have these steps in place, you won't have a structure that auditors can easily follow
- Read everything you can and apply best practices to creating policies that align with business goals
- Develop procedures that are realistic and that will be acceptable to the organization

STEP 6: AUDIT AND REVIEW OFTEN
- Review the security plan on a regular basis, report on achievements of goals, and audit the compliance of the organization to the security policies and procedures
- If it is part of your overall business plan, turn to a third-party audit to provide an impartial review of the controls and report on compliance to established programs
- Understand the auditing requirements for your business and the frequency of your audits, not only for ensuring compliance with relevant requirements but also so you can implement best practices for securing enterprise
- Audit and review the results regularly to ensure that the controls remain in place and that they are being followed
- If an audit reveals any potential security or compliance problems, ensure they are remediated before the next audit cycle

STEP 7: CONTINUOUSLY IMPROVE
- Annually review your cloud computing security plan with senior management and your cloud services provider
- Re-establish goals
- Review and edit security policies and procedures
- Actively report back to the organization the accomplishments of the security and compliance teams

These steps should be implemented sequentially, and it is an iterative process based on best practices and focused on continuous improvement.

By following these guidelines, organizations can structure security and compliance programs to take advantage of the economic advantages of managed cloud applications and services while meeting organizational security and compliance objectives.