3 Strategies to Confidently Build Security and Compliance in the Cloud

The challenge many businesses face concerning security and compliance in the cloud is nervousness about getting it wrong. Upfront planning and organization can ease those concerns.

Your browser doesn’t support HTML5 audio

When putting your business into the cloud, one of the most important discussions you’ll have will be around risk — particularly around security and compliance.

How can you make sure you’re having the right conversations about the cloud? One strategy is to embrace these issues from the start.

“Most organizations that we come across these days have really moved away from that mentality that security is an afterthought or a bolt-on to a project at the end,” said Jeff Falcon, cybersecurity practice lead for CDW, in a roundtable discussion.

He said many organizations have come to realize that security must be an important element of organizational culture.

“Bringing that culture together … working together collaboratively is really one of the areas that we want to talk about in security.” he said.

Here are three other considerations for balancing risk and compliance with your cloud ambitions:

1. Don’t let the idea of security scare you.

Often, security is discussed as a complex process achieved over a long period of time. That kind of thinking can make the process of building security into an organization seem more cumbersome than it needs to be, the roundtable speakers emphasized.

“You need to weave it in, in such a methodology so that it's simply generational, and it's simply the way that things are done,” Aaron Ansari, vice president for Cloud One – Conformity at Trend Micro. He added that it must not be seen as a roadblock with the potential “to slow down the velocity of the development and release process.”

Mark Nunnikhoven, Trend Micro’s vice president of cloud research, says that the sense of alarm that security messaging has been met with in the past has done a disservice to those simply looking to do it right, as has the idea that security is a problem to be solved.

“At the end of the day, it really just boils down to: Security is a set of processes and tools that help you make sure that whatever you're trying to build does what you want it to, and only that — nothing else,” he said.

2. Understand the importance of compliance up front.

Compliance can often be a frustration when it comes to cloud management, but it’s still something that shouldn’t be taken lightly.

Ansari characterized compliance as “the hammer or the enforcement arm of a federal organization or a governing body” that ensures steps are being taken to follow the rules. He recommended that businesses take compliance considerations seriously.

“No organization wants to go through the cheese grater that happens when you have to go through a compliance violation,” he said. “Your business never comes out the same on the other side. And the risk that’s tied to is simply too great.”

3. Build your cloud with compliance in mind.

In terms of the cloud, Falcon recommends building a cloud center of excellence or thought leadership team to help ensure that compliance concerns are being considered on the front end.

“It can come back and really hurt an organization if they don’t set that up properly the first time,” he said.

Nunnikhoven recommended that, when building a compliance strategy, automation tools such as posture management should be used as a way to help manage compliance over time. Then, when audits do happen, the organization is not trying to put together evidence of compliance after the fact.

“I've seen it with teams around the world: Everybody freaks out on Friday afternoon that the auditor is coming on Monday. And so, they scramble all weekend trying to build out this lovely report for the auditor to be like, ‘Oh, look, we're in compliance,’” he said. “All that worry and burden is taken away because you've automated it into your system.”

Insiders can watch the full roundtable discussion on cloud risk and security here.

More On Cloud Security, Compliance, Security,