What does the team know about the cloud provider under consideration? Master the provider’s security offerings and their best practices for access control, architecture, and design. Significant strides have been made in cloud GRC (governance, risk, and compliance) practices over the past few years; align the team with these security practices. For example, under the provider’s shared-responsibility model, does the responsibility for all data protection fall to the user?
What’s the status of the company’s external security perimeter? How does the company currently protect its production workloads and production data center from outside attacks? Once the team secures the perimeter, it can plan to compartmentalize data for the cloud. Does the company have a set of internal firewalls protecting its databases? In the cloud, the team might use a database-as-a-service that requires a different means of protection. This information will help build the security “compartmentalization architecture.”
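One concrete check behind the compartmentalization question is whether the database tier is reachable only from the application tier. The following is an added example, not code from the original article: it audits a constructed set of inbound network rules for a hypothetical managed database on port 5432 and flags any rule that lets a source outside the allowed application subnet reach that port. The rule format, port, and subnet are assumptions; in practice the rules would come from the provider’s API or from infrastructure code.

```python
"""Added example (not from the original article): audit inbound rules on a
database tier so that only the application subnet can reach the database port.
The rule dicts, port and subnets below are constructed for illustration.
"""
import ipaddress

# Hypothetical database port and the only source subnet allowed to reach it.
DB_PORT = 5432
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]  # app tier (constructed)

# Constructed sample of inbound rules on the database tier. "cidr" is the
# source range; "from_port"/"to_port" bound the destination port range.
SAMPLE_RULES = [
    {"id": "r1", "cidr": "10.20.0.0/24", "from_port": 5432, "to_port": 5432},  # app tier, ok
    {"id": "r2", "cidr": "0.0.0.0/0",    "from_port": 5432, "to_port": 5432},  # world-open
    {"id": "r3", "cidr": "10.30.0.0/16", "from_port": 0,    "to_port": 65535}, # other tier, all ports
    {"id": "r4", "cidr": "10.20.0.0/24", "from_port": 22,   "to_port": 22},    # not the DB port
]


def rule_exposes_db(rule, db_port=DB_PORT, allowed=ALLOWED_SOURCES):
    """Return True if the rule lets a source outside the allowed subnets reach db_port."""
    if not (rule["from_port"] <= db_port <= rule["to_port"]):
        return False  # rule does not cover the database port at all
    source = ipaddress.ip_network(rule["cidr"], strict=False)
    # A source is acceptable only if it is fully contained in an allowed subnet
    # of the same IP version (subnet_of raises on mixed versions, so guard it).
    contained = any(
        source.version == net.version and source.subnet_of(net) for net in allowed
    )
    return not contained


def audit_db_rules(rules, db_port=DB_PORT, allowed=ALLOWED_SOURCES):
    """Return the ids of rules that break the database compartment."""
    return [r["id"] for r in rules if rule_exposes_db(r, db_port, allowed)]


if __name__ == "__main__":
    print("rules exposing the database tier:", audit_db_rules(SAMPLE_RULES))
```

The check is deliberately strict: a source range is accepted only if it sits entirely inside an allowed subnet, so a broad range that merely overlaps the application tier (r3) is reported along with the world-open rule (r2).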
How will the company authenticate and authorize access? If the company uses a third-party cloud service provider, how will it manage remote access across multiple levels of privilege and authorization? How will the team tie the right level of access to the right level of authentication before allowing remote access? The company must ensure its admins have the right access while, say, company accountants have access to the proper financial system of record – and nothing else.
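The pairing of access level with authentication level described above can be expressed as a deny-by-default policy check. The following is an added example, not code from the original article: each role grants a fixed set of (system, action) permissions, and each action carries a minimum authentication assurance level, so an accountant can work in the ledger but cannot touch IAM, and even a cloud admin is refused privileged actions from a password-only session. The role, system, action and assurance-level names are constructed assumptions; a real deployment would take them from the identity provider.

```python
"""Added example (not from the original article): a deny-by-default
authorization check that ties each level of access to a minimum level of
authentication. Role, system and assurance-level names are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Authentication assurance levels, weakest to strongest (constructed names).
ASSURANCE = {"password": 1, "password+otp": 2, "password+hardware_key": 3}

# Role -> set of (system, action) permissions. Anything not listed is denied.
ROLE_PERMISSIONS = {
    "accountant": {("finance_ledger", "read"), ("finance_ledger", "write")},
    "cloud_admin": {("finance_ledger", "read"), ("iam", "admin"), ("database", "admin")},
}

# Minimum assurance level per action: privileged actions need stronger
# authentication than routine reads.
MIN_ASSURANCE_FOR_ACTION = {"read": 1, "write": 2, "admin": 3}


@dataclass(frozen=True)
class Session:
    user: str
    roles: FrozenSet[str]
    auth_method: str  # key into ASSURANCE


def authorize(session: Session, system: str, action: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Allowed only if some role grants the permission
    AND the session's authentication meets the action's required strength."""
    granted = any(
        (system, action) in ROLE_PERMISSIONS.get(role, set()) for role in session.roles
    )
    if not granted:
        return False, f"no role of {session.user} grants {action} on {system}"
    required = MIN_ASSURANCE_FOR_ACTION.get(action)
    if required is None:
        return False, f"unknown action {action!r}"
    level = ASSURANCE.get(session.auth_method, 0)  # unknown method counts as no assurance
    if level < required:
        return False, f"{action} on {system} needs assurance {required}, session has {level}"
    return True, "allowed"


if __name__ == "__main__":
    acct = Session("alice", frozenset({"accountant"}), "password+otp")
    admin = Session("bob", frozenset({"cloud_admin"}), "password")
    print(authorize(acct, "finance_ledger", "write"))  # allowed
    print(authorize(acct, "iam", "admin"))             # denied: no role grants it
    print(authorize(admin, "iam", "admin"))            # denied: password-only session
```

Two design points carry the weight: permissions are looked up positively (no match means deny, so a missing role or a typo fails closed), and the assurance check runs after the permission check so the reason returned tells an operator which of the two controls blocked the request.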
Once data goes to the cloud, how will the company back it up? How will the company adapt its business continuity and disaster recovery plan? As it stands, the company may have a plan that when the data center in Phoenix goes down, it recovers to the data center in Reno. How does this translate to a cloud environment? This may involve multiple providers and geographic regions. The team must assess which workloads need backup and where.