Cloud computing can be more secure than traditional IT: cloud providers and current cloud server technologies employ and deliver security controls well beyond the means of any small to medium business.
Extend organizational practices pertaining to the policies, procedures, and standards used for application development and service provisioning in the cloud, as well as to the design, implementation, testing, and monitoring of deployed or engaged services.
Understand the various types of laws and regulations that impose security and privacy obligations on the organization and potentially impact cloud computing initiatives, particularly those involving data location, privacy and security controls, and electronic discovery requirements.
Incorporate mechanisms into the contract that allow visibility into the security and privacy controls and processes employed by the cloud provider, and their performance over time.
Understand the underlying technologies the cloud provider uses to provision services, including the implications of the technical controls involved on the security and privacy of the system, with respect to the full lifecycle of the system and for all system components.
Identity and Access Management
Ensure that adequate safeguards are in place to secure authentication, authorization, and other identity and access management functions.
Understand virtualization and other software isolation techniques that the cloud provider employs, and assess the risks involved.
Evaluate the suitability of the cloud provider’s data management solutions for the organizational data concerned.
Ensure that during an intermediate or prolonged disruption or a serious disaster, critical operations can be immediately resumed and that all operations can be eventually reinstituted in a timely and organized manner.
Understand and negotiate the contract provisions and procedures for incident response required by the organization.