Best practices for cloud security: Be cognizant of what's in the cloud

In this Ask the Expert, Booz Allen Hamilton's Anil Markose offers the cloud security best practices organizations need to protect their cloud information.

When implementing best practices for cloud security, it is imperative that organizations view the cloud as an extension of their own environment, according to Anil Markose, senior vice president at Booz Allen Hamilton.

Markose spoke with SearchCIO at the recent RSA conference and in this Ask the Expert describes his top three best practices for cloud security. He explains that it is very important for organizations to know what data they are storing in the cloud and stresses the need to negotiate an effective cloud service contract.

Editor's note: This interview has been edited for brevity and clarity.

What best practices for cloud security should companies adopt?

Anil Markose: First is understanding what is in the cloud. Some organizations don't even realize that an application that they thought was on premises is actually a SaaS application. They don't understand that the back end is in the cloud already. There should be some level of governance around what is going into the cloud and what your cloud presence is. The one big key around that is that the old days of shadow IT are happening all over again because the business now can go directly to AWS and open up an environment and buy whatever service they want. It's almost like the internal IT organizations are competing with an external vendor for the same services. It is really about understanding what exposure you have in the cloud.

Once you know that, the second is you have to understand what data is going into the cloud. I'd say in most cases an organization cannot tell you how much of their environment is in the cloud. If you don't know what's in the cloud, you definitely don't know what data is in there. Now you have a secondary problem: Do you have a regulatory compliance issue? Do you have a potential data breach issue that you don't even know about because sensitive information that requires reporting is actually not under your control anymore?

And then number three is, when you go into those types of situations, are the contracts set up correctly? Do you have the right risk management in place? If something bad were to occur, who's liable for that? Nine out of 10 times that company is definitely liable for it. But they have absolutely no control over how they're going to fix the situation, or they're at the mercy of that cloud provider or the SaaS provider. And so it is things like: Can you get cyber insurance? Can you get different things put in the contract to kind of hedge your risks around it?

Also, when we talk about the attack surface, most organizations will still look at it as their SOC is worried about the enterprise IT, and then they have this secondary program that does cloud security stuff. Why would we treat the cloud differently than an on-premises environment? It's just an extension of the attack surface.

It is important to think about the cloud as an extension of your environment. You should provide the same level of control, security and visibility in the cloud as you would on prem.