Cloud Computing Security Policy for SNPO-MC - Essay Example

Cloud Computing Security Policy for SNPO-MC Cloud Computing Security Policy for SNPO-MC Purpose The policy outlines the security practices and processes for using cloud services in the daily operations, data manipulation and storage and use of applications at SNPO-MC organization. Scope The policy will be used by managers, executive, staff and as a guide to negotiating terms with cloud providers. Definitions Employees of the organization are people who work in the organization. Executives who are on the loan are referred to as loaned staff members, and they usually telework for the group on specific days of the week. Volunteers regularly telework from their homes a few days of the week. Cloud Computing Services Platform as a Service The cloud vendor shall provide computing platform where SNPO-MC will develop applications and deploy applications. The service shall be implemented with security protocols both from the vendor and SNPO-MC. Infrastructure as a Service The cloud vendor shall provide servers to host the companies website, emails, remote access and software applications and file servers. It shall also include networking equipment and VPN configurations. Software as a Service The cloud vendor shall host some software that will be used by both the employees, teleworkers and volunteers in processing and submission of data for the databases. The cloud provider shall implement a hybrid cloud where a private cloud dedicated to providing services to SNPO-MC, and it shall also allow employees of SNPO-MC to access its public cloud for other services. The private network shall be hosted off the premises of SNPO-MC but will be managed by both the cloud vendor and IT staff from SNPO-MC. The shall effect cloud bursting between the public and private cloud. Policy Statement Overview Cloud computing services comprise of an infrastructure, resources and applications that SNPO-MC can access over the Internet. Large companies like Microsoft, Google, Amazon provide these resources so that they can be readily and cheaply available to people. Most of the cloud services provide support for communication, data storage, data analysis, data processing, project management, and scheduling. Cloud services will be very easy for the staff and executives of SNPO-MC to use since they are readily accessible to workstations, tablets, smartphones and laptops via the Internet. Despite the numerous advantages of the cloud, security is a primary concern especially on the public cloud where unauthorized access of organizations data can compromise the operations of an organization and bring a lot of losses. Standards SNPO-MC should verify before entering into an agreement with the cloud vendor that it complies with standards from Federal Information Processing (FIPS) and NIST Special Publications (SP). The standards include: FIPS 199 FIPS 200 SP 800-53, Appendix J SP 800-61, Revision 1 SP 800-122 Cloud Security Considerations Procuring and Licensing Cloud Services A chief IT manager shall be appointed and will be responsible for all cloud service negotiations with cloud vendors. The IT manager will overview the implementation of all security policies that involve both the general staff and the executive. The IT manager in consultancy with the company lawyer will monitor compliance with SNPO-MC cloud policies with the required government standards. No individual department or manager in SNPO-MC shall be allowed to procure cloud services for the daily operations of the organization. Ownership of content Data and information stored in the cloud databases are owned by the creator of the data. In this case SNPO-MC organization. The cloud provider shall not in any case alter, reproduce or reuse the data publicly for their use. The cloud provider will only be allowed to modify the data so that it can fit their database data format or in order to optimize its efficiency in the cloud database. The cloud provider will not be allowed to acquire intellectual property rights or to license and the laws agreed with SNPO-MC will not be subject to amendment over the period it is offering services to SNPO-MC. The cloud provider and SNPO-MC should sign an agreement to this effect before the cloud services are rolled out. Several data asset catalogs will be created to define access levels by the level of staff in SNPO-MC. Top financial managers from the accounting department will be given read, write and modify capabilities to the data from their department. Catalogs for executive, departments, general staff in either New Jersey and San Francisco will be defined, and all will have a differing access level. The access levels will be for both local databases and cloud databases. Privacy and confidentiality Identity and access management of the cloud services will be managed by Identity Federation. Identity federation will require the cloud provider to share security attributes and digital identities across both domains. It will require a single sign-on into the cloud services and infrastructure. Identity federation for SNPO-MC will be implemented through Security Assertion Markup Language (SAML). The SAML standards will implement authentication to the cloud services. Authentication request failed login, and successful login information will be shared between the provider and SNPO-MC. Five access control levels will be set with consultation with the cloud provider. The access levels will be based on the level of management, location and type of staff a person is. An executive access level will be given extra privileges to the resources provided by the cloud vendor. The identity and roles for each executive will be defined depending on the department they come from. IT Manager access level. The tasks for the IT manager will mainly involve maintenance of the cloud resources for the employees of SNPO-MC. The manager will be given complete access to log reports and authority to alter rules for other employees but in consultancy with the cloud vendor and top management of SNPO-MC. New Jersey access level will define the roles of employees in New Jersey. Employees in this location will only be given access to resources and software that allow manipulation and processing of day to day data for submission into the cloud. Los Angeles Access Level will have the same access level as those of New Jersey. A voluntary Employees access level will allow employees who work from home access to resources. Their roles will be defined according to what department they are volunteering for. Enforcement The cloud vendor must implement security standards before rolling out the service in accordance with the policies by SNPO-MC and standards created by the USA government. The policies are bound to be reviewed after a period of one and a half years with consultancy with the cloud vendor. Penalties for violations of policy The cloud vendor will be subject to prosecution in a court of law if it violates any signed agreements with SNPO-MC. The violations that arise from the vendor in terms of data ownership or resources it provides may lead to penalty fines and or termination of the contract it has signed with SNPO-MC. Employees who violate the policies assigned to them will be stripped of their cloud privileges depending on the extent of violations they have committed. Severe violations may lead to termination of the employment which will be done in consultancy with the executive management of SNPO-MC. Use by Customer service Use by public relations and corporate communications. Shareholders will have access to a website hosted by cloud vendor on behalf of the organization. Use for advertising and e-commerce No cloud services will handle any e-commerce processes due to the high level of security needed to handle the transactions. The cloud vendor shall at no time use the resources dedicated to SNPO-MC for creating advertisements that benefit itself or use data owned by SNPO-MC to create custom ads. Cloud advertisements for SNPO-MC will be handled through the public cloud. Use by teleworkers Employees who work at home will have a single point of entry into the cloud services. The equipment they will be using to access the cloud resources will have to be registered with the organization. Login authentication has to be approved before they can access the services. The cloud vendor will have to provide an appropriate key encryption protocol for the login details. The cloud vendor shall provide and configure a VPN for the teleworking employees to access the cloud services securely. The vendor should create PVPN for three locations, the primary SNPO-MC site, New Jersey and Los Angeles sites. Review requirements (when, by whom) The security policies will be reviewed after a year and a half with consultancy with the cloud vendor. The review will be headed by the IT manager of SNPO-MC with at least three members from SNPO-MC IT department, an executive officer, a third party consultant and representatives from the cloud vendor. Content management and generation An employee will be allocated storage space of 5 GB, an email address personalized according to the organizations name. The storage space will only be used to store documents associated with the company work and might not at any time be used by employees to store personal data. Reference Wayne Jansen, Timothy Grance (2014). NIST: Guidelines on Security and Privacy in Public Cloud Computing .NIST. New York. Mell, P., & Grance, T. (2011). The NIST Definition of Cloud Computing (Draft): Recommendations of the National Institute. Gaithersburg: National Institute of Standards and Technology. http://csrc.nist.gov/publications/drafts/800‐145/Draft‐SP‐800‐145_cloud‐definition.pdf Read More