Cloud Computing Security Policy - Term Paper Example

Cloud Computing Security Policy Affiliation You have been tasked with researching requirements for a Cloud Computing Security Policy and then developing a draft policy for the non-profit organization, SNPO-MC. Introduction Cloud computing is referred to as model that enables on-demand and convenient access to a shared pool of configurable computing resources. The computing resources can be rapidly released and provisioned with minimal service provider interaction and management effort. There exist subscriber terms of service for a cloud, and they are determined by legally binding agreements that are contained in a service agreement and a service level agreement. The service agreement specifies the rules of the legal contract between the provider and the subscriber. The service level agreement states about the technical performance promises that are made by the provider and is inclusive of remedies in case of performance failures (Takai, 2012). Purpose and Scope The purpose of this document is to provide recommendations for cloud computing security policy decision-makers that include the management, executives and cloud computing security providers. The report also seeks to explain the cloud computing technology and security policy around it. Requirements for a Cloud Computing Security Policy The mandatory requirements of the cloud computing security policy in organizations include confidentiality, integrity, and availability. SNPO-MC should ensure that security information is confidential and accessible authorized individuals only. The integrity of information involves safeguarding the accuracy, completeness and processing methods of the available information. The cloud computing security policy is also based on availability; therefore, SNPO-MC must ensure that only the authorized personnel have access to information and the associated assets when required. The mandatory requirement for cloud computing security policy is that the management and executives of an organization must provide a clear direction on information security and cloud computing security. It can be done through the development and implementation of a cloud computing security policy that serves as part of the management security plan. However, the implementation of the policy must adhere to the scope, objectives and approach that is favorable to the management of cloud computing security issues. The policy must also be endorsed by the management and executives. The cloud computing security policy should also identify information security roles and responsibilities that must also be evaluated and reviewed in line with the changes of information and business risks. Data integration is a vital requirement in the policy that must be included since it helps circumvent any associated protective security measure and explain the consequences for breaching of the policy. The cloud computing security policy should also be communicated on an ongoing basis and should be accessible to all organization employees. For third party access organizations should establish a framework that will provide coordination and direction for the management of the security policy. The organizations are to ensure that necessary requirements for cloud computing security are documented when the organizations are entering into outsourcing contracts or making arrangements with consultants and contractors. The cloud computing security policy mandates organizations to ensure that they have appropriate permissions from the third parties before they can access any information belonging to the third parties. Draft Policy for Non-profit Organizations- SNPO-MC Who Speaks with Authority For the Firm? SNPO-MC is subscribers to the cloud computing security services, and they should, therefore, ensure that they have a department or individuals within SNPO-MC to handle cloud computing security issues with the providers. Who Monitors and Manages Compliance with Laws and Regulations? SNPO-MC’s cloud computing security providers should monitor and manage the laws and regulations of cloud computing security. The managers and executives’ role at SNPO-MC is to discuss with the providers on the security measures being undertaken to ensure that cloud computing information is secure. Ownership of Content SNPO-MC and authorized third parties are the only rightful owners of cloud computing information, and they should be the only individuals permitted to access the content. Although these two parties can claim ownership of the content, it is important that the cloud computing security policy permits only a few individuals to access the original content in the cloud space and then divide it with employees of the organization (Krutz & Vines, 2010). Privacy and Confidentiality SNPO-MC should solely operate its cloud infrastructure. The management of the cloud infrastructure can be undertaken by the third parties or the management itself. The cloud infrastructure can also exist on or off SNPO-MC’s premises since that does not expose its security. However, cloud computing information should only be accessible to authorized individuals to limit any chances of information security being compromised. Cloud computing information belonging to third parties should only be accessed once permission seems from the third parties. Enforcement Employees of SNPO-MC should be the individuals to enforce cloud computing. On loan staff who include the executive and other staff do not have adequate time in the organization to enforce the security policy of the organization and, therefore, this role should be delegated to the permanent employees to enforce the cloud computing security policy. Penalties for Violations of Policy Providers maintain the compliance of the laws and regulations of the security policy. They also have access to the cloud computing information, and they are obliged by law not to sell, license or even disclose subscriber data. The providers monitor the subscriber actions on the cloud and have access to subscriber software that assists them in monitoring. Violations of the security policy should be enforced by the providers since they have access to information about the party that violates the policy (Krutz & Vines, 2010). Use by Sales and Marketing The cloud computing security policy is a good marketing tool for SNPO-MC. However, the sales and marketing staff should be allowed to access limited information on the cloud that they can use to convince clients. Use of Customer Service Customer service should not be allowed to have the full control and access to cloud computing information. Providers should improvise a mechanism whereby customer service has a separate customer cloud that will help them undertake their responsibilities. Use by Public Relations and Corporate Communications A public cloud that allows contains information of the general public, shareholders and customers should be used improvised to ease the role of public relations and corporate communications staff(Krutz & Vines, 2010). The public cloud should accessible to shareholders, the general public and customers through platforms such as the internet. However, only subscribers of the onsite community cloud of SNPO-MC should be allowed to access it. Use for Advertising and E-commerce The providers have to offer a location restriction policy to SNPO-MC that is configured to only account for specific location and access to only access information used by advertising and e-commerce site and personnel. Use by Teleworkers Loaned and volunteer staff members are to access cloud information that helps them perform their roles and responsibilities. The information accessible to them should not compromise SNPO-MC’s cloud security policy. Review Requirements The security and reliability of cloud computing information will depend on communication links between SNPO-MC and the providers. There need to be constant communication links to ensure that providers have adequate control of the cloud and that they constantly monitor access to different clouds belonging to SNPO-MC. Use of Content and Services Monitoring Tools Cloud computing security providers are tasked with the role of putting in place content and services monitoring tools. The providers must make sure that only certain individuals have access to the different clouds belonging to SNPO-MC. Content Generation and Management Executives and managers are to handle content generation and management. Their permission is needed to before any content can be generated from the organization’s cloud. Management of content generation ensures that there is control of the staff and other individuals who access SNPO-MC’s cloud (Grance, Stevens & Myers, 2008). Recommendations SNPO-MC should identify the specific resources that are suitable to enable them migrate data into and out of clouds. The specific resources that the management and executives of SNPO-MC should consider the systems that are run in virtualized environments, email and data repositories such as shared documents. SNPO-MC management should also develop a plan for interacting with cloud data once it is resident in the cloud. SNPO-MC should determine whether the provider is implementing controls properly and ensure that controls are documented. Processes should be put in place by SNPO-MC management to compartmentalize the tele-worker job responsibilities. The processes should also differentiate the job responsibilities of SNPO-MC administrators from the responsibilities of the providers. SNPO-MC should also pursue legal requests for preservation of data, e-Discovery and content privacy(Santos, Gummadi & Rodrigues, 2009). References Krutz, R. L., & Vines, R. D. (2010). Cloud Security: A comprehensive guide to secure cloud computing. John Wiley & Sons. Grance, T., Stevens, M., & Myers, M. (2008). Guide to selecting information technology security products. Network Security. Takai, T. M. (2012). Cloud computing strategy. Department of Defense Washington dc chief information officer. Santos, N., Gummadi, K. P., & Rodrigues, R. (2009, June). Towards trusted cloud computing. In Proceedings of the 2009 conference on Hot topics in cloud computing (pp. 3-3). Read More