Cloud PPM Security Best Practices
Cloud computing for PPM, or for any other business-critical enterprise application, presents some valid challenges and concerns for CIOs globally. IT leadership consistently ranks security highest among its objections and concerns. For example, a study of European CIOs published earlier this year by Citi Research listed "security/data privacy" as by far the biggest concern, with 43% citing it as a concern. The next biggest issue, "no suitable cloud applications," was cited by only 18% of respondents. A global study conducted by Ovum Research in 2011 is consistent with this finding: security was the item most frequently listed as one of the top 3 concerns, with 359 out of 530 total respondents listing it as such, compared to 246 for the next biggest concern, "governance/control."
Nevertheless, organizations have deployed mission-critical applications such as CRM, ERP, HR, document management and PPM in the cloud for years, and the growth is accelerating. It is clear that we are now in the midst of a transition to cloud-based computing as the primary model for data center workloads. According to "Independent Analyst Shipment Data, Cisco Analysis," by 2014 over 50% of all workloads will be processed in the cloud, leaving traditional computing in the minority. On the supplier side this is being driven by dramatic increases in processing power, storage and bandwidth at falling unit costs, which are tilting industry economics further in favour of cloud computing architectures. On the demand side it is being driven by a number of proven customer benefits: ease and speed of deployment, ease of administration and operations, ease of access and use, and flexible subscription/annual pricing models which can accelerate ROI and reduce investment risk.
So, what can you do to take advantage of these benefits while minimizing any security-related risks? Here is a checklist of cloud security best practices you can leverage to mitigate risks and allay CIO concerns:
1. Ensure you do a thorough due-diligence review of the vendor's security posture. This should cover the various control areas, including organizational security, asset classification and control, personnel security, physical security, communications security, operations and incident management, SDLC security, business continuity and disaster recovery, and any regulatory compliance.
2. Ensure the vendor can produce an industry-standard audit report and/or a list of successful customer security audits. Most customer-driven audits are not publishable due to non-disclosure agreements, but if the vendor can share the controls that were audited, that can boost confidence.
3. Ensure the vendor does periodic security testing using both internal resources and an external third party.
4. Ensure that the vendor's datacenter facilities hold up to similar scrutiny.
5. Insist on performing your own security audit, either using your security team or an external security vendor, if the evidence provided by the vendor is not sufficient to cover your risks.
6. Insist on resolution of the key threats identified by the due-diligence work before committing sensitive data to a production deployment.
7. Ultimately, ensure compliance with any legal or regulatory requirements that are actually relevant to the business, process, or activity being undertaken using the SaaS offering.
8. Follow up with annual compliance reviews.