It’s extremely important that you provide protection for the entire application stack running on virtual machines – throughout the system, network and application levels. Relatively few security vendors today support cloud deployments well, so it’s important to ask the right questions beyond “can you deploy in the cloud?” How they deploy and whether they support cloud-specific use cases is much more important.
One of the biggest mistakes we see IT security teams make is to fail to prioritize the most important business or operational requirements in designing the security requirements for a given application deployment. A simple example – if your application team has a requirement for auto-scaling, then this must become the ground-floor requirement for your security toolkit as well. Otherwise, cloud deployment will move forward, but security will be left behind, which happens all too often.
How should organizations tackle security risk management when considering cloud service providers?
One of the first steps is choosing a cloud provider that offers the style of service that fits your business. For some businesses who prefer control and have the expertise to manage their own environment, cloud providers like Amazon or Azure have security partners with the capability to extend their own services dynamically for customers of those cloud providers. For businesses that need better support and an ability to outsource management of the entire application environment, a cloud provider with deep roots in managed hosting, such as Rackspace or Datapipe, might be a better choice. There are security options available in each of these cloud environments, but even the best security capabilities are ineffective if you can’t deploy and manage them.