The first rule in this small to midsize business (SMB) Cloud Security Playbook is that we're in it to win it. Not to get by, or to save enough petty cash to buy coffee, or to follow the crowd. It's about boosting the company to a new level, simultaneously saving money and enhancing security. If you don't expect all of those benefits from your move to the cloud, then you're in the wrong game.

A move to the cloud is strategic and profitable. Don't treat moving to the cloud as an afterthought. Put good, experienced workers on it, not a part-time intern.

Whether your main line of business is automobile parts, event planning, or even computer software, the goal of this playbook is to help you focus on your central vision. To a large extent, computer operations are only a distraction. IT provisioning is now routine enough that you're better off trusting it to an outside vendor rather than having your own staffers try to do it all. With the right cloud choices, your organization will save capital expenses, gain operational security, and be more nimble and responsive.

An Opportunity to Know Yourself

Companies are right to be concerned about cloud security. The direct and indirect costs of recent data breaches at companies such as Anthem, Ashley Madison, CVS, Experian, Scottrade, Target, and Trump Hotel Collection are simply staggering. The failures didn't specifically result from cloud vulnerabilities; they were breakdowns in fundamental policies and execution within the companies.

"Cloud" covers an immense span of offerings. For one company, it might be a game changer to adopt a simple online service to replace workers' timecards with a networked tool. Another company might decide it needs nothing less than an entire data-center-as-a-service (DCaaS), accessed through desktops-as-a-service (DaaS), and reinforced by disaster-recovery-as-a-service (DRaaS), with everything moved off-premises. A third company might jump fully into the cloud—but a private one in a physical location that complies with legal regulations.

Cloud security details will differ between these examples, but many of the fundamentals are identical:

1. Give every employee his or her own login.

2. Create a standard procedure for retiring accounts when employees leave.

3. Provide written admin instructions for backup access and cloud support.

4. Create business relationships between your organization and the cloud security vendor before an emergency occurs.

5. You and your provider should have an understandable, explicit agreement about service level agreement (SLA) expectations, including outage frequency and an outage action plan.

Just as a formal business plan helps make the most of your organization as a whole, it pays to have an explicit IT requirements writeup covering workflows, strengths, and weaknesses. One important planning aspect is to interview key workload owners within your organization to confirm precise details of how your business does its business. Make sure you migrate the true workloads, not what you remember they might have been in the past.

Also, plan an explicit sequence for your migration. Look for low-hanging fruit; migrate easily transportable, low-risk, and high-return workflows first. Learn from early migrations and update your migration pattern as you move to more uncertain or hazardous migrations (or decide, on the basis of your experience, to keep a particular workflow out of the cloud).

The first time you write up requirements, you won't be perfect at it. It's okay to start a plan, think you have captured it all, begin to depend upon cloud services, and then conclude things just aren't comfortable. The great value of your first contract might be learning what is effective. There's no shame in switching providers early on. Many headline-worthy data breaches occur when it becomes routine for an organization to "work around" well-intended but ill-fitting standards. Most cloud services explicitly provide for a trial month or so; expect to take advantage of these "test drives."

Remember: The more clearly you understand what truly matters to you, the more likely you are to receive it. In the abstract, you can ask the cloud provider for everything from mobile security and consumer-grade file-sharing and backup, to line-of-business (LOB) functions including accounting, inventory, and enterprise resource planning (ERP). You know best what your own priorities should be. Don't just take what you're offered; think through what most profits your business.

Know Your Data

Modern businesses recognize their data deserves specific attention. To a large extent, other parts of a business can be replaced or outsourced. But key data—about customers, employees, processes, and properties—form a company's unique value.

Therefore, your migration plan should include, in clear and specific terms, not just what you do and how you will do it in the cloud, but how you will keep key pieces of company information safe. Email is a common workload to move to the cloud. While email is often rich in proprietary information, it's also a mature technology and one the cloud delivers well. Several independent analysts have concluded that hosting email in the cloud is generally safer than managing email service in-house. However, if you have special email requirements (such as a legal restriction requiring storage in a specific jurisdiction), you will need to adjust your plan to account for this.

Customized programs embodying customer transactions or industrial processes present the opposite profile. No cloud vendor exists to provide your unique service. On the other hand, even the most unusual, proprietary, and private software can run on virtual machines (VMs) rented from the cloud. It's possible to keep data storage within your organization but rely on the cloud to operate on the data. This turns the capital expenditure (CAPEX) of purchasing servers into an adjustable operating expenditure (OPEX).

Ask for What You Want

Computer operations are largely routine but the business models around them are not yet fully baked. Some parts of the cloud are thoroughly standardized. Every day, for instance, thousands of people receive new, no-charge email accounts from Google, Microsoft, Yahoo, and so on. No human intervenes.

More specialized cloud services, though, are typically backed by a support staff. You can and should ask questions. If a particular cloud service looks just right to you, except it doesn't provide reports in a matching format to your accounting system, bring it up with the provider. Often, they can make arrangements that don't appear on their public pages.

To a large extent, the cloud question is not, "Should we adopt?" Your employees are already using cloud services whether or not you realize it. The more pertinent cloud question is, "Which vendor fits best?" If you need to audit operations to comply with the Health Insurance Portability & Accountability Act (HIPAA) or the Sarbanes-Oxley Act (SOX), say so. If reading logs of foiled intrusion attempts gives you comfort, ask for them. Most providers understand that good customers form long-term relationships, and they will cooperate with reasonable requests. One of the great advantages of cloud reliance is that you can have world-class experts working for you. Make the most of this.

Assign a Winning Champion

Assign responsibility for your company's success in the cloud to someone qualified. An ideal candidate should exhibit a few specific qualities:

1. High status within the company.

2. Enthusiastic about the opportunities the cloud presents.

3. Sensitive to security concerns.

4. Competent at project management and operations.

5. Ambitious (in a good way).

While you're unlikely to find a candidate who meets every qualification, it's worth the effort to identify a champion with at least two or three of these attributes. A champion need not be a certified cloud security expert or even have full-time IT responsibilities. Enthusiasm and diligence are more important qualities.

If an organization is small enough, the cloud champion might come from the finance or purchasing department, someone who brings in consultants to review plans and audit results. Look for consultants who can clearly express their accomplishments in business terms; these are the ones capable of quantifying workloads they have relieved and process times they slashed, not just fashionable technologies in which they've dabbled.

Stay in Touch

Someone devoted to your company should stay in touch with your provider. Call periodically, read any provider blogs or press releases, and ask about new offerings. You probably have an employee who makes a point of finding specials on refill soap or knows which cashier at the bank can expedite recognition of deposits. Vital company data security deserves at least as much attention to detail.

It doesn't have to be a crushing burden; even just an hour a week can dramatically improve insight into how your provider operates and what it means for you. Providers often can suggest training about new security threats, how to mitigate them, ways your company can better use the cloud (sometimes at lower cost!), changes that are likely over the coming year, and more. Make the most of what should be a strategic partner.

Trust but Verify

You need to rely on your provider to a certain extent, but don't leave yourself excessively vulnerable. Make DR plans that anticipate the loss of the provider. The details depend on exactly what the cloud provides you. DR might mean anything from pulling a backup ZIP drive out of a lockbox to a hot switchover to a fully equipped DRaaS installation. Good providers can help you with at least part of the planning, though your backup and DR ought to be reviewed by an independent consultant.

Should your DR plan include a reverse element? Meaning, a way to keep going even if the cloud becomes utterly unavailable or the Internet falls apart? This question roams too far into philosophy for a brief answer, but what companies can do is include explicit consideration of extreme events, and the costs associated with different countermeasures, in their plan. Your company might have an inexpensive DR plan that does not rely on the Internet and decide that protection is worthwhile. Most organizations work up relatively primitive DR plans and prioritize daily operations. Even so, at least starting DR exercises is an educational and rewarding experience.

Keep it Real

When you have realistic cloud security expectations, you're in the best position for success. Yes, you can buy terabytes of storage at the local big-box store at shockingly low prices. When you pay your monthly subscription for cloud services, remember you're receiving not just the value of a disk but one that's automatically backed up, ventilated, running on a high-speed connection to an Internet backbone, and scrubbed and monitored for security hazards. The hardware makes up a minority of the expense of nearly all cloud offerings.

Even after you move to the cloud, your greatest computer security threats will remain internal to your company: thefts and other employee crimes. Your provider can and should help you monitor operations but, ultimately, your own company culture will determine much of the fate of your travel through the cloud. Take these eight steps and your cloud migration will succeed:

1. Play to win, aim high, and expect better security, lower cost, and more responsiveness.

2. Understand your own requirements and put them in writing.

3. Understand your specific data security profile.

4. Negotiate wisely and ask for what you need.

5. Assign a cloud champion who will win.

6. Stay in touch.

7. Trust but verify to ensure against provider loss.

8. Keep it real and adjust expectations.
