Information security and risk management

Every major change in the way you conduct business entails some amount of risk; few aspects of the
cloud have generated more discussion and controversy than those regarding its security and risk. In
this time of breaches, nation-state hacking, and growing and profound concern with individual privacy on the Internet, cybersecurity has become a board-level concern, and rightly so.

Begin by understanding the security postures of the cloud platform providers. Issues to examine include the availability of antimalware software for cloud-hosted applications; the presence of intrusion detection software and tools; sophisticated and secure identity management; at-rest and in-motion encryption options; networking options for on-premises and off-premises communications; the ability to do penetration testing; and so on. The requirement to implement “defense in depth” remains; you will need to determine how you can collaborate with your cloud provider to implement and enhance it.

You should also understand the physical security practices of the cloud provider. Are employee background checks required? Does access to the cloud datacenter require biometric authentication?

Next, because the cloud potentially makes it possible to access corporate computing devices from anywhere in the world, the information security team should address what requirements should be levied on these devices to grant them such access. For example, it might require all client devices to have encrypted local storage by using such technologies as Microsoft BitLocker. Similarly, because typing usernames and passwords on mobile devices can be tedious, the team should consider the merits of alternate forms of authentication, such as biometrics. Or, it might choose to implement “multifactor authentication,” requiring both a username/password as well as some other form of identity (such as a smart card).

A related capability in the cloud is its ability to accept authentication credentials from a multitude of sources by using the Open Authorization (OAuth) protocol. Information security professionals should decide which, if any, applications may accept (for example) Facebook or Google credentials. E-commerce sites might benefit from usage of these credentials, but internal applications likely would not.

Third, verify key regulatory compliance certifications (for example, HIPAA, the Health Insurance Portability and Accountability Act; FISMA, the Federal Information Security Management Act; and the EUDPD, the European Union Data Protection Directive). Different industries and different geographies will be governed by different regulations and standards. Learn how to detect a suspected breach and how to report it to the provider, and what the response time SLA is expected to be. The Microsoft Azure Trust Center provides details on all of these as they relate to its offering. The Cloud Security Alliance is an excellent independent resource bringing together experts from across the industry to develop recommendations for best practices for secure computing in the cloud.

Even though the cloud provides many security advantages, hosting an application in the cloud does not entirely relieve application writers and security professionals of their responsibilities. We strongly recommend developers and testers adhere to the Security Development Lifecycle (https://www.microsoft.com/en-us/sdl/default.aspx), which provides a set of steps for anticipating and mitigating threats. Antivirus and antimalware options should be included in your deployments. Penetration testing of deployed applications should be performed.

Source of information: Microsoft Enterprise Cloud Strategy
