Planning Guide
Cloud Security
Seven Steps for Building Security in the Cloud from the Ground Up

Why you should read this document:

This guide provides practical information to help you integrate security planning into your cloud computing initiatives and:

• Makes suggestions and recommendations for strengthening data and platform protection in cloud implementations.
• Provides guidance on encryption to protect data.
• Describes the importance of a trusted foundation to secure platform and infrastructure.
• Explains how to build higher assurance into auditing to strengthen compliance.
• Discusses extending trust across federated clouds.

Contents

Security in the Cloud: What It Is (and What It Isn’t)
Security Challenges for Cloud Environments
Step 1: Start Security Planning Early
Step 2: Identify Vulnerabilities for Your Selected Service(s)
Step 3: Four Things an IT Manager Can Do To Mitigate Security Vulnerabilities
Step 4: Protect Data—in Motion, in Process, and at Rest
Step 5: Secure Your Platform
Step 6: Extend Trust across Federated Clouds
Step 7: Choose the Right Cloud Service Provider
Intel Resources for Learning More

Intel IT Center Planning Guide | Cloud Security

Cloud Security: What It Is (and What It Isn’t)

The cloud seems to be on everyone’s mind these days. If you’ve been considering how to make the leap to cloud computing, you’ve also had to start thinking about how to extend security to this new technology environment. Despite potential savings in infrastructure costs and improved business flexibility, security is still the number-one barrier to implementing cloud initiatives for many companies.

Security challenges in the cloud are familiar to any IT manager—loss of data, threats to the infrastructure, and compliance risk. What’s new is the way these threats play out in a cloud environment.

Cloud Security Is ...
• The response to a familiar set of security challenges that manifest differently in the cloud. New technologies and fuzzier boundaries surrounding the data center require a different approach.
• A set of policies, technologies, and controls designed to protect data and infrastructure from attack and enable regulatory compliance.
• Layered technologies that create a durable security net or grid. Security is more effective when layered at each level of the stack and integrated into a common management framework.
• The joint responsibility of your organization and its cloud provider(s). Depending on the cloud delivery model and services you deploy, responsibility for security comes from both parties.

Cloud Security Isn’t …

• A one-size-fits-all solution that can protect all your IT assets. In addition to different cloud delivery models, the cloud services you deploy will most likely require more than one approach to security.
• A closed-perimeter approach or a “fill-the-gap” measure. Organizations can no longer rely on firewalls as a single point of control, and cobbling together security solutions to protect a single vulnerability may leave you open in places you don’t suspect.
• Something you can assume is provided at the level you require by your cloud service providers. Make sure you spell out and can verify what you require.

Cloud computing security is a broad

SEPTEMBER 2011