APPENDIX A

Cloud Computing Security Policy Examples

When adopting cloud services, your organization needs to establish appropriate policies to instruct employees on the governance required for cloud services. Existing IT security policies should not be modified to address cloud-specific security policy statements. Rather, these directives should be included in a separate cloud security policy.

The following cloud security policies for the fictitious company ACME Incorporated are included to give you two different examples of cloud security policies. The first example has the CIO office approving all cloud adoption. This is called the centralized example. The second example shows a classification model that instructs employees on which classification levels require CIO office adoption and on which levels employees can procure their own cloud services. This one is referred to as the classification example.

As you will notice, both of these security policies are quite short and succinct. As opposed to a standard IT security policy that covers a multitude of areas, cloud-specific security policies are generally focused on the procurement of cloud services. These policies can be treated as a form of a template and be modified to suit the format of your particular environment.

Cloud Security Policy: Centralized Example

This example policy has a centralized approach to procurement of any cloud services that will be used at ACME Incorporated.

Purpose

This policy outlines best practices and approval processes for using cloud computing services to support the processing, sharing, storage, and management of institutional data at ACME Incorporated.

Scope

This policy applies to any ACME Incorporated acquisition of cloud computing services. The project manager must coordinate planning with the operating unit CIO early in the planning process to avoid unnecessary problems later in the planning and acquisition lifecycle.

This policy pertains to the acquisition of services from a source outside of ACME Incorporated. Internal cloud computing services are already covered by existing requirements.

Background

Cloud computing is defined by NIST as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” It is composed of five essential characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity or expansion, and measured service. It can be provided at a low level as hosted infrastructure (IaaS), at a mid-tier level as a hosted platform (PaaS), or at a high level as a software service (SaaS). Cloud providers can use private, public, or hybrid deployment models.

Policy

Use of cloud computing services must be formally authorized in accordance with ACME Incorporated risk management processes. Specifically, the following:

•   Use of cloud computing services must comply with all current laws and with all IT security and risk management policies.

•   Use of cloud computing services must comply with all privacy laws and regulations, and appropriate language must be included defining the cloud computing source responsibilities for maintaining privacy requirements.

•   For external cloud computing services that require users to agree to terms of service agreements, such agreements must be approved by ACME Incorporated general counsel.

•   All use of cloud computing services must be approved in writing by the operating unit CIO. The operating unit CIO will certify that security, privacy, and other IT management requirements have been adequately addressed prior to approving use of cloud computing services.

•   The cloud computing services may not be put into production use until the operating unit CIO has provided written approval.

•   The project manager must retain the CIO’s certification along with other investment documentation.

Approval Date: December 15, 2017

Last Reviewed: November 14, 2019

Cloud Security Policy: Classification Example

In this example, ACME Incorporated has a hybrid approach to cloud service procurement. The classification of data will determine whether cloud services can be procured by the individual operating unit or must be centrally procured.

Purpose

To ensure that the confidentiality, integrity, and availability of ACME Incorporated information is preserved when stored, processed, or transmitted by a third-party cloud computing provider.

Scope

This policy concerns cloud computing resources (services, platforms, and infrastructure) that support a wide range of activities involving the processing, exchange, storage, or management of institutional data.

Background

Cloud computing services are application and infrastructure resources that are accessible via the Internet. These services, contractually provided by companies such as Amazon, Microsoft, and Google, enable customers to leverage computing resources. Cloud services provide services, platforms, and infrastructure to support a wide range of business activities. These services support processing, sharing, and storage, among other things. Cloud computing services are generally easy for people and organizations to use; they are accessible over the Internet through a variety of platforms (workstations, laptops, tablets, and smart phones); and they may be able to accommodate spikes in demand much more readily and efficiently than in-house computing services.

Policy

ACME Incorporated employees must be cautious about self-provisioning a cloud service to process, share, store, or otherwise manage corporate data. Self-provisioned cloud services may present significant data management risks or be subject to changes in risk with or without notice. Virtually all cloud services require individual users to accept click-through agreements. These agreements do not allow users to negotiate terms, do not provide the opportunity to clarify terms, often provide vague descriptions of services and safeguards, and often change without notice.

Risks associated with self-provisioned cloud services include the following:

•   Unclear and potentially poor access control or general security provisions

•   Sudden loss of service without notification

•   Sudden loss of data without notification

•   Data stored, processed, or shared on the cloud service is often mined for resale to third parties, which may compromise people’s privacy

•   The exclusive intellectual property rights to data stored, processed, or shared on the cloud service may become compromised

With the benefits and risks of procuring cloud services in mind, ACME Incorporated has implemented a multitier approach that considers the classification of data to centralize procurement of highly classified data while leaving business units to procure cloud services on their own for publicly available data.


Approval Date: December 15, 2017

Last Reviewed: November 14, 2019
