Finally, create the policy statements themselves. One way to start is to think about how you want your employees to use the cloud and write down the common-sense ideas that come to mind. Concepts like not saving corporate or client data from the cloud to a personal computing device, not transmitting protected or sensitive data to or from the cloud without encryption, and not sharing your cloud user account password may seem obvious, but state them anyway.
If you already have an Acceptable Use Policy (AUP), you may borrow from that and adapt the statements to reflect the unique nature of using the cloud. If you have identified the cloud providers you are going to use, reference their AUP and use the same or similar language in your policy.
This accomplishes two goals: it gives you a head start on drafting your policy, and it keeps your policy in alignment with your cloud provider's guidelines so that your users do not run afoul of them. Beyond that, look at what other organizations have published, and at what standards bodies such as the Cloud Security Alliance (CSA), the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), and other organizations that produce cloud security policies and guidelines have written.
Once you have put down on paper this first basic cloud policy, pass it around to your peers, department heads and other people in your organization who might have some input. After all the feedback has been reviewed, complete a final policy, publish it and make sure everyone reads and accepts it.
As you begin your operations in the cloud, take what you learn and incorporate the refinements in future policy revisions on a regular basis. The better you define your cloud policy, the better everyone will understand how to leverage the cloud and reduce the risk to your organization.
Hazdra is a principal security consultant at Neohapsis, and a seasoned security professional with CISSP and CCSK certifications and extensive experience spanning nearly all areas of security. He has deep domain expertise securing virtualized environments and public & private clouds, is an active member of the CSA SME council, and holds expertise and certifications in the design, implementation and securing of datacenters, IP telephony and other security infrastructure and services. Hazdra previously served as Chief Security Officer (CSO) of Canopy Financial, a PCI Type 1 Merchant and poster-child for having successfully virtualized nearly 100% of its datacenter, and was Sr. Security and Compliance Specialist at VMware.