Overall though, Pescatore says cloud security starts at a basic level. Most enterprises begin their journey to the cloud with a private, internal cloud, and that's a good place to start with security controls, too. "Get security right in the private cloud first, then extent it into the hybrid and public," he suggested. Having processes in place to protecting virtualized environments from outside attacks is important, he says. "Get visibility into the system, the change controls and the vulnerabilities," he says. This includes securing the orchestration of the architecture and the provisioning of new accounts, domains and virtual machines.
The migration beyond a private cloud is usually then toward incorporating some public cloud services. Many times companies expand to public cloud services for non-mission critical applications though, such as test, development or bursting capacity. So, not everything may have to be secured to a maximum security level. "Protect the sensitive information and only put the less sensitive data into the cloud in the native form," he says, referring to the process of tokenization.
Pescatore says the focus for cloud security should be on the processes of protecting the cloud. Create policies for cloud security, then make sure they are implemented throughout the cloud deployment and stick with them. The vulnerabilities are created when there are inconsistent policies or unenforced security controls, he says. "We really have not yet seen major new attacks that are trying to compromise the cloud infrastructure or the virtualization layer," he says. "The reality today is that the easy pickings (for the hackers) are attacking the companies using the cloud services."
The good news is customers have a wide variety of options. For low-level security requirements, the cloud service provider, either on the infrastructure or software as a service side, usually each have their own security features. Amazon Web Services is FISMA compliant; FireHost, another cloud service provider, is PCI compliant. At the least, Pescatore says users should look for their providers to be ISO 27001, SOC 2 or SOC 3 certified. Beyond that, and especially for sensitive information, there are third-party security offerings for a range of uses.