Default security with most leading CSPs is already strong. Adding public cloud security measures on top of that may affect overall application performance. It could also complicate your identity and access management efforts. These considerations are all the more crucial if you are working with mission-critical applications that need to integrate with other business applications: end users will not be pleased if their applications are not available when they need them.
6. Put Security at the Forefront of Your SLA.
When you run a private cloud, you have (or should have) the tools to know when and where security breaches occur. How would a CSP customer ever come to know of these kinds of security breaches?
Public cloud security guarantees with CSPs are no good unless they are written as service level agreements in your contract, and unless transparent monitoring and reporting functions are available to the cloud customer, the contract itself may be useless.
7. Insist on Transparent Security Processes.
The need for transparent and verifiable security processes, procedures and practices within your SLA goes far beyond potential data breaches. When you rent hosted servers, there is at least a physical facility, a rack and a set of physical servers you can visit. With public clouds, on the other hand, you may not know the exact physical whereabouts of your cloud instances, so all you can rely upon is the information that the CSP is making available to you. This is why transparency is critical.
8. Streamline Logging and Monitoring.
Exploring the monitoring and logging of physical cloud instances with CSPs is another key to ensuring public cloud security. Comparing one CSP's logging and monitoring practices with another's before you sign an SLA may reveal subtle differences in the security that's provided.
9. Add Encryption.
You may want to employ your own encryption instead of, or in addition to, that provided by the CSP. While the CSP will encrypt information that is sent over the public Internet and stored in the public cloud, the CSP will be providing the encryption key. This may make your organization uncomfortable, as the key could fall into the wrong hands.
A number of installable products or SaaS vendors can do this type of encryption on the fly. (VPN-enabled cloud instances fall under this category of augmented public cloud security.) When this happens, only the customer and the third party know the key; the CSP does not.
10. Spread Risk with Multiple, Redundant CSPs.