Based on lessons learned and experience from across the cloud industry, you should consider the following best practices for your organization’s planning.


As an organization plans for transitioning to a cloud service or deploying a private or hybrid cloud, the first step from a security standpoint is to consider what IT systems, applications, and data should or must remain within a legacy enterprise datacenter. Here are some considerations:



Consider the cloud model(s) to be procured or deployed internally:


Determine who the consumers of the cloud services will be. If multiple departments or peer agencies will be using the cloud service, determine which security team or organization controls the standards for the overall cloud or each application workload:




Most clouds use software-based access controls and permissions to isolate customers from one another in a multitenant cloud environment. Hardware isolation is an option for private clouds and some virtual private clouds, but at additional cost.




The first rule in an automated cloud is to plan and design a cloud system with as few manual processes as possible. This might be contrary to ingrained principles of the past, but you must avoid any security processes or policies that delay or prevent automation. Here are some considerations:



Experience has shown that traditional security processes have tended to be manual approvals, after-provisioning audits, and slow, methodical assessments; these tendencies must change when building or operating a cloud. Precertify everything so that deployment can be fully automated, and avoid forcing any manual security assessment into the provisioning process.
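To make "precertify everything" concrete, the following is an added example, not part of the original text: an automated gate that a provisioning pipeline could run instead of a manual approval. It assumes a request arrives as a dictionary naming an image, its digest and the ingress rules it wants, and compares it with a precertified baseline. The image catalogue, digests, port policy and CIDR ranges are constructed sample data, not values from any real environment. The same pattern also covers the firewall-port requests discussed further down: anything inside the precertified policy is approved automatically, and only the exceptions are routed to the manual vetting path.

```python
"""Automated pre-certification gate for cloud provisioning requests.

Added example (not from the original text). Assumes a pipeline that must
decide, with no human in the loop, whether a request matches a
pre-certified baseline. All catalogue entries, digests, ports and CIDRs
below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed pre-certified image catalogue: image id -> approved digest.
# Only an exact digest match counts as the certified build.
PRECERTIFIED_IMAGES = {
    "web-base": "sha256:" + "a" * 64,
    "app-base": "sha256:" + "b" * 64,
}

# Constructed network policy: ports that may be opened without review and
# the source ranges permitted for each. Anything else needs manual vetting.
AUTO_APPROVED_INGRESS = {
    443: ["0.0.0.0/0"],
    80: ["0.0.0.0/0"],
    22: ["10.0.0.0/8"],   # administrative access only from the internal range
}


@dataclass
class Decision:
    """Outcome of the gate: auto-approve, or the list of reasons it was not."""
    auto_approve: bool
    reasons: list = field(default_factory=list)


def _source_allowed(port, source_cidr):
    """True if source_cidr lies entirely inside a permitted range for port.

    Raises ValueError for a malformed CIDR so the caller can report it.
    """
    allowed = AUTO_APPROVED_INGRESS.get(port)
    if allowed is None:
        return False
    src = ipaddress.ip_network(source_cidr, strict=False)
    for cidr in allowed:
        net = ipaddress.ip_network(cidr)
        # subnet_of only compares networks of the same IP version.
        if src.version == net.version and src.subnet_of(net):
            return True
    return False


def evaluate_request(request):
    """Decide whether a provisioning request matches the certified baseline."""
    reasons = []

    image = request.get("image")
    expected = PRECERTIFIED_IMAGES.get(image)
    if expected is None:
        reasons.append(f"image {image!r} is not in the pre-certified catalogue")
    elif request.get("digest") != expected:
        reasons.append(f"image {image!r} digest does not match the certified build")

    for rule in request.get("ingress", []):
        port, src = rule["port"], rule["source"]
        try:
            permitted = _source_allowed(port, src)
        except ValueError:
            reasons.append(f"ingress rule for port {port} has invalid source {src!r}")
            continue
        if not permitted:
            reasons.append(f"ingress {port}/tcp from {src} is outside automatic policy")

    return Decision(auto_approve=not reasons, reasons=reasons)


# Constructed sample requests: one inside the baseline, one that needs review.
GOOD_REQUEST = {
    "image": "web-base",
    "digest": PRECERTIFIED_IMAGES["web-base"],
    "ingress": [{"port": 443, "source": "0.0.0.0/0"},
                {"port": 22, "source": "10.20.0.0/16"}],
}
REVIEW_REQUEST = {
    "image": "app-base",
    "digest": "sha256:" + "c" * 64,          # not the certified build
    "ingress": [{"port": 22, "source": "0.0.0.0/0"},   # admin port open to all
                {"port": 3389, "source": "10.0.0.0/8"}],  # port not in policy
}

if __name__ == "__main__":
    for name, req in (("good", GOOD_REQUEST), ("review", REVIEW_REQUEST)):
        d = evaluate_request(req)
        print(name, "auto-approve" if d.auto_approve else "manual review", d.reasons)
```

Requests that pass go straight to deployment; those that fail carry a reason list that can be attached to the manual vetting ticket, so the slow path is reserved for genuine exceptions rather than every change.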



It is common for customers to request additional network configurations or opening of firewall ports. These can be handled through a manual vetting, approval, and configuration process, but you might want to charge extra for this service. Here are some things to keep in mind: