Managing Security in Cloud and Addressing ISO 27001
Akash Kumar 阿卡什·库马尔
Cross Solutions, Multi-Cloud Tech Thought Leader, Advisor to Industry Leaders
As most enterprises, from the smallest to the largest, move to the cloud, it is becoming even more imperative to take care of security. Any cloud vendor can easily raise an objection: "If you host your application or run your server in my environment, you straight away address most security compliance requirements and standards." But the biggest question here is: what have you done to protect your environment? The cloud vendor is protecting its own environment, which indirectly protects yours. If you miss certain things (you left a port open, did not harden an image or enable a firewall rule, etc.), the cloud vendor assumes that it was your business requirement. On top of this, the cloud vendor is not responsible for knowing what you run in your environment or what resides in it; if it does know, that is itself a big breach of privacy and security. Think about a start-up in stealth mode: if its cloud vendor knows what it is cooking up, then it is no secret at all. Therefore, security starts at your level. Design your strategies, note down each and every detail, and seek clarification before executing things. As the proverb rightly says, "Better late than never."
A few simple steps you can take to mitigate security risk:
- Enable identity and authentication solutions
- Use appropriate access controls
- Implement and use an industry-recommended antimalware solution
- Ensure that an effective certificate acquisition and management solution is enabled
- Address the need to encrypt all customer data
- Review penetration testing and threat modeling processes
- Log security events
- Implement monitoring and visualization capabilities for security events
- Be able to determine the root cause of incidents
- Train all staff in cybersecurity issues
- Patch all systems and ensure security updates are deployed
- Keep service and server inventory current and up-to-date
- Maintain clear server configuration with security in mind
9 years ago: Keep me in the loop always, Akash, for such interesting and new informative data.
Great insights, could you elaborate on "penetration testing and threat modeling processes"?