Part 11 - Cloud Security - TheCloudGuy Series on Transforming your Company into Cloud and SaaS

In Part 10 I focused on hybrid cloud solutions. This section is about Cloud Security. The focus again is on non-cloud companies transforming to cloud.

Cloud security is a collection of security measures designed to protect your cloud-based infrastructure, applications, and data as you move them to the cloud. Among other things, these measures ensure user and device authentication, data and resource access control, and data privacy protection.

Cloud security is both an enormous industry and a needed component of every cloud solution. I will not be focusing on the technical aspects of the various security solutions out there, but rather on the business and customer behavior aspects that your move to the cloud brings. Specifically, I will look at your customers' views regarding the security of their data, and how those views affect their decisions to continue working with you.

You can read more on the technical and product sides here:

What is cloud security

Cloud Security Solutions

Cloud Security Book

Once your service moves to the cloud, your security responsibility grows by an order of magnitude. Previously, most of the burden around data and physical security resided with your customers' IT departments: things like access control (physical and data), encryption, authentication and more. Many customer systems may have even been air gapped (not connected to the internet).

Moving to the cloud increases complexity, introduces frequent and dynamic configuration changes, and overall increases the “attack surface” you need to protect. And mainly, it puts a lot of the burden, if not all of it, on you, the vendor.

This is not just about adding a few more controls or point solutions. It requires an assessment of your resources and business needs to develop a fresh approach to your culture and cloud security strategy. You need to understand the future state of your business and risk-based security program.

You should probably set up a security function, such as a CISO (Chief Information Security Officer), schedule regular security audits, and invest in staying up to date on the latest threat landscape and how to protect yourself.

Depending on the sensitivity of the data, your customers will typically be separated into roughly 3 groups:

1. Those comfortable with having workloads and data in the cloud with previous vendors. These customers can copy existing practices to feel comfortable with moving to consuming your product in the cloud.

2. Those semi-comfortable with workloads and data in the cloud. Those investigating it. These customers have moved low sensitivity data to the cloud. Perhaps they will do a partial move. Perhaps you are their first material move to using cloud.

3. Those not ready for the move to cloud who will insist on owning and controlling all their data on prem.

It’s important you map your customers into these groups and focus most of your attention on group 1, some of your attention on group 2, and minimal attention on group 3. Don’t try to take on the challenge of educating groups 2-3 other than around your product: that’s a much bigger endeavor and involves a cultural and DNA change in their organizations beyond your control. Instead, segment, focus and use early adopters as North Stars for the rest of your customer base.

In addition, set a high security bar, and get certified/audited in a way you can show your customers. Invest in the documentation highlighting your security setup. Expect security audits from customers and set up to support them in terms of manpower.

Be transparent with your customers around all things security. No system is 100% secure. Rather than claiming otherwise, which will only concern your customers’ CISOs because of your overconfidence, focus on specifics: what you have by way of systems and processes. Let your customers make the assessment as to your security readiness.

And lastly, learn: constantly. Nothing in security is static. Learn, implement, improve, communicate.

In the next section I will dive deeper into one of the previously covered topics.

*** As usual, feel free to contact me at [email protected] if you’re looking to engage with me on a consulting/advisory basis as an operating partner, fractional CXO and work on cloudification, transformation, turnaround, growth, product strategy, VC & PE advisory, or start-up mentoring. More here ***

Shelley Griffel

Executive | CEO | Business Development | Global Marketing | Strategy | Entrepreneur | C-Level Trusted Advisor | Result Driven | Leading Opening of an International New Market to Generate Revenue

2 months

Lior, thanks for sharing! An excellent Israeli company that is gaining momentum in the United States at a dizzying pace https://bardagaragedoor.com/

Dmytro Chaurov

CEO | Quema | Building scalable and secure IT infrastructures and allocating dedicated IT engineers from our team

1 year

Lior, thanks for sharing!
