Most IT department policies and procedures complement each other. They define what is to be provided -- e.g., a cloud security policy -- and how policy compliance is achieved -- e.g., cloud security procedures. Without policies, companies may be at risk of security breaches, financial losses, and other security consequences. Absence of relevant policies can be cited during IT audit activities and, in some cases, may result in noncompliance fines or other penalties.
The following is an outline of the necessary components of a cloud security policy:
· Introduction. State the fundamental reasons for having a cloud security policy.
· Purpose and scope. Provide details on the cloud policy's purpose and scope.
· Statement of policy. State the cloud security policy in clear terms.
· Policy leadership. State who is responsible for approving and implementing the policy, as well as levying penalties for noncompliance.
· Verification of policy compliance. State what is needed, such as assessments, exercises, or penetration tests, to verify cloud security activities comply with policies.
· Penalties for noncompliance. State penalties -- for example, verbal reprimand and note in personnel file for internal incidents or fines and legal action for external activities -- for failure to comply with policies and service-level agreements (SLAs) if they are part of the policy.
· Appendixes (as needed). Provide additional reference information, such as lists of contacts, SLAs, or additional details on specific cloud security policy statements.
Far too often, organizations place their trust in cloud providers to ensure a secure environment. Unfortunately, that approach has numerous problems -- namely that cloud providers don't always know the risk associated with a customer's systems and data. They don't have visibility into other components in the customer's ecosystem and the security requirements of those components. Failing to take ownership of cloud security is a serious downfall that could lead organizations to suffer data loss, system breaches, and devastating attacks.
· Misconfigurations and inadequate change controls
· Lack of cloud security architecture and strategy
· Insufficient identity, credential, access, and key management
· Account hijacking
· Insecure interfaces and APIs
· Abuse and nefarious use of cloud services
Organizations should create a cloud IAM team dedicated to certain aspects of cloud security, such as access, authentication, and authorization. Shackleford recommended that the cloud IAM team, which could tackle single sign-on and federation, should be started with existing internal groups because they have a deep understanding of the business and its goals.
A cloud access security broker (CASB) is a software tool or service that sits between an organization's on-premises infrastructure and a cloud provider's infrastructure. CASBs are available as on-premises software, as cloud-based software, or as a managed service.
1. Firewalls to identify malware and prevent it from entering the enterprise network
2. Authentication to check users' credentials and ensure they only access appropriate company resources
3. Web application firewalls (WAFs) to thwart malware designed to breach security at the application level, rather than at the network level
4. Data loss prevention (DLP) to ensure that users cannot transmit sensitive information outside of the corporation
CASBs work by ensuring that network traffic between on-premises devices and the cloud provider complies with an organization's security policies. CASBs use autodiscovery to identify cloud applications in use and identify high-risk applications, high-risk users, and other key risk factors. Cloud access security brokers may enforce a number of different security access controls, including encryption and device profiling. They may also provide other services such as credential mapping when single sign-on is not available.
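As an added illustration of the autodiscovery and policy checks described above (example code written for this page, not from the article or any CASB product), the following Python runs over constructed proxy log lines and a hypothetical app catalog to list the cloud apps in use, then flags high-risk apps and high-risk users under a simple policy. The hostnames, risk scores, and thresholds are assumptions.

```python
import re
# Constructed proxy log lines (sample data, not from the article): timestamp user host bytes_uploaded
PROXY_LOG = """\
2024-05-01T09:01:02 alice drive.corp-storage.example 2048
2024-05-01T09:02:10 bob   files.sharez.example 1048576
2024-05-01T09:03:44 alice chat.teamhub.example 300
2024-05-01T09:05:00 carol files.sharez.example 5242880
2024-05-01T09:06:30 bob   paste.anon.example 65536
"""
# Hypothetical app catalog of the kind a CASB ships: host -> (app name, sanctioned?, risk score 1-10)
APP_CATALOG = {
    "drive.corp-storage.example": ("CorpDrive", True, 2),
    "chat.teamhub.example": ("TeamHub", True, 3),
    "files.sharez.example": ("ShareZ", False, 8),
    "paste.anon.example": ("AnonPaste", False, 9),
}
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")
def parse_log(text):
    """Parse each line into (user, host, bytes_up); malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m.group(2), m.group(3), int(m.group(4))))
    return records

def lookup(host):
    return APP_CATALOG.get(host, (host, False, 10))  # unknown host: unsanctioned, max risk

def discover_apps(records):
    """Autodiscovery: which cloud apps are in use, by whom, and how much data leaves for each."""
    apps = {}
    for user, host, bytes_up in records:
        app, sanctioned, risk = lookup(host)
        entry = apps.setdefault(app, {"users": set(), "bytes_up": 0, "sanctioned": sanctioned, "risk": risk})
        entry["users"].add(user)
        entry["bytes_up"] += bytes_up
    return apps

def high_risk_apps(apps, min_risk=7):
    """Unsanctioned apps whose catalog risk score meets the policy threshold."""
    return sorted(app for app, e in apps.items() if not e["sanctioned"] and e["risk"] >= min_risk)

def high_risk_users(records, upload_limit=1_000_000):
    """Users who sent more than upload_limit bytes to unsanctioned apps (policy: alert or block)."""
    per_user = {}
    for user, host, bytes_up in records:
        if not lookup(host)[1]:
            per_user[user] = per_user.get(user, 0) + bytes_up
    return sorted(user for user, total in per_user.items() if total > upload_limit)
```

A real CASB would feed the flagged apps and users into its enforcement layer (blocking, step-up authentication, or DLP inspection) rather than just returning lists.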