Planning and design
Treat security as a foundational design concern, not an afterthought. Build security systems and controls from the start, establish management processes and a security awareness program, and integrate them into every stage of development and operations.
Security must be built in, not bolted on. As you build your cloud environment or on-premises data center, establish security systems, technical controls, and management processes in parallel with infrastructure and application work. A security awareness program reinforces this culture across teams. Integrate these controls, processes, and organizational structures into infrastructure development, application development, deployment, and daily operations so that security is consistent and durable rather than reactive.

Key recommendations:
Align security with business strategy. Assess how your business strategy aligns with your cloud initiatives.
Evaluate risks systematically. Use consulting services and risk assessment tools to evaluate the types of risks in your cloud computing environment, their likelihood, and their impact. Assess architectural, management, and compliance risks as part of your planning process.
Build on established methodologies. Design your security system around reference frameworks, technical controls, and operational mechanisms drawn from proven approaches.
Operate security continuously. Establish a security operations system that identifies risks on an ongoing basis, feeds findings back into your security framework, and drives iterative improvement of technical controls.