If you have been in IT security as long as I have, when it comes to moving to cloud, you are feeling a certain sense of déjà vu. We have been here before, this place of uncertainty, where we lack visibility into and control over our sensitive data.

Think back to the first wave of the digital revolution in the early to mid-’90s, when our organizations were just connecting to the Internet and every user in the company now had Internet access. At first, we had little or no visibility into what was coming into or out of our network. We put in basic firewalls to give us granular access control and activity logging, and we now had a secure perimeter that allowed us to see and control that new traffic. Of course, every few years a new set of holes was created in that perimeter – our first websites, business-to-business email, dial-up, wireless access, etc. In each case we had to deploy new security solutions to re-secure our network perimeter.

Today’s move to the cloud feels so similar to how I felt back then. This time the organization wants cloud-based applications, delivered as a service, and the lines of business are connecting their systems to the cloud without us knowing. All that visibility and control we had established just flew out the window. We know with this newest wave in IT innovation that our teams need to approach it with the same goal as before – visibility and control. This time, however, the perimeter isn't around our network, it’s around our sensitive data – no matter where it resides.

I’ve found it helps to remember that the main tenets of cybersecurity haven’t changed. It’s all about critical data, the credentials that have privilege to access that data, and the applications and processes that run on the systems – wherever those credentials are used or wherever that sensitive data resides.

Treat your sensitive data in the cloud just like you would when storing your valuables at a bank. When in the bank, your valuables are secured in their own safety deposit box, just like encryption at rest. While transported to and from the bank, your valuables ride in an armored vehicle, just like encryption in motion. And when they are being accessed, you need your photo ID and your key, just like multifactor authentication. At each step, access is being recorded by cameras and sign-in sheets, just like activity logs.

So the main tenets that haven’t changed are:

Critical data – What sensitive data is monetizable? What is valuable intelligence that can be used by a competitor or nation state, and what would an attacker target for sabotage? Think like an attacker. Now, where is the data and what controls does the business require for it – encryption at rest, encryption in motion, or multifactor authentication?

Credentials – Who should have access to your critical data and when are those credentials being used to access, modify, delete, or copy that sensitive data? Have those credentials been compromised?

Processes – Know which applications and processes are authorized to run on the systems containing your sensitive data.

What has changed, however, is now you need to partner with your cloud service provider (CSP) and your security vendors to ensure visibility into and control over your sensitive data in the cloud. Be sure to ask these questions:

Ask your CSP about its data practices to ensure your data isn’t being sent or stored outside of your control. Ensure your cloud provider offers encryption for data at rest, including backups and data in motion. Remember, disk-based encryption is not the same as file-based encryption. Inquire about how the CSP will support your corporate data retention policies. Most important, validate that adequate logging of all access to sensitive data occurs.
And with any cloud service, make sure your data isn’t shared with other entities.

Ensure that your CSP offers two-factor authentication to access its services and your sensitive data. Hackers are going to go after your servers first and then your credentials. Any compromise to your cloud service credentials can be devastating to your data security program. Inquire about what level of detailed logging for credential use is available. This is extremely important.

Secure your cloud services with solutions that provide both visibility and protection over cloud applications such as Intel Security Public Cloud Security Suite. You should know and be able to control which applications and processes are running on the systems that store, process, or access your sensitive data. Security for the cloud should come from the cloud and work natively in Azure and AWS.

Ideally the CSP you select fully supports giving your security team both visibility (access to the logs of sensitive data, privileged account access, and application/process activity along with control) and the ability to terminate the access of compromised accounts or rogue processes.

While it may feel frustrating, it’s a challenging time to be in IT security. The cloud provides us with a fresh platform to once again architect our security systems for visibility and control of our sensitive data. Déjà vu gives us the opportunity to do it better the second time around. Bring it on!