Cloud Security Matters…
Most businesses are migrating more applications, systems and processes to the cloud. Many companies resist the cloud’s numerous advantages because of lingering concerns over security in cloud computing. While concerns are understandable, when implemented correctly, cloud computing security is just as reliable as on-premise technology.
Cloud providers are a prime target for hackers. The primary security risks of cloud computing are:
A growing number of companies must comply with regulatory control of information, such as HIPAA for private health information. Staying compliant is becoming more difficult — you are required to know where your data is and who has access (and then you must protect it). The plethora of devices, including mobile phones and laptops, threatens falling into a state of non-compliance, risking disastrous effects like penalties and breaches.
Identity Theft and Data Breaches
Cloud computing essentially requires some loss of control from the customer to service providers. The convenience of cloud storage puts sensitive data is in a third party’s hands. With a lapse in security, hackers could gain access to personally identifiable information (PII), confidential data or sensitive files.
Unfortunately, anybody using cloud services is potentially at risk of cyberattacks. Cloud services can be used to proliferate malware attacks. For example, cyber criminals have used phishing tactics with file sharing services to deliver malware to unwitting targets.
Little Control over End User Activity
Without sufficient training and controls in place, employees and users can get into all kinds of “trouble” with cloud services. Data can be downloaded, devices shared, weak passwords used, or unwitting staff compromised.
Diminished Customer Trust & Lost Revenue
For obvious reasons, data breaches diminish customer trust. If customers suspect that their data is not safe, they can take their business elsewhere. There were over 5,000 data breaches worldwide in 2019, and about a third of those were in the U.S. Consider newsworthy breaches like the Target debit card scam, the Expedia hack of 2018, the Marriott breach in 2019, or the leak of Facebook profile data. Each of these incidents led to unfavorable press coverage and loss of business, negatively impacting revenue.
Best Practices in Cloud Security
Cloud security affects people, policies, processes, and technology. The objective is to protect data and systems in the cloud. In order to meet this objective, it’s a good idea to implement as many of the known best practices as a foundation.
Perform Due Diligence
First you must map the known technology landscape. Simply stated, you must know what you’re responsible for securing, whether a simple environment or a complex hybrid cloud.
Then you can develop a plan for tightening up (or implementing) safeguards.
Secure Cloud Credentials
PROTECT YOUR KEYS! You could literally hand the crown jewels via improper placement of AWS keys in source code repositories or wikis. Sure, it’s handy for your development team, but it’s also dangerous if the crown jewels fall into the wrong hands.
Control User Access
Far too many cloud environments are unsecurely configured, allowing direct access to servers (without protections from load balancers and firewalls). Know who has access to what data and when they can access it. Create identity and access control policies. Maintain minimum access levels for any privileges and grant higher level permissions as needed. That is, keep groups at the narrowest possible focused permissions.
Protect Your Data
Ensure your data is encrypted… If someone grabs Personally Identifiable Information (PII) from you, the ramifications can be horrific for your business (penalties, lost revenue, negative press). You must store any sensitive data with appropriate controls to access at all levels. Make sure the encryption keys (like your cloud credentials) are also appropriately locked down and only available to necessary personnel.
Use Logging Tools
It’s one thing to log but it’s also important to regularly review logs. Turn on security logging and monitoring (such as CloudTrail) and schedule routine reviews (weekly or monthly — annually is too late!).
Train Your Users
The weakest link in security is most likely human. Weak passwords, lost devices or social engineering all threaten exposure of data and processes. Train your users about phishing scams. Instruct everyone about the hazards of weak passwords (better yet, don’t allow them). Lock down BYOC device access so that security can’t be breached. Create policies & procedures that keep your software development from leaving doors open. Simply by training users about threats, you reduce the chances of a security nightmare.
Get Expert Help & Run Security Tests
Professional threat assessment and penetration testing are worth consideration. Consider verifying your preparedness when you have controls shored up (or even in the planning phase). If you don’t have in-house expertise, consider outsourcing to cloud security professionals. If your industry prefers certifications, consider getting compliance certification (e.g., SOC 2 or HIIPPA).
You can’t set it and forget it with security. New cracks and hacks appear daily, so you must be vigilant about threats. Review logs, audit user access, keep current with hacking news stories, and follow through with training for new users and periodic training updates.
Your Cloud Security Foundation
If your business is migrating or already residing in the cloud, youu need to prepare your team for the long and challenging security road ahead. Cloud security relies on a concerted team effort to utilize best practices. Protect your crown jewels, develop sound processes and avoid the headaches of an embarrassing data breach.