Cloud Security Matters…

Most businesses are migrating more applications, systems and processes to the cloud. Many companies resist the cloud’s numerous advantages because of lingering concerns over security in cloud computing. While concerns are understandable, when implemented correctly, cloud computing security is just as reliable as on-premise technology.

Cloud providers are a prime target for hackers. The primary security risks of cloud computing are:

  • Compliance Violations

    A growing number of companies must comply with regulatory control of information, such as HIPAA for private health information. Staying compliant is becoming more difficult — you are required to know where your data is and who has access (and then you must protect it). The plethora of devices, including mobile phones and laptops, threatens falling into a state of non-compliance, risking disastrous effects like penalties and breaches.

  • Identity Theft and Data Breaches

    Cloud computing essentially requires some loss of control from the customer to service providers. The convenience of cloud storage puts sensitive data is in a third party’s hands. With a lapse in security, hackers could gain access to personally identifiable information (PII), confidential data or sensitive files.

  • Malware Infections

    Unfortunately, anybody using cloud services is potentially at risk of cyberattacks. Cloud services can be used to proliferate malware attacks. For example, cyber criminals have used phishing tactics with file sharing services to deliver malware to unwitting targets.

  • Little Control over End User Activity

    Without sufficient training and controls in place, employees and users can get into all kinds of “trouble” with cloud services. Data can be downloaded, devices shared, weak passwords used, or unwitting staff compromised.

  • Diminished Customer Trust & Lost Revenue

    For obvious reasons, data breaches diminish customer trust. If customers suspect that their data is not safe, they can take their business elsewhere. There were over 5,000 data breaches worldwide in 2019, and about a third of those were in the U.S. Consider newsworthy breaches like the Target debit card scam, the Expedia hack of 2018, the Marriott breach in 2019, or the leak of Facebook profile data. Each of these incidents led to unfavorable press coverage and loss of business, negatively impacting revenue.

Best Practices in Cloud Security

Cloud security affects people, policies, processes, and technology. The objective is to protect data and systems in the cloud. In order to meet this objective, it’s a good idea to implement as many of the known best practices as a foundation.

  • Perform Due Diligence

    First you must map the known technology landscape. Simply stated, you must know what you’re responsible for securing, whether a simple environment or a complex hybrid cloud.

    • Technology
    • Devices
    • Systems
    • Data
    • Users

    Then you can develop a plan for tightening up (or implementing) safeguards.

  • Secure Cloud Credentials

    PROTECT YOUR KEYS! You could literally hand the crown jewels via improper placement of AWS keys in source code repositories or wikis. Sure, it’s handy for your development team, but it’s also dangerous if the crown jewels fall into the wrong hands.

  • Control User Access

    Far too many cloud environments are unsecurely configured, allowing direct access to servers (without protections from load balancers and firewalls). Know who has access to what data and when they can access it. Create identity and access control policies. Maintain minimum access levels for any privileges and grant higher level permissions as needed. That is, keep groups at the narrowest possible focused permissions.

  • Protect Your Data

    Ensure your data is encrypted… If someone grabs Personally Identifiable Information (PII) from you, the ramifications can be horrific for your business (penalties, lost revenue, negative press). You must store any sensitive data with appropriate controls to access at all levels. Make sure the encryption keys (like your cloud credentials) are also appropriately locked down and only available to necessary personnel.

  • Use Logging Tools

    It’s one thing to log but it’s also important to regularly review logs. Turn on security logging and monitoring (such as CloudTrail) and schedule routine reviews (weekly or monthly — annually is too late!).

  • Train Your Users

    The weakest link in security is most likely human. Weak passwords, lost devices or social engineering all threaten exposure of data and processes. Train your users about phishing scams. Instruct everyone about the hazards of weak passwords (better yet, don’t allow them). Lock down BYOC device access so that security can’t be breached. Create policies & procedures that keep your software development from leaving doors open. Simply by training users about threats, you reduce the chances of a security nightmare.

  • Get Expert Help & Run Security Tests

    Professional threat assessment and penetration testing are worth consideration. Consider verifying your preparedness when you have controls shored up (or even in the planning phase). If you don’t have in-house expertise, consider outsourcing to cloud security professionals. If your industry prefers certifications, consider getting compliance certification (e.g., SOC 2 or HIIPPA).

  • Review Regularly

    You can’t set it and forget it with security. New cracks and hacks appear daily, so you must be vigilant about threats. Review logs, audit user access, keep current with hacking news stories, and follow through with training for new users and periodic training updates.

Your Cloud Security Foundation

If your business is migrating or already residing in the cloud, youu need to prepare your team for the long and challenging security road ahead. Cloud security relies on a concerted team effort to utilize best practices. Protect your crown jewels, develop sound processes and avoid the headaches of an embarrassing data breach.

Major Security Breaches in 2019

Collection 1

Troy Hunt discovered a database on cloud storage site MEGA that contained 773 million email addresses and 22 million unique passwords collected from  different breaches dating back to 2008. The information was shared on a popular hacking forum where they could be shared with other cyber thieves.

Capital One

A Seattle-based software engineer hacked the database of Capital One.  The breach included over 80,000 bank account numbers, 140,000 Social Security numbers, 1 million Canadian social insurance numbers, and millions of credit card applications. Capital One reported that the breach could potentially cost  more than $300 million.

MoviePass

Personal and payment information of 58,000 subscribers to movie ticket subscription service MoviePass were stored openly on a server that was not password protected.

Adobe

Adobe Creative Cloud  account information from 7.5 million users was exposed through an unprotected online database. Data included email addresses, usernames, location, products, subscriptions and payment status.

Inmediata Health Group

Inmediata Health Group discovered that the records of 1.57 million patients were leaked and may include patients’ names, addresses, dates of birth, gender, and Social Security Numbers. Data was viewable online because of a webpage setting that permitted search engines to index internal webpages that are used for business operations.

Thinking about Moving to the Cloud?
Download our FREE Cloud Migration Strategy Guide today.

Download Free Guide