Improving Security in the Cloud
To reduce the burden on their IT staff and budget, and to gain the benefits of pooled resources and increased computational power, many businesses are looking to the Cloud for the provision of infrastructure, data storage, services, and applications. With this shift comes a learning curve, and the need to adapt to new technologies and methods of operating – whether in a fully public cloud, a private deployment, or a hybrid solution.
One key area in which new considerations must be taken into account is security.
Security in Context and Scale
Until fairly recently, the adoption of cloud technology – particularly in a multi-tenant public cloud environment – has been held back by security concerns. Businesses have been reluctant to cede control of their mission-critical data to service providers with an unproven track record. And some of the statistics haven’t helped.
A 2014 report by Forbes revealed that, based on 54 security benchmarks, a little over 13% of health-care facilities using the Cloud were at a high risk, with an alarming 77% in the medium risk category. Fewer than 10% of the organizations surveyed had an acceptable security level. And that was just in one industry.
Clearly, there’s still cause for concern. But there are measures that can be applied right now, to make your enterprise foray into the Cloud a safe and fruitful one.
Secure Possible Points of Entry
With Bring Your Own Device or BYOD policies in effect at so many organizations, there’s scope for an unsecured mobile phone to allow hackers access to your systems and data. Even a customer or supplier using a compromised device may be a point of access. Sharing passwords with work colleagues, or using Web applications with malware, vulnerabilities, or “back door” potential – these are all possible ways by which malicious intruders could gain access to your vital systems and data. And they need to be secured.
Regulate Access Permissions
Your system administrators will need to review the way in which they grant access to data, applications, and network resources. Ideally, a user’s access to data residing in the Cloud should vary according to the device they’re using to reach it and their location (e.g., in the office, at home, on assignment).
Training and orientation in data handling and accountability should also be given to high-level users who have access to mission-critical data or proprietary information.
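An added example (not part of the original article) of the access model described in the two paragraphs above: the decision depends on where the request comes from, the state of the device, the sensitivity of the data, and whether the user has had data-handling training. The network ranges, tier names, trust levels and policy table are all assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Every range, tier and rule here is constructed for illustration.
OFFICE_NETS = [ip_network("10.20.0.0/16")]
VPN_NETS = [ip_network("10.99.0.0/24")]  # staff at home or on assignment
TIERS = {"public": 1, "internal": 2, "critical": 3}

@dataclass(frozen=True)
class Device:
    managed: bool      # enrolled, so it can be wiped remotely
    patched: bool      # OS and anti-malware current
    screen_lock: bool

# (location, device trust) -> (highest tier readable, highest tier writable)
POLICY = {
    ("office", "high"): ("critical", "critical"),
    ("office", "medium"): ("internal", "public"),
    ("remote-vpn", "high"): ("critical", "internal"),
    ("remote-vpn", "medium"): ("internal", None),
    ("untrusted", "high"): ("internal", None),
}

def location(src_ip):
    try:
        ip = ip_address(src_ip)
    except ValueError:
        return "untrusted"  # unparseable source address gets no location trust
    if any(ip in net for net in OFFICE_NETS):
        return "office"
    return "remote-vpn" if any(ip in net for net in VPN_NETS) else "untrusted"

def device_trust(d):
    if d.managed and d.patched and d.screen_lock:
        return "high"
    # A healthy personal (BYOD) device is trusted less than a managed one.
    return "medium" if d.patched and d.screen_lock else "low"

def decide(src_ip, device, sensitivity, trained):
    """Return 'read-write', 'read-only' or 'deny'; anything unlisted is denied."""
    if sensitivity not in TIERS or (sensitivity == "critical" and not trained):
        return "deny"
    key = (location(src_ip), device_trust(device))
    max_read, max_write = (TIERS.get(t, 0) for t in POLICY.get(key, (None, None)))
    if TIERS[sensitivity] <= max_write:
        return "read-write"
    return "read-only" if TIERS[sensitivity] <= max_read else "deny"
```

Because the table lists only the combinations that are allowed, a new location or device state is denied until someone adds a rule for it.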
Secure Your Assets
Do a thorough assessment of your information and applications in the Cloud, to identify potential risk areas and vulnerabilities. Any databases or assets that could become targets due to the value and sensitivity of the information they hold should be earmarked for extra security – in the form of access control, intrusion detection, monitoring, encryption, etc.
Secure Your Devices
On your employees’ mobile devices, make sure that business and personal data are kept separate. This can be written into your BYOD policy agreements, together with provisions for installing anti-malware apps, and authorizing automatic software patches and updates. Users should be required to set strong password and lockscreen protection on devices in the field. And administrators should be given rights to remotely wipe data on any hardware which is reported lost, stolen, or potentially compromised.
Monitor Your Providers
You should conduct a thorough audit of your cloud service providers – either via your specialist IT/security staff or by hiring an independent auditor.
You’ll need to establish the measures that your providers have in place to ensure the privacy and integrity of your confidential business data, and their methods of restricting who within their organization has access to critical applications, servers, and infrastructure. The scope of the audit should extend to include any partner or sub-contracted services that your cloud providers use.
You’ll also need to study your Service Level Agreements (SLAs), to confirm the provisions they make for ensuring network and service availability, data security, backups, disaster recovery, monitoring, and so on – and the levels of liability or compensation involved, when issues arise.
Monitor Your Applications
With the Cloud assisting the rapid and agile development of applications, there’s a need to continuously monitor and test both new and existing ones for vulnerabilities and glitches. To moderate the load on your IT division, do an audit of your cloud-based applications to identify the most critical ones. These should be submitted to deep scanning, while parallel scans for the most common threats may be run on all the others. Cloud-based scanning tools may be employed for this purpose – so long as they originate from a trusted and reputable source.
Different types of Cloud deployment may pose different kinds of threats to applications. So it’s important to bear in mind the security implications of your application’s performance under, say, a Platform as a Service (PaaS) situation, compared to the risks it faces under Infrastructure as a Service (IaaS).
Use Analytics and Intelligence
The tools required for password validation and user access capture information that can be used in forensic examinations of threat incidents, and for regulatory compliance purposes. It’s important to exploit these resources for the insight they can provide into avenues of possible attack, and areas of potential vulnerability.
A security intelligence layer of data analytics tools can monitor these issues in real time, and provide a view of what’s happening in your own data center and in whatever Cloud infrastructure you employ. The devices protecting your own network can add to this layer by providing information and analysis on the resources and applications that your users are interacting with.
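As an added illustration (not from the original article) of the insight that login records can give, the sketch below runs two simple detections over authentication events. The log format (timestamp, user, source IP, result), the sample records and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: timestamp, user, source IP, result.
SAMPLE_LOG = """\
2024-05-01T09:14:10Z bob 198.51.100.23 failure
2024-05-01T09:14:12Z carol 198.51.100.23 failure
2024-05-01T09:14:15Z dave 198.51.100.23 failure
2024-05-01T10:02:00Z frank 203.0.113.9 failure
2024-05-01T10:02:20Z frank 203.0.113.9 failure
2024-05-01T10:02:41Z frank 203.0.113.9 failure
2024-05-01T10:03:05Z frank 203.0.113.9 success
2024-05-01T11:30:00Z alice 10.20.1.15 failure
2024-05-01T11:30:30Z alice 10.20.1.15 success
"""

def parse(log):
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("success", "failure"):
            continue  # skip malformed records rather than guessing
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, parts[1], parts[2], parts[3]))
    return sorted(events)

def sources_failing_many_accounts(events, min_users=3, window=timedelta(minutes=5)):
    # One source failing against many distinct accounts inside a short window.
    by_src = defaultdict(list)
    for ts, user, src, result in events:
        if result == "failure":
            by_src[src].append((ts, user))
    flagged = {}
    for src, fails in by_src.items():
        for start, _ in fails:
            users = {u for t, u in fails if start <= t <= start + window}
            if len(users) >= min_users:
                flagged.setdefault(src, sorted(users))
    return flagged

def success_after_failures(events, threshold=3, window=timedelta(minutes=10)):
    # A success preceded by >= threshold failures for the same user and source.
    hits = []
    for ts, user, src, result in events:
        prior = [t for t, u, s, r in events
                 if r == "failure" and (u, s) == (user, src) and ts - window <= t < ts]
        if result == "success" and len(prior) >= threshold:
            hits.append((user, src, ts.isoformat()))
    return hits
```

In the sample, a single mistyped password followed by a successful login stays below both thresholds, so ordinary user error is not flagged.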
Plan for the Worst
Have a contingency plan in place, and keep testing. It’s possible to have your IT staff simulate the effects of a disaster (an in-house fire drill), or to hire a “benevolent hacker” (an independent consultant) to do the same.
Don’t Neglect the Basics
Regularly backing up your mission-critical data is the simplest way of protecting it. So don’t neglect this vital chore.