Storing data in the cloud is the most cost effective option for many companies. However, while cloud computing is limitlessly scalable and supremely flexible, data security can be a concern. Mitigating risk when using cloud computing solutions is one of the top challenges facing CIOs and CISOs today. Here are some of the key factors to consider.
Choose the Right Provider
Look for a provider with an understanding of any data security requirements unique to your industry. They should already have adequate security measures in place, and be able to present documentation of independent audits. Accept nothing less than 99.9%-plus availability, and ask about responsiveness of support. Ideally, the cloud provider you choose will be able to provide security assurances that match or exceed what you could do in-house.
It’s crucial to clarify who is responsible for what when it comes to maintaining security in the cloud environment. If you are considering a provider that offers an online subscription agreement, address the responsibility associated with handling any potential data breach. Ask to see their data breach policy and plan for handling a breach. Ideally, the provider should bear all costs associated with addressing a data breach that is their responsibility, including notifications. However, not all contracts can be negotiated, and you must fully understand the risks of the service you are utilizing. You should also have an exit plan for if/when you may need to discontinue cloud service or switch providers in the future.
Classify Your Data
Examine your data and separate it into different tiers before shifting it to the cloud. Some data and applications can be considered low risk, and be moved to the cloud with little or no hesitation. Mission critical applications may be moved if the level of security is deemed sufficient, but be aware of how important access to this data is for daily running of your business. Finally, regulated information such as customer financial data or patient data subject to Data protection should only be stored in the cloud if the business value offsets the risk, and there is a high level of confidence in the cloud provider.
Trust But Verify
A lack of trust in cloud security has hampered widespread adoption. However, if you complete due diligence, you can provide peace of mind for the C-suite and shareholders in your organisation. Gather and compare information on non-disclosure agreements, compliance, physical security, incident handling, logs of security attacks, and backup and recovery policies. Then you can make your case for cloud data storage with confidence.
Retain Traditional Security Processes
Many of the same security processes that work on-premises translate to providing the same protection for applications in the cloud. A web application firewall can help secure your data against threats like Application DDoS or SQL Injection, defending applications or workloads hosted in the cloud.
The devices used to connect to cloud storage can provide a vulnerability for attacks. An unprotected laptop used to regularly access cloud-stored data can be infected by malware and keys to the cloud stolen. Require all devices to be protected, and mandate Managed Antivirus, and Anti-Malware be updated regularly. Implement DNS routing mobile device management and a secure mobile wireless connection with restricted admin privileges.
Many cybersecurity attacks don’t penetrate a data center or cloud directly. Instead, the attacks seek to compromise end-points in retail, manufacturing, and healthcare settings. Common end-points ripe for exploitation include payment terminals, teller registers, and end-user laptops. Virtualising users and applications can reduce the perimeter of exposure, housing applications, data and processes behind a protected infrastructure with no direct data access permitted.
Want the cost-effectiveness, scalability and flexibility cloud computing offers, but feel uncomfortable giving up control? Your instincts are right. Consider implementing innovative technologies like a combination of split key encryption and homomorphic key management. You’ll be able to seamlessly migrate apps and data to the cloud, but retain total control of data and encryption keys, which are never stored with cloud providers.
Encrypt In Flight and At Rest
Data that is ‘in flight’ (transferring/sharing) must be encrypted, and ideally is left encrypted while ‘at rest’ (in storage) until it is needed. This is particularly important for data protected by HIPAA, or the Health Insurance Portability and Accountability Act. Monitoring system logs can help build a picture of when and by whom data is being transferred, and where and when encryption or decryption takes place.
Minimise Vendor Risk
If you have third-party vendors who will be allowed access to your cloud data, you are opening up new vulnerabilities. Limit direct access, deploy zero-trust parameters for unknown devices or users, and use two-step authentication to maintain control of your cloud. Consider setting up a smaller server dedicated for guest and vendor use, and control it tightly to prevent unauthorised access.
The biggest enemy of data security in the cloud is complacency. Security isn’t something you can set and forget. A monthly review of cloud and on-premises security should be the norm, all incoming employees should undergo cybersecurity training, and an annual or biannual audit should be completed to highlight any vulnerabilities between your organisation and the cloud.
Following these guidelines can help you maintain the security of data while in the cloud, whether it’s your own or belongs to clients or customers.