Do you assume that your data in the cloud is backed up and safe from threats? Not so fast.
With a record number of cybersecurity attacks taking place in 2018, it is clear that all data is under threat.
Everyone always thinks “It cannot happen to me.” The reality is, no network is 100% safe from hackers.
According to the Kaspersky Lab, ransomware rose by over 250% in 2018 and continues to trend in a very frightening direction. Following the advice presented here is the ultimate insurance policy from the crippling effects of a significant data loss in the cloud.
How do you start securing your data in the cloud? What are the best practices to keep your data protected in the cloud? How safe is cloud computing?
To help you jump-start your security strategy, we invited experts to share their advice on Cloud Security Risks and Threats.
Key Takeaways From Our Experts on Cloud Protection & Security Threats
- Accept that it may only be a matter of time before someone breaches your defenses, plan for it.
- Do not assume your data in the cloud is backed up.
- Enable two-factor authentication and IP-location to access cloud applications.
- Leverage encryption. Encrypt data at rest.
- The human element is among the biggest threats to your security.
- Implement a robust change control process, with weekly patch management cycle.
- Maintain offline copies of your data to in the event your cloud data is destroyed or held ransom.
- Contract with 24×7 security monitoring service.
- Have an security incident response plan.
- Utilize advanced firewall technology including WAF (Web Access Firewalls).
- Take advantage of application services, layering, and micro-segmentation.
1. Maintain Availability In The Cloud
Dustin Albertson, Senior Cloud Solutions Architect at Veeam
When most people think about the topic of cloud-based security, they tend to think about Networking, Firewalls, Endpoint security, etc. Amazon defines cloud security as:
Security in the cloud is much like security in your on-premises data centers – only without the costs of maintaining facilities and hardware. In the cloud, you do not have to manage physical servers or storage devices. Instead, you use software-based security tools to monitor and protect the flow of information into and of out of your cloud resources.
But one often overlooked risk is maintaining availability. What I mean by that is more than just geo-redundancy or hardware redundancy, I am referring to making sure that your data and applications are covered. Cloud is not some magical place where all your worries disappear; a cloud is a place where all your fears are often easier and cheaper to multiply. Having a robust data protection strategy is key. Veeam has often been preaching about the “3-2-1 Rule” that was coined by Peter Krogh.
The rule states that you should have three copies of your data, storing them on two different media, and keeping one offsite. The one offsite is usually in the “cloud,” but what about when you are already in the cloud?
This is where I see most cloud issues arise, when people are already in the cloud they tend to store the data in the same cloud. This is why it is important to remember to have a detailed strategy when moving to the cloud. By leveraging things like Veeam agents to protect cloud workloads and Cloud Connect to send the backups offsite to maintain that availability outside of the same datacenter or cloud. Don’t assume that it is the providers’ job to protect your data because it is not.
2. Cloud MIgration is Outpacing The Evolution of Security Controls
Salvatore Stolfo, CTO of Allure Security
According to a new survey conducted by ESG, 75% of organizations said that at least 20% of their sensitive data stored in public clouds is insufficiently secured. Also, 81% of those surveyed believe that on-premise data security is more mature than public cloud data.
Yet, businesses are migrating to the cloud faster than ever to maximize organizational benefits: an estimated 83% of business workloads will be in the cloud by 2020, according to LogicMonitor’s Cloud Vision 2020 report. What we have is an increasingly urgent situation in which organizations are migrating their sensitive data to the cloud for productivity purposes at a faster rate than security controls are evolving to protect that data.
Companies must look at solutions that control access to data within cloud shares based on the level of permission that user has, but they must also have the means to be alerted when that data is being accessed in unusual or suspicious ways, even by what appears to be a trusted user.
Remember that many hackers and insider leaks come from bad actors with stolen, legitimate credentials that allow them to move freely around in a cloud share, in search of valuable data to steal. Deception documents, called decoys, can also be an excellent tool to detect this. Decoys can alert security teams in the early stage of a cloud security breach to unusual behaviors, and can even fool a would-be cyber thief into thinking they have stolen something of value when in reality, it’s a highly convincing fake document. Then, there is the question of having control over documents even when they have been lifted out of the cloud share.
This is where many security solutions start to break down. Once a file has been downloaded from a cloud repository, how can you track where it travels and who looks at it? There must be more investment in technologies such as geofencing and telemetry to solve this.
3. Minimize Cloud Computing Threats and Vulnerabilities With a Security Plan
Nic O’Donovan, Solutions Architect and Cloud Specialist with VMware
The Hybrid cloud continues to grow in popularity with the enterprise – mainly as the speed of deployment, scalability, and cost savings become more attractive to business. We continue to see infrastructure rapidly evolving into the cloud, which means security must develop at a similar pace. It is essential for the enterprise to work with a Cloud Service Provider who has a reliable approach to security in the cloud.
This means the partnership with your Cloud Provider is becoming increasingly important as you work together to understand and implement a security plan to keep your data secure.
Security controls like Multi-factor authentication, data encryption along with the level of compliance you require are all areas to focus on while building your security plan.
4. Never Stop Learning About Your Greatest Vulnerabilities
Isacc Kohen, CEO of Teramind
More and more companies are falling victim to the cloud, and it has to do with cloud misconfiguration and employee negligence.
1. The greatest threats to data security are your employees. Negligent or malicious, employees are one of the top reasons for malware infections and data loss. The reasons why malware attacks and phishing emails are common words in the news is because they are ‘easy’ ways for hackers to access data. Through social engineering, malicious criminals can ‘trick’ employees into giving passwords and credentials over to critical business and enterprise data systems. Ways to prevent this: an effective employee training program and employee monitoring that actively probes the system
2. Never stop learning. In an industry that is continuously changing and adapting, it is important to be updated on the latest trends and vulnerabilities. For example with the Internet of Things (IoT), we are only starting to see the ‘tip of the iceberg’ when it comes to protecting data over increased wi-fi connections and online data storage services. There’s more to develop with this story, and it will have a direct impact on small businesses in the future.
3. Research and understand how the storage works, then educate. We’ve heard the stories – when data is exposed through the cloud, many times it’s due to misconfiguration of the cloud settings. Employees need to understand the security nature of the application and that the settings can be easily tampered with and switched ‘on’ exposing data externally. Educate security awareness through training programs.
4. Limit your access points. An easy way to mitigate this, limit your access points. A common mistake with cloud exposure is due to when employees with access by mistake enable global permissions allowing the data exposed to an open connection. To mitigate, understand who and what has access to the data cloud – all access points – and monitor those connections thoroughly.
5. Monitoring the systems. Progressive and through. For long-term protection of data on the cloud, use a user-analytics and monitoring platform to detect breaches quicker. Monitoring and user analytics streamlines data and creates a standard ‘profile’ of the user – employee and computer. These analytics are integrated and following your most crucial data deposits, which you as the administrator indicated in the detection software. When specific cloud data is tampered with, moved or breached, the system will “ping” an administrator immediately indicating a change in character.
5. Consider Hybrid Solutions
Michael V.N. Hall, Director of Operations for Turbot
There are several vital things to understand about security in the cloud:
1. Passwords are power – 80% of all password breaches could have been prevented by multifactor identification: by verifying your personal identity via text through to your phone or an email to your account, you can now be alerted when someone is trying to access your details.
One of the biggest culprits at the moment is weakened credentials. That means passwords, passkeys, and passphrases are stolen through phishing scams, keylogging, and brute-force attacks.
Passphrases are the new passwords. Random, easy-to-remember passphrases are much better than passwords, as they tend to be longer and more complicated.
MyDonkeysEatCheese47 is a complicated passphrase and unless you’re a donkey owner or a cheese-maker, unrelated to you. Remember to make use of upper and lowercase letters as well as the full range of punctuation.
2. Keep in touch with your hosting provider. Choose the right hosting provider – a reputable company with high-security standards in place. Communicate with them regularly as frequent interaction allows you to keep abreast of any changes or developing issues.
3. Consider a hybrid solution. Hybrid solutions allow for secure, static systems to store critical data in-house while at the same time opening up lower priority data to the greater versatility of the cloud.
6. Learn How Cloud Security Systems Work
Tom DeSot, CIO of Digital Defense, Inc.
Businesses need to make sure they evaluate cloud computing security risks and benefits. It is to make sure that they educate themselves on what it means to move into the cloud before taking that big leap from running systems in their own datacenter.
All too often I have seen a business migrate to the cloud without a plan or any knowledge about what it means to them and the security of their systems. They need to recognize that their software will be “living” on shared systems with other customers so if there is a breach of another customer’s platform, it may be possible for the attacker to compromise their system as well.
Likewise, cloud customers need to understand where their data will be stored, whether it will be only in the US, or the provider replicates to other systems that are on different continents. This may cause a real issue if the information is something sensitive like PII or information protected under HIPAA or some other regulatory statute. Lastly, the cloud customer needs to pay close attention to the Service Level Agreements (SLA) that the cloud provider adheres to and ensure that it mirrors their own SLA.
Moving to the cloud is a great way to free up computing resources and ensure uptime, but I always advise my clients to make a move in small steps so that they have time to gain an appreciation for what it means to be “in the cloud.”
7. Do Your Due Diligence In Securing the Cloud
Ken Stasiak, CEO of SecureState
Understand the type of data that you are putting into the cloud and the mandated security requirements around that data.
Once a business has an idea of the type of data they are looking to store in the cloud, they should have a firm understanding of the level of due diligence that is required when assessing different cloud providers. For example, if you are choosing a cloud service provider to host your Protected Health Information (PHI), you should require an assessment of security standards and HIPAA compliance before moving any data into the cloud.
Some good questions to ask when evaluating whether a cloud service provider is a fit for an organization concerned with securing that data include: Do you perform regular SOC audits and assessments? How do you protect against malicious activity? Do you conduct background checks on all employees? What types of systems do you have in place for employee monitoring, access determination, and audit trails?
8. Set up Access Controls and Security Permissions
Michael R. Durante, President of Tie National, LLC.
While the cloud is a growing force in computing for its flexibility for scaling to meet the needs of a business and to increase collaboration across locations, it also raises security concerns with its potential for exposing vulnerabilities relatively out of your control.
For example, BYOD can be a challenge to secure if users are not regularly applying security patches and updates. The number one tip I would is to make the best use of available access controls.
Businesses need to utilize access controls to limit security permissions to allow only the actions related to the employees’ job functions. By limiting access, businesses assure critical files are available only to the staff needing them, therefore, reducing the chances of their exposure to the wrong parties. This control also makes it easier to revoke access rights immediately upon termination of employment to safeguard any sensitive content within no matter where the employee attempts access from remotely.
9. Understand the Pedigree and Processes of the Supplier or Vendor
Paul Evans, CEO of Redstor
The use of cloud technologies has allowed businesses of all sizes to drive performance improvements and gain efficiency with more remote working, higher availability and more flexibility.
However, with an increasing number of disparate systems deployed and so many cloud suppliers and software to choose from, retaining control over data security can become challenging. When looking to implement a cloud service, it is essential to thoroughly understand the pedigree and processes of the supplier/vendor who will provide the service. Industry standard security certifications are a great place to start. Suppliers who have an ISO 27001 certification have proven that they have met international information security management standards and should be held in higher regard than those without.
Gaining a full understanding of where your data will to geographically, who will have access to it, and whether it will be encrypted is key to being able to protect it. It is also important to know what the supplier’s processes are in the event of a data breach or loss or if there is downtime. Acceptable downtime should be set out in contracted Service Level Agreements (SLAs), which should be financially backed by them provide reassurance.
For organizations looking to utilize cloud platforms, there are cloud security threats to be aware of, who will have access to data? Where is the data stored? Is my data encrypted? But for the most part cloud platforms can answer these questions and have high levels of security. Organizations utilizing the clouds need to ensure that they are aware of data protection laws and regulations that affect data and also gain an accurate understanding of contractual agreements with cloud providers. How is data protected? Many regulations and industry standards will give guidance on the best way to store sensitive data.
Keeping unsecured or unencrypted copies of data can put it at higher risk. Gaining knowledge of security levels of cloud services is vital.
What are the retention policies, and do I have a backup? Cloud platforms can have widely varied uses, and this can cause (or prevent) issues. If data is being stored in a cloud platform, it could be vulnerable to cloud security risks such as ransomware or corruption so ensuring that multiple copies of data are retained or backed up can prevent this. Guaranteeing these processes have been taken improves the security levels of an organizations cloud platforms and gives an understanding of where any risk could come from
10. Use Strong Passwords and Multi-factor Authentication
Fred Reck, InnoTek Computer Consulting
Ensure that you require strong passwords for all cloud users, and preferably use multi-factor authentication.
According to the 2017 Verizon Data Breach Investigations Report, 81% of all hacking-related breaches leveraged either stolen and/or weak passwords. One of the most significant benefits of the Cloud is the ability to access company data from anywhere in the world on any device. On the flip side, from a security standpoint, anyone (aka “bad guys”) with a username and password can potentially access the businesses data. Forcing users to create strong passwords makes it vastly more difficult for hackers to use a brute force attack (guessing the password from multiple random characters.)
In addition to secure passwords, many cloud services today can utilize an employee’s cell phone as the secondary, physical security authentication piece in a multi-factor strategy, making this accessible and affordable for an organization to implement. Users would not only need to know the password but would need physical access to their cell phone to access their account.
Lastly, consider implementing a feature that would lock a user’s account after a predetermined amount of unsuccessful logins.
11. Enable IP-location Lockdown
Chris Byrne is co-founder and CEO of Sensorpro
Companies should enable two-factor authentication and IP-location lockdown to access to the cloud applications they use.
With 2FA, you add another challenge to the usual email/password combination by text message. With IP lockdown you can ring-fence access from your office IP or the IP of remote workers. If the platform does not support this, consider asking your provider to enable it.
Regarding actual cloud platform provision, provide a data at rest encryption option. At some point, this will become as ubiquitous as https (SSL/TLS). Should the unthinkable happen and data ends up in the wrong hands, i.e., a device gets stolen or forgotten on a train, then data at rest encryption is the last line of defense to prevent anyone from accessing your data without the right encryption keys. Even if they manage to steal it, they cannot use it. This, for example, would have ameliorated the recent Equifax breach.
12. Cloud Storage Security Solutions With VPN’s
Eric Schlissel, President, and CEO of GeekTek
Use VPNs (virtual private networks) whenever you connect to the cloud. VPNs are often used to semi-anonymize web traffic, usually by viewers that are geoblocked by accessing streaming services such as Netflix USA or BBC Player. They also provide a crucial layer of security for any device connecting to your cloud. Without a VPN, any potential intruder with a packet sniffer could determine what members were accessing your cloud account and potentially gain access to their login credentials.
Encrypt data at rest. If for any reason a user account is compromised on your public, private or hybrid cloud, the difference between data in plaintext vs. encrypted format can be measured in hundreds of thousands of dollars — specifically $229,000, the average cost of a cyber attack reported by the respondents of a survey conducted by the insurance company Hiscox. As recent events have shown, the process of encrypting and decrypting this data will prove far more painless than enduring its alternative.
Use two-factor authentication and single sign-on for all cloud-based accounts. Google, Facebook, and PayPal all utilize two-factor authentication, which requires the user to input a unique software-generated code into a form before signing into his/her account. Whether or not your business aspires to their stature, it can and should emulate this core component of their security strategy. Single sign-on simplifies access management, so one pair of user credentials signs the employee into all accounts. This way, system administrators only have one account to delete rather than several that can be forgotten and later re-accessed by the former employee.
13. Beware of the Human Element Risk
Steven J.J. Weisman, Lawyer, and Professor at Bentley University
To paraphrase Shakespeare, the fault is not in the cloud; the responsibility is in us.
Storing sensitive data in the cloud is a good option for data security on many levels. However, regardless of how secure a technology may be, the human element will always present a potential security danger to be exploited by cybercriminals. Many past cloud security breached have proven not to be due to security lapses by the cloud technology, but rather by actions of individual users of the cloud.
They have unknowingly provided their usernames and passwords to cybercriminals who, through spear phishing emails, phone calls or text messages persuade people to give the critical information necessary to access the cloud account.
The best way to avoid this problem, along with better education of employees to recognize and prevent spear phishing, is to use dual factor authentication such as having a one time code sent to the employee’s cell phone whenever the cloud account is attempted to be accessed.
14. Ensure Data Retrieval From A Cloud Vendor
Bob Herman, Co-Founder, and President of IT Tropolis.
1. Two-factor authentication protects against account fraud. Many users fail victim to email phishing attempts where bad actors dupe the victim into entering their login information on a fake website. The bad actor can then log in to the real site as the victim, and do all sorts of damage depending on the site application and the user access. 2FA ensures a second code must be entered when logging into the application. Usually, a code sent to the user’s phone.
2. Ensuring you own your data and that can retrieve it in the event you no longer want to do business with the cloud vendor is imperative. Most legitimate cloud vendors should specify in their terms that the customer owns their data. Next, you need to confirm you can extract or export the data in some usable format, or that the cloud vendor will provide it to you on request.
15. Real Time and Continuous Monitoring
Sam Bisbee, Chief Security Officer at Threat Stack
1. Create Real-Time Security Observability & Continuous Systems Monitoring
While monitoring is essential in any data environment, it’s critical to emphasize that changes in modern cloud environments, especially those of SaaS environments, tend to occur more frequently; their impacts are felt immediately.
The results can be dramatic because of the nature of elastic infrastructure. At any time, someone’s accidental or malicious actions could severely impact the security of your development, production, or test systems.
Running a modern infrastructure without real-time security observability and continuous monitoring is like flying blind. You have no insight into what’s happening in your environment, and no way to start immediate mitigation when an issue arises. You need to monitor application and host-based access to understand the state of your application over time.
- Monitoring systems for manual user actions. This is especially important in the current DevOps world where engineers are likely to have access to production. It’s possible they are managing systems using manual tasks, so use this as an opportunity to identify processes that are suited for automation.
- Tracking application performance over time to help detect anomalies. Understanding “who did what and when” is fundamental to investigating changes that are occurring in your environment.
2. Set & Continuously Monitor Configuration Settings
Security configurations in cloud environments such as Amazon Direct Connect can be complicated, and it is easy to inadvertently leave access to your systems and data open to the world, as has been proven by all the recent stories about S3 leaks.
Given the changeable (and sometimes volatile) nature of SaaS environments, where services can be created and removed in real time on an ongoing basis, failure to configure services appropriately, and failure to monitor settings can jeopardize security. Ultimately, this will erode the trust that customers are placing in you to protect their data.
By setting configurations against an established baseline and continuously monitoring them, you can avoid problems when setting up services, and you can detect and respond to configuration issues more quickly when they occur.
3. Align Security & Operations Priorities for Cloud Security Solutions and Infrastructure
Good security is indistinguishable from proper operations. Too often these teams are at odds inside an organization. Security is sometimes seen as slowing down a business— overly focused on policing the activities of Dev and Ops teams. But security can be a business enabler.
Security should leverage automation testing tools, security controls and monitoring inside an organization — across network management, user access, the configuration of infrastructure, and vulnerability management across application layer — will drive the business forward, reducing risk across the attack surface and maintaining operational availability.
16. Use Auditing Tools to Secure Data In the Cloud
Jeremey Vance, US Cloud
1. Use an auditing tool so that you know what all you have in the cloud and what all of your users are using in the cloud. You can’t secure data that you don’t know about.
2. In addition to finding out what services are being run on your network, find out how and why those services are being used, by whom and when.
3. Make that auditing process a routine part of your network monitoring, not just a one-time event. Moreover, if you don’t have the bandwidth for that, outsource that auditing routine to a qualified third party like US Cloud.
17. Most Breaches Start At Simple Unsecured Points
Marcus Turner, Chief Architect & CTO at Enola Labs
The cloud is very secure, but to ensure you are keeping company data secure it is important to configure the cloud properly.
For AWS specifically, AWS Config is the tool best utilized to do this. AWS, when configured the right way, is one of the most secure cloud computing environments in the world. However, most data breaches are not hackers leveraging complex programs to get access to critical data, but rather it’s the simple unsecured points, the low hanging fruit, that makes company data vulnerable.
Even with the best cloud security, human error is often to blame for the most critical gap or breach in protection. Having routines to validate continuous configuration accuracy is the most underused and under-appreciated metric for keeping company data secure in the cloud.
18. Ask Your Cloud Vendor Key Security Questions
Brandan Keaveny, Ed.D., Founder of Data Ethics LLC
When exploring the possibilities of moving to a cloud-based solution, you should ensure adequate supports are in place should a breach occur. Make sure you ask the following questions before signing an agreement with a cloud-based provider:
Question: How many third-parties does the provider use to facilitate their service?
Reason for question (Reason): Processes and documentation will need to be updated to include procedural safeguards and coordination with the cloud-based solution. Additionally, the level of security provided by the cloud-based provider should be clearly understood. Increased levels of security made need to be added to meet privacy and security requirements for the data being stored.
Question: How will you be notified if a breach of their systems occurs and will they assist your company in the notification of your clients/customers?
Reason: By adding a cloud-based solution to the storage of your data also adds a new dimension of time to factor into the notification requirements that may apply to your data should a breach occur. These timing factors should be incorporated into breach notification procedures and privacy policies.
When switching to the cloud from a locally hosted solution your security risk assessment process needs to be updated. Before making the switch, a risk assessment should take place to understand the current state of the integrity of the data that will be migrated.
Additionally, research should be done to review how data will be transferred to the cloud environment. Questions to consider include:
Question: Is your data ready for transport?
Reason: The time to conduct a data quality assessment is before migrating data to a cloud-based solution rather than after the fact.
Question: Will this transfer be facilitated by the cloud provider?
Reason: It is important to understand the security parameters that are in place for the transfer of data to the cloud provider, especially when considering large data sets.
19. Secure Your Cloud Account Beyond the Password
Contributed by the team at Dexter Edward
Secure the cloud account itself. All the protection on a server/os/application won’t help if anyone can take over the controls.
- Use a strong and secure password on the account and 2-factor authentication.
- Rotate cloud keys/credentials routinely.
- Use IP whitelists.
- Use any role-based accesses on any associated cloud keys/credentials.
Secure access to the compute instances in the cloud.
- Use firewalls provided by the cloud providers.
- Use secure SSH keys for any devices that require login access.
- Require a password for administrative tasks.
- Construct your application to operate without root privilege.
- Ensure your applications use encryption for any communications outside the cloud.
- Use authentication before establishing public communications.
Use as much of the private cloud network as you can.
- Avoid binding services to all public networks.
- Use the private network to isolate even your login access (VPN is an option).
Take advantage of monitoring, file auditing, and intrusion detection when offered by cloud providers.
- The cloud is made to move – use this feature to change up the network location.
- Turn off instances when not in use. b. Keep daily images so you can move the servers/application around the internet more frequently.
20. Consider Implementing Managed Virtual Desktops
Michael Abboud, CEO, and Founder of TetherView
Natural disasters mixed with cyber threats, data breaches, hardware problems, and the human factor, increase the risk that a business will experience some type of costly outage or disruption.
Moving towards managed virtual desktops delivered via a private cloud, provides a unique opportunity for organizations to reduce costs and provide secure remote access to staff while supporting business continuity initiatives and mitigating the risk of downtime.
Taking advantage of standby virtual desktops, a proper business continuity solution provides businesses with the foundation for security and compliance.
The deployment of virtual desktops provides users with the flexibility to work remotely via a fully-functional browser-based environment while simultaneously allowing IT departments to centrally manage endpoints and lock down business critical data. Performance, security, and compliance are unaffected.
Standby virtual desktops come pre-configured and are ready to be deployed instantaneously, allowing your team to remain “business as usual” during a sudden disaster.
In addition to this, you should ensure regular data audits and backups
If you don’t know what is in your cloud, now is the time to find out. It’s essential to frequently audit your data and ensure everything is backed up. You’ll also want to consider who has access to this data. Old employees or those who no longer need access should have permissions provoked.
It’s important to also use the latest security measures, such as multi-factor authentication and default encryption. Always keep your employees up to speed with these measures and train them to spot potential threats that way they know how to deal with them right away.
21. Be Aware of a Provider’s Security Policies
Jeff Bittner, Founder and President of Exit technologies
Many, if not most, businesses will continue to expand in the cloud, while relying on on-premise infrastructure for a variety of reasons, ranging from a simple cost/benefit advantages to reluctance to entrust key mission-critical data or systems into the hands of third-party cloud services providers. Keeping track of what assets are where in this hybrid environment can be tricky and result in security gaps.
Responsibility for security in the cloud is shared between the service provider and the subscriber. So, the subscriber needs to be aware not only of the service provider’s security policies, but also such mundane matters as hardware refresh cycles.
Cyber attackers have become adept at finding and exploiting gaps in older operating systems and applications that may be obsolete, or which are no longer updated. Now, with the disclosure of the Spectre and Meltdown vulnerabilities, we also have to worry about threats that could exploit errors or oversights hard-coded at the chip level.
Hardware such as servers and PCs has a limited life cycle, but often businesses will continue to operate these systems after vendors begin to withdraw support and discontinue firmware and software updates needed to counter new security threats.
In addition to being aware of what their cloud provider is doing, the business must keep track of its own assets and refresh them or decommission them as needed. When computer systems are repurposed for non-critical purposes, it is too easy for them to fall outside of risk management and security oversight.
22. Encrypt Backups Before Sending to the Cloud
Mikkel Wilson, CTO at Oblivious.io
1. File metadata should be secured just as vigilantly as the data itself. Even if an attacker can’t get at the data you’ve stored in the cloud, if they can get, say, all the filenames and file sizes, you’ve leaked important information. For example, if you’re a lawyer and you reveal that you have a file called “michael_cohen_hush_money_payouts.xls” and it’s 15mb in size, this may raise questions you’d rather not answer.
2. Encrypt your backups *before* you upload them to the cloud. Backups are a high-value target for attackers. Many companies, even ones with their own data centers, will store backups in cloud environments like Amazon S3. They’ll even turn on the encryption features of S3. Unfortunately, Amazon stores the encryption keys right along with the data. It’s like locking your car and leaving the keys on the hood.
23. Know Where Your Data Resides To Reduce Cloud Threats
Vikas Aditya, Founder of QuikFynd Inc,
Be aware of where their data is stored these days so that they can proactively identify if any of the data may be at risk of a breach.
These days, data is being stored in multiple cloud locations and applications in addition to storage devices in business. Companies are adopting cloud storage services such as Google Drive, Dropbox, OneDrive, etc. and online software services for all kind of business processes. This has led to vast fragmentation of company data, and often managers have no idea where all the data may be.
For example, a confidential financial report for the company may get stored in cloud storage because devices are automatically synching with cloud or a sensitive business conversation may happen in cloud-based messaging services such as Slack. While cloud companies have all the right intentions to keep their customer data safe, they are also the prime target because hackers have better ROI in targeting such services where they can potentially get access to data for millions of subscribers.
So, what should a company do?
While they will continue to adopt cloud services and their data will end up in many, many locations, they can use some search and data organization tools that can show them what data exists in these services. Using full-text search capabilities, they can then very quickly find out if any of this information is a potential risk to the company if breached. You cannot protect something if you do not even know where it is. And more importantly, you will not even know if it is stolen. So, companies looking to protect their business data need to take steps at least to be aware of where all their information is.
24. Patch Your Systems Regularly To Avoid Cloud Vulnerabilities
Adam Stern, CEO of Infinitely Virtual
Business users are not defenseless, even in the wake of recent attacks on cloud computing like WannaCry or Petya/NotPetya.
The best antidote is patch management. It is always sound practice to keep systems and servers up to date with patches – it is the shortest path to peace of mind. Indeed, “patch management consciousness” needs to be part of an overarching mantra that security is a process, not an event — a mindset, not a matter of checking boxes and moving on. Vigilance should be everyone’s default mode.
Spam is no one’s friend; be wary of emails from unknown sources – and that means not opening them. Every small and midsize business wins by placing strategic emphasis on security protections, with technologies like clustered firewalls and intrusion detection and prevention systems (IDPS).
25. Security Processes Need Enforcement as Staff Often Fail to Realize the Risk
Murad Mordukhay, CEO of Qencode
1. Security as a Priority
Enforcing security measures can become difficult when working with deadlines or complex new features. In an attempt to drive their products forward, teams often bend the rules outlined in their own security process without realizing the risk they are putting their company into. A well thought out security process needs to be well enforced in order achieve its goal in keeping your data protected. Companies that include cloud security as a priority in their product development process drastically reduce their exposure to lost data and security threats.
2. Passwords & Encryption
Two important parts of securing your data in the cloud are passwords and encryption.
Poor password management is the most significant opportunity for bad actors to access and gain control of company data. This usually accomplished through social engineering techniques (like phishing emails) mostly due to poor employee education. Proper employee training and email monitoring processes go a long way in helping expose password information. Additionally, passwords need to be long, include numbers, letters, and symbols. Passwords should never be written down, shared in email, or posted in chat and ticket comments. An additional layer of data protection is achieved through encryption. If your data is being stored for in the cloud for long periods, it should be encrypted locally before you send it up. This makes the data practically inaccessible in the small chance it is compromised.
26. Enable Two-factor Authentication
Tim Platt, VP of IT Business Services at Virtual Operations, LLC
For the best cloud server security, we prefer to see Two Factor Authentication (also known as 2FA, multi-factor authentication, or two-step authentication) used wherever possible.
What is this? 2 Factor combines “something you know” with “something you have.” If you need to supply both a password and a unique code sent to your smartphone via text, then you have both those things. Even if someone knows your password, they still can’t get into your account. They would have to know your password and have access to your cell phone. Not impossible, but you have just dramatically made it more difficult for them to hack your account. They will look elsewhere for an easier target. As an example, iCloud and Gmail support 2FA – two services very popular with business users. I recommend everyone use it.
Why is this important for cloud security?
Because cloud services are often not protected by a firewall or other mechanism to control where the service can be accessed from. 2FA is an excellent additional layer to add to security. I should mention as well that some services, such as Salesforce, have a very efficient, easy to use implementation of 2FA that isn’t a significant burden on the user.
27. Do Not Assume Your Data in the Cloud is Backed-Up
Mike Potter, CEO & Co-Founder at Rewind
Backing up data that’s in the cloud: There’s a big misconception around how cloud-based platforms (ex. Shopify, QuickBooks Online, Mailchimp, WordPress) are backed up. Typically, cloud-based apps maintain a disaster recovery cloud backup of the entire platform. If something were to happen to their servers, they would try to recover everyone’s data to the last backup. However, as a user, you don’t have access to their backup to restore your data.
This means that you risk having to manually undo unwanted changes or permanently losing data if:
- A 3rd party app integrated into your account causes problems.
- You need to unroll a series of changes
- Your or someone on your team makes a mistake
- A disgruntled employee or contractor deletes data maliciously
Having access to a secondary backup of your cloud accounts gives you greater control and freedom over your own data. If something were to happen to the vendor’s servers, or within your individual account, being able to quickly recover your data could save you thousands of dollars in lost revenue, repair costs, and time.
28. Minimize and Verify File Permissions
Randolph Morris, Founder & CTO at Releventure
1. If you are using a cloud-based server, ensure monitoring and patching the Spectre vulnerability and its variations. Cloud servers are especially vulnerable. This vulnerability can bypass any cloud security measures put in place including encryption for data that is being processed at the time the vulnerability is being utilized as an exploit.
2. Review and tighten up file access for each service. Too often accounts with full access are used to ensure software ‘works’ because they had permission issues in the past. If possible, each service should use its own account and only have restricted permission to access what is vital and just give the minimum required permissions.
29. When Securing Files in the Cloud, Encrypt Data Locally First
Brandon Ackroyd, Founder and Mobile Security Expert at Tiger Mobiles
Most cloud storage users assume such services use their own encryption. They do, Dropbox, for example, uses an excellent encryption system for files.
The problem, however, is because you’re not the one encrypting, you don’t have the decryption key either. Dropbox holds the decryption key so anyone with that same key can decrypt your data. The decryption happens automatically when logged into the Dropbox system so anyone who accesses your account, e.g., via hacking can also get your now non-encrypted data.
The solution to this is that you encrypt your files and data, using an encryption application or software, before sending them to your chosen cloud storage service.
30. Exposed Buckets in AWS S3 are Vulnerable
Todd Bernhard, Product Marketing Manager at CloudCheckr
1. The most common and publicized data breaches in the past year or so have been due to giving the public read access to AWS S3 storage buckets. The default configuration is indeed private, but people tend to make changes and forget about it, and then put confidential data on those exposed buckets.
2. Encrypt data, both in traffic and at rest. In the data center, where end users, servers, and application servers might all be in the same building. By contrast, with the Cloud, all traffic goes over the Internet, so you need to encrypt data as it moves around in public. It’s like the difference between mailing a letter in an envelope or sending a postcard which anyone who comes into contact with it can read the contents.
31. Use the Gold-standard of Encryption
Jeff Capone, CEO of SecureCircle
There’s a false sense of privacy being felt by businesses using cloud-based services like Gmail and Dropbox to communicate and share information. Because these services are cloud-based and accessible by password, it’s automatically assumed that the communications and files being shared are secure and private. The reality is – they aren’t.
One way in which organizations can be sure to secure their data is in using new encryption methods such as end-to-end encryption for emailing and file sharing. It’s considered the “gold standard” method with no central points of attack – meaning it protects user data even when the server is breached.
These advanced encryption methods will be most useful for businesses when used in conjunction with well-aligned internal policies. For example, decentralizing access to data when possible, minimizing or eliminating accounts with privileged access, and carefully considering the risks when deciding to share data or use SaaS services.
32. Have Comprehensive Access Controls in Place
Randy Battat, Founder and CEO, PreVeil
All cloud providers have the capability of establishing access controls to your data. This is essentially a listing of those who have access to the data. Ensure that “anonymous” access is disabled and that you have provided access only to those authenticated accounts that need access.
Besides that, you should utilize encryption to ensure your data stays protected and stays away from prying eyes. There is a multitude of options available depending on your cloud provider. Balance the utility of accessing data with the need to protect it – some methods are more secure than others, like utilizing a client-side key and encryption process. Then, even if someone has access to the data (see point #1), they only have access to the encrypted version and must still have a key to decrypt it
Ensure continuous compliance to your governance policies. Once you have implemented the items above and have laid out your myriad of other security and protection standards, ensure that you remain in compliance with your policies. As many organizations have experienced with cloud data breaches, the risk is not with the cloud provider platform. It’s what their staff does with the platform. Ensure compliance by monitoring for changes, or better yet, implement tools to monitor the cloud with automated corrective actions should your environment experience configuration drift.
33. 5 Fundamentals to Keep Data Secure in the Cloud
David Gugick, VP of Product Management at CloudBerry
- Perform penetration testing to ensure any vulnerabilities are detected and corrected.
- Use a firewall to create a private network to keep unauthorized users out.
- Encrypt data using AES encryption and rotate keys to ensure data is protected both in transit and at rest.
- Logging and Monitoring to track who is doing what with data.
- Identity and Access Control to restrict access and type of access to only the users and groups who need it.
34. Ensure a Secure Multi-Tenant Environment
Anthony Dezilva, CISO at PhoenixNAP
When we think of the cloud, we think of two things. Cost savings due to efficiencies gained by using a shared infrastructure, and cloud storage security risk.
Although many published breaches are attributed to cloud-based environment misconfiguration, I would be surprised if this number was more than, the reported breaches of non-cloud based environments.
The best cloud service providers have a vested interest in creating a secure multi-tenant environment. Their aggregate spending on creating these environments are far more significant than most company’s IT budgets, let alone their security budgets. Therefore I would argue that a cloud environment configured correctly, provides a far higher level of security than anything a small to medium-sized business can create an on-prem.
Furthermore, in an environment where security talent is at a grave shortage, there is no way an organization can find, let alone afford the security talent they need. Resulting in the next best thing, create a business associate relationship with a provider that not only has a strong secure infrastructure but also provides cloud monitoring security solutions.
Cloud Computing Threats and Vulnerabilities: Need to know
- Architect solution as you would any on-prem design process;
- Take advantage of application services layering and micro-segmentation;
- Use transaction processing layers with strict ACLs that control inter-process communication. Use PKI infrastructure to authenticate, and encrypt inter-process communication.
- Utilize advanced firewall technology including WAF (Web Access Firewalls) to front-end web-based applications, to minimize the impact of vulnerabilities in underlying software;
- Leverage encryption right down to record level;
- Accept that it is only a matter of time before someone breaches your defenses, plan for it. Architect all systems to minimize the impact should it happen.
- A flat network is never okay!
- Robust change control process, with weekly patch management cycle;
- Maintain offline copies of your data, to mitigate the risk of cloud service collapse, or malicious attack that wipes your cloud environment;
- Contract with 24×7 security monitoring services that have an incident response component.