How to Secure Your Business in the Cloud — Best Practices
Cloud computing has been one of the key focuses for business innovation in recent times, with a study from LogicMonitor predicting that 83% of enterprise workloads will be in the cloud by 2020. The same study notes that digitally transforming enterprises is the main cause of increased cloud adoption today, while AI and ML are predicted to be the main cause for cloud integration by the end of next year.
This comes as no surprise given the benefits that cloud integration can offer businesses and their customers – including increased flexibility, limitless scalability, reduced costs in IT equipment/management and better efficiency in collaboration.
Despite the cloud’s increase in business adoption and its utility in cloud services and storage, 66% of IT professionals say that security is their greatest concern in adopting enterprise cloud computing platforms. Among these concerns are the threat of malicious wrongdoers from within the business structure, hijacked accounts and full-scale data breaches.
Clearly, despite its benefits, large enterprises and SMEs alike are hesitant to make their move with cloud integration without performing comprehensive due diligence with security experts and pen testers. This hesitation is not misplaced, since cloud integration comes with its own unique set of security challenges and considerations.
With cloud services, data is stored by a third-party provider and accessed over the internet. This removes the need for a business to own IT hardware in order to effectively digitize its processes and services, but it also removes some of that business’s control over stored data.
Enterprise cloud computing platforms themselves will state that security is a shared responsibility. In short, the cloud platform will ensure the security of the cloud itself, while the business must ensure security on its end by protecting its data and credentials from security threats, and controlling access to that data.
SaaS Cloud Security
This shared responsibility model forces organizations that operate on the SaaS model to focus primarily on data and access when looking to perform an audit of their application security.
Common security issues and threats within SaaS models:
- Compromising on compliance and certifications like PCI DSS
- The inability of your cloud provider to conform to SOC 2 or SOC 3, COBIT and HITRUST – standards that require providers to design and manage their services with the highest level of data security
- Lack of visibility or complete control and access to sensitive data
- Theft of data or inability to prevent illegal access or misuse of data
- Sophisticated attacks against your cloud provider
- Lack of internal expertise to manage security processes and reviews
Dedicated cloud providers should bear the responsibility of securing SaaS applications with infrastructure services that aid in data security, data segregation and network security, but your organization’s cloud security protocols need to be established and adhered to – in line with the best practices recommended by the cloud vendor.
It should be noted that public cloud vendors are on the radars of hackers and wrongdoers. This constant threat means that public cloud vendors cannot realistically guarantee 100% security. It is therefore recommended to keep extremely sensitive data off the cloud where possible and to scrutinize your provider’s security programs, supported by a third-party audit.
IaaS Cloud Security
Protection of data in IaaS models is critical since the responsibilities scale to include virtualization, applications and traffic – and with each come new threats to the security of your organization and your customers.
Common security issues and threats within IaaS models:
- Misconfigurations and failure to adhere to security best practices
- No consistent security protocols or monitoring across multi-cloud environments
- Failure to detect and mitigate vulnerabilities in workloads
- Shadow-IT – ghost virtual servers or workloads, orphan storage or nefarious workloads (e.g. using cloud computing to launch denial of service attacks or to crack passwords)
- Lateral spread of attacks among cloud workloads
- Inability to prevent unauthorized access to sensitive data
Comprehensive logging and reporting must be in place in order to keep track of where data is, and who has access to it. VM images and templates must be kept clean with restricted access, preferably offline with access to security updates. All disk data must be encrypted (not just user data) to prevent offline attacks.
IaaS brings new security challenges, and those outsourcing such services must seek out a competent provider with appropriate security measures to limit access to data, prevent theft and monitor for abnormal activity. Providers must secure and harden images and track resource modifications so that a system compromise does not become a vector for hackers to do a lot more damage than only stealing sensitive data.
Security in Private Cloud Environments
With all of the considerations to be made with using public cloud vendors, a growing number of organizations are relying on private cloud solutions where higher levels of configuration are possible. This is usually to secure sensitive data in those use cases where higher levels of security are worth the trade-off when compared with the lower cost, fully-featured cloud solutions offered by public vendors.
Common security issues and threats within private cloud implementations:
- Sophisticated attacks targeting these environments
- No access to industry standard security controls common in traditional server infrastructures
- Increasing complexity in infrastructure requires further investment of time to implement and maintain the private cloud environment
- Lack of internal expertise to manage security processes and reviews
- Incomplete visibility over security protocols and network traffic, or no access to analytics tools showing the otherwise unseen 80% of east-west traffic (between VMs) that makes up a typical virtualized data center
While private cloud environments are unrivaled for allowing complete control and advanced options for the protection of data, they can often create a complex structure that is difficult and costly to maintain. This can be reduced through abstraction of controls, essentially unifying private or public clouds across physical, virtual and mobile environments.
Cloud Security Best Practices
1. Understand your shared responsibility model – In a private data center, the organization is entirely responsible for all aspects of security. In a public cloud however, the lines can get a bit blurry. Leading IaaS and PaaS vendors like AWS and Azure have documentation to explain exactly who is responsible for each aspect – so be sure to study and understand these.
2. Secure access and encrypt everything – Always encrypt any data in the server before sending it to the cloud to prevent hackers who succeed in getting past your firewall from reading, editing or deleting any server-side data. 2FA should be used to make it harder for hackers to gain access. Limit permissions to prevent data mismanagement and secure all endpoints, including mobile devices.
3. Work with the best cloud vendor – It is important to do your research when selecting between cloud vendors. As mentioned, HITRUST and COBIT are compliance certifications to keep an eye out for, but all additional precautions a vendor takes to secure your organization’s data should play a part in your decision.
4. Protect your data – It cannot be stressed enough; do not store very sensitive data on the cloud! It is also worth noting that while your data is on the cloud, it is prone to being damaged or deleted and so it is vitally important to make backups regularly. Those backups must be secured using replication or erasure coding.
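As an added illustration of practice 2 (not code from the original article), the Node.js sketch below encrypts data on the server before upload with AES-256-GCM, so the stored copy is unreadable without the key and any modification is detected on download. The blob layout, function names, object names and sample record are assumptions made for this example.

```javascript
// Added example: client-side AES-256-GCM encryption before upload (Node.js stdlib only).
const crypto = require('node:crypto');

const NONCE_LEN = 12; // 96-bit nonce, the recommended size for GCM
const TAG_LEN = 16;   // 128-bit authentication tag

// Encrypt `plaintext` (Buffer) for storage under `objectName`.
// The object name is bound as additional authenticated data (AAD), so a
// ciphertext copied to a different object name fails to decrypt.
function sealForUpload(key, objectName, plaintext) {
  const nonce = crypto.randomBytes(NONCE_LEN); // fresh per object, never reused with a key
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(objectName, 'utf8'));
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  // Blob layout (an assumption of this example): nonce || tag || ciphertext
  return Buffer.concat([nonce, cipher.getAuthTag(), body]);
}

// Decrypt a downloaded blob. Returns the plaintext Buffer, or null if the
// blob was modified, truncated, moved to another object name, or the key is wrong.
function openAfterDownload(key, objectName, blob) {
  if (blob.length < NONCE_LEN + TAG_LEN) return null;
  const nonce = blob.subarray(0, NONCE_LEN);
  const tag = blob.subarray(NONCE_LEN, NONCE_LEN + TAG_LEN);
  const body = blob.subarray(NONCE_LEN + TAG_LEN);
  try {
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, nonce);
    decipher.setAAD(Buffer.from(objectName, 'utf8'));
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(body), decipher.final()]);
  } catch (err) {
    return null; // authentication failed: discard any partial output
  }
}

// Constructed sample data. The key is generated inline here; this example
// assumes a real deployment keeps it in a key store the storage provider cannot read.
const key = crypto.randomBytes(32);
const record = Buffer.from('customer_id=1001;card_last4=4242', 'utf8');
const blob = sealForUpload(key, 'backups/2024/customers.db', record);

const tampered = Buffer.from(blob);
tampered[tampered.length - 1] ^= 0x01; // simulate one flipped bit in storage

console.log(openAfterDownload(key, 'backups/2024/customers.db', blob).toString());
console.log(openAfterDownload(key, 'backups/2024/customers.db', tampered)); // null
console.log(openAfterDownload(key, 'backups/2024/other.db', blob));         // null
```

Only the sealed blob is sent to the provider; the key stays on the business's side of the shared responsibility boundary.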
Without a doubt, cloud computing has given businesses unprecedented access to computational power and storage in a way that is flexible and scalable – but security remains a top concern. Cloud providers may not be as responsible for the security of data as you think, and it is important to take steps to establish security protocols that work for your business.