In the not-so-distant past, IT security was based on perimeter protections surrounding racks of on-premises servers. There was a clear distinction between inside versus outside, and it was theoretically possible to admit only authorized users and connections.
Today, the internet, smart devices and cloud services are changing the way we do business and offer undeniable agility to make our work and personal lives more productive and easier.
It is, however, this very ease-of-use that makes the cloud, in particular, riskier than on-premises solutions. Cloud services have broken down the notion of a network perimeter and continue to do so as their roles grow in mainstream IT environments.
Businesses must be aware that they are, after all, turning their data over to an outside party and ought to proceed with caution to be certain they are considering cloud security during selection and implementation of these tools.
Secure Cloud Selection Considerations
If your organization is shifting to cloud services, here are some areas to consider as they relate to secure cloud adoption when making your selection:
Data Security: Clarifying how the cloud vendor handles data is the most obvious factor in ensuring cloud security. Find out what, if any, data is collected by the cloud provider. Be diligent in getting answers to questions such as how your data will move from your users’ computers to the cloud, how it will be stored and whether it will be encrypted. If it can be encrypted, be sure to find out who can decrypt the data.
Customer Support: Success in using cloud technology securely ties directly to the quality of customer support offered by the vendor. Find out how easy it is to get help or have your questions answered. Ask if there is an email address or online chat you can use to reach out. Look to see if there are public forums that provide additional help or where you can post questions, and take note of how active they are. Check for an FAQ link on their website. The more reliable resources you have, the better the chance you can set up your services securely.
Ease-of-Use: If the service is difficult to use, the chance of employees making mistakes and accidentally exposing or losing information increases. Select a cloud provider whose user interface is easy to understand regarding set up and use to avert accidental risk of exposure.
Terms of Service: Take the time to read the Terms of Service. They will also explain your cloud provider’s security responsibilities versus what you are responsible for handling. Confirm who can access your company’s data and educate yourself on your legal rights.
Understanding the pros and cons of the above will help you to choose a cloud service that will support your security posture.
How to Secure your Data in the Cloud
Once you’ve adopted the technology, the next step is ensuring your workforce is using the cloud service properly. There are important steps to take to secure data in the cloud:
Authentication: Be certain your users employ strong and unique passphrases to authenticate to their cloud accounts. If two-step verification is offered by your cloud provider, we strongly recommend you require your users to use it. This is one of the most important steps you can take to protect your account.
File/Folder Sharing: Examine the tool’s method for file sharing. Users may think they are sharing company files with a specific individual but may inadvertently make these files (or even entire folders) publicly available for anyone on the web to access. A smart practice in protecting data and files is to not share anything with anyone by default. Only allow specific people (or groups) access to specific files/folders with restrictions. Educate staff on protocol and how to allow access on a need-to-know basis and remove it when it is no longer needed. Your cloud provider should make tracking who has access to your files and folders readily available.
Using Links for Sharing Files/Folders: A common cloud service feature is the ability to create web links that point to files and folders. Sharing files by link offers little security. Consider this scenario: an employee shares a file via a web link with a trusted individual, and this person shares the link with another. Be sure users disable links once they are no longer needed and, if possible, protect the link with a password or set an expiration date.
Know the Settings: You should read and understand your cloud provider’s security settings. Find out if other individuals can share files/data without user knowledge. Research if there is visibility into who has viewed shared content and when it was viewed. Set file sharing to “read-only” access versus giving full read and write permissions.
Antivirus: Keep the antivirus software on all endpoints, including those of remote workers, up to date with the latest version and scan regularly. Include traditional antivirus as well as advanced capabilities such as anti-ransomware, analysis of fileless malware, malicious processes and anomalous activities, and remote response tools.
Monitor Remote Workforce’s Usage: Depending on how access is controlled, your remote workers may not need to be on the corporate network at all to gain access to your cloud environments. Data flowing between endpoints and the cloud should be centrally monitored. Doing this by inspecting your private network’s egress firewall logs is insufficient. Instead, accomplish central monitoring through API-driven integration between your cloud services providers and your centralized Security Information and Event Management (SIEM) platform.
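The checks from the file-sharing, link-sharing and settings items above, applied to a sharing export. This is an added example, not part of the original article; the record fields and audience values are hypothetical rather than any provider's real schema, and the sample records are constructed.

```python
from datetime import datetime, timezone

# Constructed sample of a sharing export; field names are hypothetical,
# not any real provider's schema.
SHARES = [
    {"path": "/finance/q3.xlsx", "audience": "anyone_with_link",
     "permission": "write", "password": False, "expires": None},
    {"path": "/hr/handbook.pdf", "audience": "anyone_with_link",
     "permission": "read", "password": True,
     "expires": "2020-01-31T00:00:00+00:00"},
    {"path": "/eng/design.docx", "audience": "named_users",
     "permission": "read", "password": False, "expires": None},
    {"path": "/sales/", "audience": "public",
     "permission": "read", "password": False, "expires": None},
]


def audit_share(share, now):
    """Return the list of policy findings for one sharing record."""
    findings = []
    audience = share["audience"]
    if audience == "public":
        findings.append("public: restrict to named people or groups")
    if audience in ("public", "anyone_with_link"):
        # Anyone holding the URL gets in, so the link itself needs limits.
        if not share["password"]:
            findings.append("link has no password")
        if share["expires"] is None:
            findings.append("link has no expiration date")
        elif datetime.fromisoformat(share["expires"]) <= now:
            findings.append("link is past its expiration date: disable it")
    if share["permission"] != "read":
        findings.append("grants write access: use read-only unless required")
    return findings


def audit(shares, now=None):
    """Map each path that has at least one finding to its findings."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for share in shares:
        findings = audit_share(share, now)
        if findings:
            report[share["path"]] = findings
    return report


if __name__ == "__main__":
    for path, findings in audit(SHARES).items():
        print(path, *findings, sep="\n  - ")
```

Run on a schedule against the provider's real sharing report, the same checks give the tracking of who has access that the items above ask for.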
Data Governance in the Cloud
Many companies rely on having control of their physical facilities to frame the critical security and compliance strategies that form the foundation of internal governance. But data governance methods that worked for traditional on-premises systems simply won’t work for the cloud.
As organizations move data to the public cloud, enterprise control decreases, and more responsibility falls on the shoulders of the cloud providers. Therefore, to ensure cloud security during selection and implementation, organizations must shape their governance strategies to rely less on internal security and control, and more on their cloud providers’ offerings.
It’s critical to know if your governance practices, policies and procedures translate strongly to cloud adoption or if they fall short of regulations. Common issues faced when planning for a cloud migration include the following:
- Identifying security controls that must be in place post cloud migration
- Ensuring that the cloud provider has and can supply the necessary paperwork to prove security and compliance certifications
- Creating and/or modifying existing security policies and procedures to account for the cloud services
- Access control
- Data destruction/reclamation clauses