Securing the data in your public, private or hybrid cloud environment is important.
While your CSP will handle the security of their data centers, server hardware and virtual machines, as well as offer an array of security services and tools, there are security measures that your IT team is responsible for as well.
If your system administrator hasn’t implemented the security measures required to keep your data safe, you may be vulnerable. And, regardless of the data in your cloud environment, if your network, users and applications aren’t secure, your business isn’t secure.
According to Varun Badhwar, CEO and co-founder of RedLock, a cloud security company,
“The problem is not that the cloud is insecure, but ultimately customers are responsible for securely configuring their networks, applications and data.”
It’s important to regularly assess the security of your cloud environment, as well as that of your partners, suppliers and vendors. Here are seven ways you can make sure your cloud, and the data in it, is secure:
#1 Understand Your Responsibility
As mentioned above, part of the responsibility for securing your data in the cloud falls on your CSP; however, the rest of that responsibility falls on you and your IT team. Depending on the cloud provider and services you use, your security needs will vary.
Software as a Service (SaaS) providers typically ensure the security of their applications and of the data being transmitted. For cloud storage and computing, some CSPs will manage the operating system configuration and applications, while others will leave that responsibility to the organization. To ensure your security, discuss security with your CSP so that you understand what they do and what should be handled by your team.
#2 Know and Train Your Users
Data breaches don’t always come from outside the organization; often sensitive data or access keys are exposed because of human error. People are fallible and susceptible to social engineering, phishing, malware and other threats.
Train your IT staff to double-check settings and security logs; assuming something has been done when it hasn’t can mean the difference between security and a breach. Providing the right training and being able to trust the people responsible for your data can put your mind at ease that your data is safe.
#3 Control Access
The Verizon data breach occurred because the settings on an Amazon S3 bucket allowed external access. Unfortunately, this is a common mistake.
Other common mistakes include leaving databases in the public cloud open to the Internet, when only load balancers and bastion hosts should be exposed to the Internet; mistakenly enabling global permissions on servers, leaving them open to connections from every machine; and leaving SSH open to the Internet, which means that anyone who can figure out the server location could bypass the firewall and attempt to get in.
In addition to these common issues, it’s important to know who has access to what data and when. Many CSPs offer identity and access control tools that you can use to secure your data. Follow best practices when setting up access control policies, grant the minimum necessary privileges needed and keep the production environment separate from the development and staging environments.
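The misconfigurations listed in this section can be checked mechanically. The following is an added example, not code from the original article: it audits a constructed set of firewall rules (shaped loosely like AWS security-group ingress rules) and a constructed object-storage bucket policy for Internet-exposed SSH, database ports, all-ports rules, and anonymous-principal grants; every group name, role, CIDR and ARN is constructed.

```python
# Added example (not from the article): audit constructed firewall rules and a
# bucket policy for the exposure mistakes listed above. Shapes loosely follow
# AWS security groups / S3 policies; every name and value is constructed.
ANYWHERE = {"0.0.0.0/0", "::/0"}
SSH_PORT = 22
DB_PORTS = {1433, 3306, 5432, 6379, 27017}
WEB_PORTS = {80, 443}  # acceptable from the Internet on load balancers only

def audit_ingress(groups):
    """Return findings for rules reachable from the whole Internet."""
    findings = []
    for g in groups:
        for r in g["ingress"]:
            if not any(c in ANYWHERE for c in r["cidrs"]):
                continue  # source-restricted rule: fine
            lo, hi = r["from_port"], r["to_port"]
            if (lo, hi) == (0, 65535):
                findings.append(f"{g['name']}: all ports open to the Internet")
            elif lo <= SSH_PORT <= hi:
                findings.append(f"{g['name']}: SSH open to the Internet")
            elif any(lo <= p <= hi for p in DB_PORTS):
                findings.append(f"{g['name']}: database port {lo}-{hi} open to the Internet")
            elif g["role"] != "load-balancer" or lo != hi or lo not in WEB_PORTS:
                findings.append(f"{g['name']}: port {lo}-{hi} public on a {g['role']}")
    return findings

def audit_bucket_policy(policy):
    """Return findings for statements that allow an anonymous principal."""
    return [f"{s.get('Sid', '?')}: {s['Action']} granted to everyone"
            for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow" and s.get("Principal") in ("*", {"AWS": "*"})]

GROUPS = [  # constructed sample
    {"name": "web-lb", "role": "load-balancer",
     "ingress": [{"from_port": 443, "to_port": 443, "cidrs": ["0.0.0.0/0"]}]},
    {"name": "app", "role": "application",
     "ingress": [{"from_port": 0, "to_port": 65535, "cidrs": ["0.0.0.0/0"]}]},
    {"name": "db", "role": "database",
     "ingress": [{"from_port": 5432, "to_port": 5432, "cidrs": ["0.0.0.0/0"]}]},
    {"name": "bastion", "role": "bastion",
     "ingress": [{"from_port": 22, "to_port": 22, "cidrs": ["0.0.0.0/0"]},
                 {"from_port": 22, "to_port": 22, "cidrs": ["203.0.113.0/24"]}]},
]
POLICY = {"Statement": [  # constructed sample
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "AppWrite", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
]}
print(*audit_ingress(GROUPS), *audit_bucket_policy(POLICY), sep="\n")
```

The bastion's second rule, restricted to a known address range, is the shape the first one should take.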
#4 Secure Your Credentials
It’s unfortunately common for access keys to be exposed on websites, source code repositories, dashboards or other forums. Treat your access keys and credentials with the utmost care and train your users to avoid accidentally exposing them.
Other best practices around access keys and credentials are to create unique keys for each external service, to follow rule number 3 and restrict access, and to rotate keys regularly; keys that are never rotated remain vulnerable to attack. Related to this issue, follow best practices around the root user account: don’t use it for administrative tasks; instead, create a new user with the necessary privileges.
Lock the root account using multi-factor authentication and use it only for specific tasks. Also, review user accounts and disable or remove any that aren’t being used.
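The rules in this section can be turned into a routine check. The following is an added example, not code from the original article: it audits a constructed user and access-key inventory for root-account hygiene, missing MFA, overdue key rotation, keys shared across external services, and unused accounts. The record shape, user names, key IDs, the 90-day thresholds and the reference date are all assumptions.

```python
# Added example (not from the article): audit a constructed user/key inventory
# against the rules in #4: root hygiene, MFA, rotation, one key per service and
# removal of unused accounts. Record shape, names and values are all constructed.
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90   # assumed rotation policy
MAX_IDLE_DAYS = 90      # assumed threshold for disabling unused accounts

def audit_credentials(users, now):
    """Return a list of finding strings; `now` is a tz-aware datetime."""
    findings = []
    for u in users:
        name = u["user"]
        if name == "root":
            # The root account is for specific tasks only: MFA on, no API keys.
            if u["keys"]:
                findings.append("root: has access keys; remove them and use an admin user")
            if not u["mfa"]:
                findings.append("root: MFA not enabled")
            continue
        if u["console"] and not u["mfa"]:
            findings.append(f"{name}: console access without MFA")
        last = u["last_used"]
        if last is None or (now - last).days > MAX_IDLE_DAYS:
            findings.append(f"{name}: not used in {MAX_IDLE_DAYS} days; disable or remove")
        for k in u["keys"]:
            age = (now - k["created"]).days
            if age > MAX_KEY_AGE_DAYS:
                findings.append(f"{name}: key {k['id']} is {age} days old; rotate")
            if len(k["services"]) > 1:
                findings.append(f"{name}: key {k['id']} shared by {', '.join(k['services'])}; "
                                "issue one key per service")
    return findings

NOW = datetime(2018, 1, 15, tzinfo=timezone.utc)   # constructed reference time
def days_ago(n):
    return NOW - timedelta(days=n)
USERS = [  # constructed sample inventory
    {"user": "root", "mfa": False, "console": True, "last_used": days_ago(2),
     "keys": [{"id": "key-root-1", "created": days_ago(400), "services": ["admin-scripts"]}]},
    {"user": "alice", "mfa": True, "console": True, "last_used": days_ago(1),
     "keys": [{"id": "key-alice-1", "created": days_ago(30), "services": ["ci"]}]},
    {"user": "deploy", "mfa": False, "console": False, "last_used": days_ago(3),
     "keys": [{"id": "key-deploy-1", "created": days_ago(200), "services": ["ci", "backup-vendor"]}]},
    {"user": "bob", "mfa": False, "console": True, "last_used": days_ago(120), "keys": []},
]
print("\n".join(audit_credentials(USERS, NOW)))
```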
#5 Protect Your Data
Encrypt your data in the cloud. Given how common the mistakes described in numbers three and four are, encrypting data stored in the cloud will protect it from a potential breach. When you encrypt your data, even if an attacker manages to get hold of it, it’s unusable.
When possible, also maintain control of the encryption keys. Even when you need to share the encryption keys with your CSP, the responsibility for managing them and the data they protect falls on your organization. If your CSP offers encryption services, consider implementing them.
#6 Use Logging and Monitoring
Security logging and monitoring have been a mainstay of IT security, and they should be leveraged in cloud environments as well. Many CSPs offer logging and monitoring tools; if you implement them you’ll be able to see unauthorized access attempts and API calls, often including the identity of the API caller, the time of the call, the caller’s source IP address and the request parameters.
Using the logging services offered by your CSP and monitoring those logs will help you identify areas that are under attack and may be vulnerable, allowing you to be proactive in further securing your data.
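One way to turn such logs into an alert, as an added example that is not code from the original article: it scans constructed audit-log events, shaped loosely like AWS CloudTrail records with the fields named above (caller identity, time, source IP, event name, error code, request parameters), and reports any caller/IP pair whose denied API calls cluster within a short window. The events, identities, addresses, threshold and window are all constructed assumptions.

```python
# Added example (not from the article): scan constructed audit-log events, shaped
# loosely like AWS CloudTrail records (eventTime, userIdentity, sourceIPAddress,
# eventName, errorCode, requestParameters), for clusters of denied API calls.
# Every event, identity and address below is constructed sample data.
import json
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 3                   # this many denied calls from one caller/IP pair ...
WINDOW = timedelta(minutes=10)  # ... within this window raise an alert (assumed values)

EVENTS = """
{"eventTime": "2018-01-15T10:00:05Z", "eventName": "ListBuckets", "errorCode": "AccessDenied", "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/deploy"}, "requestParameters": null}
{"eventTime": "2018-01-15T10:00:30Z", "eventName": "PutObject", "sourceIPAddress": "203.0.113.5", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}, "requestParameters": {"bucketName": "app-assets", "key": "logo.png"}}
{"eventTime": "2018-01-15T10:01:10Z", "eventName": "GetObject", "errorCode": "AccessDenied", "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/deploy"}, "requestParameters": {"bucketName": "finance-backups", "key": "2018-01.tar.gz"}}
{"eventTime": "2018-01-15T10:02:30Z", "eventName": "DescribeInstances", "errorCode": "UnauthorizedOperation", "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/deploy"}, "requestParameters": null}
{"eventTime": "2018-01-15T10:05:00Z", "eventName": "GetObject", "errorCode": "AccessDenied", "sourceIPAddress": "203.0.113.5", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}, "requestParameters": {"bucketName": "finance-backups", "key": "2018-01.tar.gz"}}
{"eventTime": "2018-01-15T10:30:00Z", "eventName": "ListBuckets", "errorCode": "AccessDenied", "sourceIPAddress": "192.0.2.9", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/deploy"}, "requestParameters": null}
"""

def parse(text):
    """Yield one event dict per non-empty JSON line, with eventTime as a datetime."""
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["eventTime"] = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            yield e

def detect_denied_bursts(events, threshold=THRESHOLD, window=WINDOW):
    """Map (caller ARN, source IP) -> [(eventName, requestParameters), ...] for the
    first run of `threshold` denied calls that fits inside `window`."""
    denied = defaultdict(list)
    for e in events:
        if e.get("errorCode") in ("AccessDenied", "UnauthorizedOperation"):
            denied[(e["userIdentity"]["arn"], e["sourceIPAddress"])].append(e)
    alerts = {}
    for key, evs in denied.items():
        evs.sort(key=lambda e: e["eventTime"])
        start = 0
        for end in range(len(evs)):  # sliding window over the sorted timestamps
            while evs[end]["eventTime"] - evs[start]["eventTime"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[key] = [(ev["eventName"], ev["requestParameters"]) for ev in evs[start:end + 1]]
                break
    return alerts

for (arn, ip), calls in detect_denied_bursts(parse(EVENTS)).items():
    print(f"ALERT {arn} from {ip}: {len(calls)} denied calls, e.g. {calls[0][0]} {calls[0][1]}")
```

Keying on the caller/IP pair separates the deploy user's burst from 198.51.100.7 from its single denied call from 192.0.2.9 half an hour later, which is what you want when deciding whether a credential has been exposed.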
#7 Follow Best Practices
When securing your data in the cloud, consider following best practices such as defense-in-depth and multi-factor authentication. Defense-in-depth is the coordinated use of security measures based on the military principle that it’s more difficult for an enemy to defeat a complex, multi-layered defense system than a single barrier.
When used to secure your cloud environment, it ensures that if one control fails, there are other security measures in place to keep data, applications and the network safe. Multi-factor authentication adds a layer of protection to username and password credentials. Use it to restrict access to privileged accounts (such as the root account), management consoles and dashboards to make it harder for attackers to access them.
By using these security measures and best practices you can do your part to make sure your data is secure.
Remember to regularly assess the security of your cloud environment and train your staff to maintain the integrity of your security architecture. By following the rules outlined above, you can be sure that your cloud environment, applications and data are protected.