7 steps for moving safely into the cloud
The cloud has become a mainstay for many businesses thanks to its flexibility and capacity compared to traditional computing and storage methods. However, as with traditional storage and file sharing methods, specific data security issues arise from the cloud.
A pragmatic, data-centric approach can make the path to the cloud clearly actionable. Below is a 7-step framework for an effective cloud security program:
1. Securing endpoints that have access to cloud applications: Cloud applications reside outside of an organization's IT environment and therefore outside of the protection offered by many network or perimeter-based security technologies. Before organizations use cloud services, it is important to secure the devices used to access the cloud. These endpoints should be protected by security technologies such as data loss prevention (DLP) with controls for data exfiltration, end-to-end encryption and secure access. This prevents the unauthorized upload of sensitive data to the cloud and ensures that data is encrypted prior to upload. Data should remain encrypted in the cloud and only be decrypted once it reaches an authorized user's device. Once data enters the cloud, it is no longer under the direct control of the organization. Therefore, encrypting sensitive data and preventing certain types of data from being uploaded is fundamental to protecting mission-critical information from cybercriminals.
2. Monitoring access to cloud data and services: Transparency of data access and usage is also critical to effective data security in the cloud. In addition to securing the endpoints used to access cloud data, organizations must ensure they have visibility into who is accessing the cloud and what data is being uploaded or downloaded there. This visibility increases the effectiveness of endpoint security controls and enables the security team to quickly identify and respond to risky or suspicious behavior related to cloud data.
3. Use of cloud APIs to expand data security: If an organization allows the use of cloud-based email services or storage services such as Box or Dropbox, it should leverage the providers' APIs to extend existing data security measures to these platforms. This can optimize visibility into cloud data access and enable greater control through encryption or access management over data in the cloud. Many network security devices offer cloud integrations via APIs. Enterprises should therefore ask their provider which cloud platforms they are integrated with and take advantage of these features where available.
4. Securing the cloud applications: In addition to endpoints and networks, cloud security also depends on the security of the applications running in the cloud. Far too often, security takes a back seat during cloud application development, especially for cloud apps created by individual developers or small teams.
Enterprises should therefore test their cloud applications for commonly exploited security vulnerabilities and ask third-party cloud application vendors to share the results of application security testing (such as static or dynamic analysis or penetration testing) with them. Any vulnerabilities discovered during application testing should be patched securely before the apps are used.
5. Implementation of guidelines and controls for BYODs: If organizations want to allow access to cloud data via employee-owned mobile devices (laptops, smartphones or tablets), it is imperative that they first create a BYOD (bring your own device) policy and implement controls to enforce proper data access by BYOD users. Organizations should consider using two-factor authentication, end-to-end encryption and mobile device management (MDM) software to secure BYOD use in the cloud. Two-factor authentication helps prevent unauthorized access, while encryption ensures that sensitive cloud data accessed by BYOD users is visible only to authorized individuals. Mobile device management software is a good last line of defense if a device is lost or stolen, as MDM allows IT departments to restrict access to BYODs or remotely wipe the data on the device if needed.
6. Regular backups of the cloud data: As cloud providers and applications are increasingly targeted by cyber-attacks, organizations must prepare for the worst-case scenario: the permanent loss of cloud-based data. Although this does not protect against consequences such as financial loss or legal penalties, performing regular backups at least ensures that any critical data lost in a cloud data breach, ransomware attack or destructive malware infection can be recovered.
7. Security training of employees: Regardless of how secure endpoints, applications and network connections are, their security also depends on the employees who use them. Social engineering tactics such as spear phishing remain among the most common, easiest and most successful methods used by cybercriminals. Regular training is critical to ensure employees can effectively recognize social engineering attacks and build safe web habits. Organizations should therefore regularly conduct simulated social engineering attacks to test their employees' ability to identify and remediate vulnerabilities.
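The visibility called for in steps 1, 2 and 5, as an added example that is not part of the original article: a review of constructed audit events that flags access from unmanaged devices, unencrypted uploads of sensitive data and unusually large downloads. The event fields, device inventory, classification labels and download limit are assumptions, not any cloud provider's log format.

```python
import json
from collections import defaultdict

# Constructed sample audit events (JSON lines); field names are assumptions,
# not the export format of any particular cloud provider.
SAMPLE_LOG = """\
{"user": "alice", "device": "LT-0041", "action": "download", "bytes": 1200000, "label": "public", "encrypted": true}
{"user": "bob", "device": "LT-0077", "action": "upload", "bytes": 52000, "label": "confidential", "encrypted": false}
{"user": "carol", "device": "PHONE-X9", "action": "download", "bytes": 300000, "label": "internal", "encrypted": true}
{"user": "alice", "device": "LT-0041", "action": "download", "bytes": 950000000, "label": "confidential", "encrypted": true}
{"user": "bob", "device": "LT-0077", "action": "upload", "bytes": 8000, "label": "confidential", "encrypted": true}
"""
MANAGED_DEVICES = {"LT-0041", "LT-0077"}      # assumed endpoint inventory
DOWNLOAD_LIMIT_BYTES = 500_000_000            # assumed per-user limit per log window
SENSITIVE_LABELS = {"confidential"}           # assumed classification labels


def review_events(log_text):
    """Return a sorted list of (user, finding) tuples for risky cloud activity."""
    findings = set()
    downloaded = defaultdict(int)
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            findings.add(("<unparsed>", "malformed audit record"))
            continue
        user = ev.get("user", "<unknown>")
        if ev.get("device") not in MANAGED_DEVICES:
            findings.add((user, "access from unmanaged device"))
        if ev.get("action") == "download":
            downloaded[user] += int(ev.get("bytes", 0))
        elif ev.get("action") == "upload":
            if ev.get("label") in SENSITIVE_LABELS and not ev.get("encrypted", False):
                findings.add((user, "unencrypted upload of sensitive data"))
    for user, total in downloaded.items():
        if total > DOWNLOAD_LIMIT_BYTES:
            findings.add((user, "download volume above limit"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in review_events(SAMPLE_LOG):
        print(f"{user}: {finding}")
```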
Thanks to the numerous benefits, cloud migration will continue to increase in the future - but so will security threats. However, by taking the above security steps, consisting of data-centric technologies and security best practices, enterprises can effectively protect their data in the cloud from attackers.
Author: Christoph M. Kumpa, Director DACH & EE at Digital Guardian