The use of cloud services is still on an upward trajectory; in the UK in fact, cloud is the preferred option when organizations procure new IT services. Organizations are migrating to the cloud to enhance the security, reliability and efficiency of their IT infrastructure while relieving the burden on staff – something that is particularly valuable when considering the current skills shortage in the industry.
One of the biggest advantages of leveraging the cloud is the security benefits it offers. For example, companies implementing a hybrid cloud approach can use cost-effective public cloud environments while also storing their sensitive data in a secure private cloud environment.
However, organizations must be careful to delineate where cloud service providers’ security responsibilities end and where their own begin, while the expansive nature of cloud infrastructure increases a business’s potential attack surface.
In fact, there’s a security checklist every company leveraging cloud infrastructure needs to adhere to in order to ensure their security – both digital and physical – is up to scratch.
1 Encryption
Encryption – which involves converting data into an unreadable format before it is either transferred or stored in the cloud – is one of the most effective measures for securing data. This way, even if bad actors manage to successfully access the data, it remains unintelligible. This simultaneously makes it a far less attractive target for cyber attacks.
Most crucially, vulnerable ‘in flight’ data should be encrypted, particularly if organizations are leveraging a hybrid cloud solution where data is regularly being transferred between applications and environments.
2 Data sovereignty
Data is subject to the laws and regulations of the country or region in which it’s stored. This is why US fertility app Proov has decided to migrate its workloads to a data center in Nevada – to take advantage of storing data in a state which is unlikely to pass restrictive abortion laws. However, there can be direct conflicts between these rules.
In the US, there are laws that require cloud service providers to hand over data to authorities if asked. This means that EU and UK-based organizations which use largescale public cloud providers with US data centers could have their data be subject to these laws – even if their own data is stored in a data center outside of the US.
In the EU, meanwhile, GDPR says that data stored in the region can only be accessed by law enforcement based on requests that arise under EU law.
To avoid the tensions between geographical definitions of data sovereignty, companies can turn to sovereign cloud solutions – only working with local cloud providers or building on-premise cloud storage.
3 Identity and access management
There are many reasons for cloud data breaches, but poor password hygiene is one of the top causes. On a basic level, organizations need to ensure employees are using complex, unique passwords and enable multifactor authentication.
Organizations can then enhance cloud security by using an end-to-end identity and access management solution which take responsibility for password management away from employees all together.
Moreover, not all employees need the same access privileges; restricting who has high-level access to cloud applications and systems will also help in managing security from an access point of view.
4 Consistently patching
Any gap in security represents an open door to cybercriminals. It’s crucial to close that window of opportunity before bad actors have a chance to exploit it. This means making software updates and implementing patches as soon as they become available.
As mentioned, when working with a public cloud provider, it can be tricky to know who is responsible for this process. It’s important to make sure both parties are clear on this so that patches are made immediately, and no cracks are left for bad actors to slip through.
5 Backing up cloud data
With all this in mind, back-ups are the final component of any comprehensive cloud security checklist. A last resort tactic, backing up cloud data can nevertheless help ensure services are continued and business is disrupted as little as possible in the event of a successful cyber attack.
A good back-up strategy should involve having both ‘live’ and ‘cold’ back-ups, so that updates can be made automatically if possible, before an offline back-up unconnected to live systems is resorted to in the event the live back-up is also compromised.
Overcoming the challenge
Maintaining cloud security is a challenge, and bad actors are constantly evolving their tactics, techniques and technologies in order to exploit any gaps or vulnerabilities and steal sensitive data. And they’re not fussy when it comes to approach – for example, they can work to gain entry to a data center and physically feed in ransomware to servers. Securing data physically is just as important as securing it digitally.
This is especially something to consider for those organizations with on-premise facilities, who might not be able to accommodate the same level of security as perhaps a tier 4 data center might operate.
Either way, organizations need to make sure they have all the right security measures in place themselves or that they’ve selected the right cloud service providers who can work with them to ensure that both digital and physical security of their cloud data is robust.
Fundamentally, though, with the right security strategy and cloud service providers on board, security can be comprehensively managed and even enhanced by migrating workloads to the cloud.