Moving to the cloud often means lower costs, 24/7 access, and higher security. But higher security doesn’t mean guaranteed. It takes two to make cloud security work: the cloud service provider, and you—the user. While a reputable cloud service provider keeps their systems patched and swiftly responds to threats on their infrastructure, it’s up to the cloud consumer to fill in the rest of the data security equation: your data and how you access it.
Challenges of the cloud
What makes securing data on the cloud different than data on your own machines? While the principles are the same, one of the main challenges as a subscribing enterprise is the lack of control and visibility. It’s a fine balance between outsourcing services and technologies while ensuring the implementation is up to par with your policies. Your employees could add new unsanctioned services on the fly, and the lack of standards in configuration and available options across vendors can make security a nontrivial task.
As an enterprise, you understand that there are risks you must take, but leaving security in the hands of a cloud provider is not enough. You have your own risk equation; how can you measure risk if you’re not sure what’s going on in the cloud? If you have hundreds of users and multiple vendors, what does a standard assessment look like? Read on to learn the must-dos for keeping data secure on the cloud and how to gain visibility to position yourself for the better.
Tip #1: Secure your accounts with MFA
Multi-factor authentication (MFA) should be a baseline, but the usage rates tell a different story. Less than 1/3 of Azure Active Directory administrators use MFA. Considering how common MFA is now in the consumer world—for banking, for email—you may have thought businesses have led the way.
The payoff of MFA is clear: Microsoft engineers stated that 99.9% of account compromises happened to those without MFA. Take the extra few minutes (at most) and opt-in for MFA. You can count on a SMS-based attack or theft of SIM card to be harder than cracking a password considering the speed of modern-day computing.
Tip #2: Configure your databases properly
In the past, an on-premise database may have been air-gapped and well-protected by access control or obscurity. Now, data can be exposed to the whole world with simple mistakes like forgetting to password-protect or leaving default settings in place. While mistakes happen, in some cases they come with costly ramifications in reputation and financial resources. Take it from Uber who paid $148 million to settle civil lawsuits after revealing private information of 57 million people.
Default settings often emphasize speed and convenience over security. For a database of public data like lottery powerball winning numbers, why not? For a database of credit card numbers and social security numbers, speed sounds great too—but not at the cost of security. Default settings must be reviewed and configured to protect against unauthorized access. Sometimes, a first solution is simply to use a password (vs. none) combined with MFA (see tip #1).
Tip #3: Encrypt your sensitive data
Having a strong authentication goes far, but for your most sensitive data, encryption will provide layers of extra protection. This protection is analogous to having a locked safe in your home; there’s a reason you aren’t leaving your birth certificate out on a shelf or kitchen table. Perhaps it’s a legal reason as well; encryption is commonly used to comply with the requirements of regulations such as the United States Health Insurance Portability and Accountability Act (HIPAA), which requires security for electronic health information.
Many reputable cloud service providers encrypt data at rest by default in the event an attacker lands on the machine without the correct credentials. When this isn’t enough, other options allow customers to manage the encryption on their own or use specialized hardware managed by the cloud service provider.
Tip #4: Enforce your policies with a broker
One of the main benefits of working on the cloud is the ability to outsource computing resources, applications, storage, and security to specialists. Like any decision in life, this choice comes with disadvantages. Hiring someone else to provide you a service means less visibility and less ability to enforce security policies of your own.
However, you do not have to settle for this gap. Providers known as cloud access security brokers (CASBs) fill this gap by sitting between cloud service providers and their users to enforce security policies such as authentication and encryption. CASBs accomplish this task through monitoring traffic between the cloud and user or by using the cloud provider’s API. Each has its own advantages and disadvantages, like speed or vendor lock-in. They all provide the advantage of visibility into your cloud activity and ensuring that the policies you’ve meticulously put in place are actually enforced.
Tip #5: Stay up to the date with the threat landscape
Five years (or less) from now, this advice may be moot if everyone is implementing MFA and configuring their databases correctly. Stay up to date by following cybersecurity news, domain experts, security research teams, and government authorities. While technology can help you stay updated with the latest patches to fix zero-day exploits, the trends over time will take more proactive work.
Training your staff, from the non-technical to technical also plays a part in disseminating best practices based on the current state-of-the-art. Anyone can implement MFA, and developers who handle sensitive information can understand the appropriate tier of encryption to implement. To up the game, live cybersecurity exercises can test how ready you truly are.
By following all of these tips, you can better protect your data on the cloud without having to settle for less.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.