For a long time, “the public cloud” was a foreign concept that many businesses shied away from because of security concerns. In recent years, this has steadily changed. Many reliable and trustworthy third-party cloud vendors have entered the market and, with this competition, the market has matured.
While the concept of the cloud is far more accepted today, with increasing numbers of organizations contracting with vendors for cloud services, this doesn’t mean people can ignore security concerns. Vendors invest heavily in security, but customers need to do their part as well. Rest assured, bad actors will continue to exploit any opening they can find. Any steps taken to mitigate their efforts will go a long way towards protecting sensitive and proprietary data.
Projections by Gartner suggest that, through 2025, 90% of the organizations that neglect to control public cloud use will share sensitive data inappropriately. Here are six ways to stay secure in the cloud.
1. UNDERSTAND VENDOR AND CUSTOMER RESPONSIBILITIES
Cloud providers have specific responsibilities, but customers also have their share of responsibility. Understand where the vendor’s responsibility ends and where yours begins. This will vary depending on the specific vendor or type of services chosen. Carefully read over the contract, understand the language used, and take note of your security responsibilities so proper steps can be taken in day-to-day operations.
2. KEEP CONFIGURATIONS UP-TO-DATE
It is critical that administrators use identity and access management tools as they were designed to be used:
Remove old accounts from the system.
Limit access for users to a need-to-know basis.
Eliminate broad access for all users and assign specific permissions.
Utilize multi-factor authentication (MFA).
Require users to create strong passwords.
Cloud providers offer security tools for a reason; be sure to use them. When tools are deployed as designed, many accidental – or even intentional – breaches can easily be avoided.
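As an added illustration (not part of the original post), the sketch below runs three of the checks above (old accounts, MFA, broad permissions) over an account inventory. The inventory, its field names and the 90-day threshold are constructed assumptions, not any cloud provider's export format.

```python
from datetime import date

# Constructed sample inventory; the field names are assumptions, not any
# cloud provider's real export format.
ACCOUNTS = [
    {"user": "alice", "last_login": "2024-05-28", "mfa": True,
     "permissions": ["storage:read:finance-reports"]},
    {"user": "bob", "last_login": "2023-11-02", "mfa": True,
     "permissions": ["storage:read:hr-files"]},
    {"user": "carol", "last_login": "2024-05-30", "mfa": False,
     "permissions": ["storage:*:*"]},
    {"user": "svc-backup", "last_login": None, "mfa": False,
     "permissions": ["*"]},
]

STALE_AFTER_DAYS = 90  # assumed policy threshold


def audit_accounts(accounts, today, stale_after=STALE_AFTER_DAYS):
    """Return {user: [findings]} for accounts that break the checklist."""
    report = {}
    for acct in accounts:
        findings = []
        last = acct.get("last_login")
        if last is None:
            findings.append("never logged in: candidate for removal")
        else:
            idle = (today - date.fromisoformat(last)).days
            if idle > stale_after:
                findings.append(f"inactive {idle} days: candidate for removal")
        if not acct.get("mfa", False):
            findings.append("MFA not enabled")
        # Any wildcard means the grant is broader than a specific permission.
        broad = [p for p in acct.get("permissions", []) if "*" in p]
        if broad:
            findings.append("broad permission(s): " + ", ".join(broad))
        if findings:
            report[acct["user"]] = findings
    return report


if __name__ == "__main__":
    for user, findings in audit_accounts(ACCOUNTS, date(2024, 6, 1)).items():
        for finding in findings:
            print(f"{user}: {finding}")
```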
3. AVOID SECURITY MISCONFIGURATIONS
One of the first vulnerabilities cybercriminals seek out is cloud misconfiguration. Administrators within an organization should routinely check their configurations to ensure they are set as intended. Look over access restrictions, access logs, and data protection settings and audit them to ensure they haven’t been changed or resources haven’t inadvertently been left exposed.
4. INVENTORY INFORMATION STORED IN THE CLOUD
Data is a valuable asset. Many organizations collect excess data because of the potential opportunities it may present in the future and, as a result, it gets stored and then forgotten about. A good practice is to take regular inventory of data and determine who has access to it.
Remove unnecessary data that serves no legitimate need, to reduce the risk of exposure.
Employ security on the data that does need to be kept.
Encrypt data that does need to be kept but is not routinely accessed.
Not all data needs to be kept, nor should it be. It’s difficult to safeguard data if it’s fallen off the radar.
5. TRAIN AND EDUCATE USERS
Creating a culture rooted in strong security practices goes a long way towards eliminating risks. Many breaches are unintentionally caused by people. Users who are educated about security risks can better understand security measures to prevent data exposure or loss.
Provide training and written guidelines on any “do’s and don’ts” associated with cloud use and security. This should not be a one-and-done task; it should be revisited often, as cloud providers consistently add and change features in their services. Be sure to keep everyone up to date on any changes, risks (including social engineering, such as, but not limited to, a former employee or a cybercriminal posing as a vendor employee), or other pertinent factors relating to security.
6. ELIMINATE COMPLEXITIES
Many organizations use a combination of storage solutions and may even simultaneously use several cloud solutions. Reduce these complexities by streamlining the services used. Managing multiple sets of configurations gets convoluted and, in the process, important security steps often get missed. By simplifying infrastructure as much as possible, potential risks can be reduced.
The remote work model has been growing steadily in recent years, but in 2020 it grew exponentially, and this model is projected to continue into the future. Use of the public cloud is here to stay and, due to the need for remote access, will continue to grow. Organizations that understand their share of security responsibilities can better avoid becoming tomorrow’s headline about the latest data breach.
Today’s guest post is by a friend and professional peer of mine, Tony Chiappetta, owner of CHIPS.
CHIPS is a Technology Success Provider located in Shoreview, MN near the intersection of Highway 96 and Lexington. Since 2001, CHIPS has been working with businesses to help them get the most from their technology investment.
Tony has been around technology all his life and holds numerous industry certifications. With the completion of both a Law Enforcement and a Business Management Degree, Tony brings a business perspective to the technology landscape. This has allowed CHIPS to lead the industry by bringing enterprise solutions down to the Small Business sector.
CHIPS has received many industry awards and accreditations; however, Tony is most proud that his team has been asked to help secure the Critical Infrastructure of the Twin Cities by bringing to market a proven technology that was previously only available to Federal Government Agencies. You can follow Tony on the CHIPS blog.
Cloud Security – Secure Data – Cyber Security flickr photo by perspec_photo88 shared under a Creative Commons (BY-SA) license
About the Author: I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com