10 Best Practices for Cloud Security: How to Protect Your Business Assets
2023-06-26 12:59:03
By migrating to the cloud, your company uses tools another party maintains.
As a result, you don't have to worry about managing your software so that it works appropriately and instead can focus on the part of the business that you specialise in. Deloitte's research demonstrated that SMBs using cloud computing grew 26% faster and made 21% more profit.
Migrating to the cloud also has negative sides, with one of the most severe being that you may overlook a seemingly basic procedure.
This can happen because, when you work with a cloud service provider (CSP), you enter a "shared responsibility model". Teams sometimes assume that their CSP will handle all cloud security issues, while securing data and workloads is still their own responsibility.
More often than not, cloud security configuration is still up to your team.
In this post, I'm outlining the most important steps for securing your cloud environment. But first things first, so let's start by briefly discussing the risks involved.
What are the risks of cloud computing?
According to Flexera’s State of the Cloud 2022, security remains the top challenge for companies – 85% of respondents indicated it in the survey.
The strategy for setting up cloud security differs significantly from building protections for physical data centres. Many security issues in the cloud start with misconfigurations leading to security gaps.
Cloud misconfiguration, lack of runtime protection, and human error can open your setup for attackers to steal data. For instance, they could get into the apps on the server and install scripts executed when users enter sensitive information. They can then send that data back to a server owned by bad actors, who then can use it as they wish.
The evolution of the cloud threat landscape has led to the growth of more complex attacks involving ransomware. In this attack type, hackers access a system by inserting malicious code into your cloud infrastructure and affecting apps in that space.
Recovering from a ransomware attack can be difficult and costly. According to Sophos State of Ransomware 2022, the average recovery cost doubled within a year, reaching $1.85 million in 2021.
So it’s definitely better to be safe than sorry.
10 best practices for cloud security
Below you will find the most critical cloud security practices battle-tested by our team when working with Tenesys clients.
Remember, however, that even the best procedure won’t replace common sense, a global overview of the situation, and critical thinking.
#1: Identify your cloud security needs and create a plan that meets them
One of the fundamental questions you must answer is about the kinds of data you plan to store in the cloud and the risks affecting its security.
Preparing an environment storing source code, images, and video shared on an open-source or Creative Commons licence will differ from, let’s say, storing the medical data of patients in the EU.
Storing certain data types is subject to legal regulations, so it is essential to remember this from the outset of designing a system.
#2: Apply multi-layered protection – Multi-Factor Authentication (MFA)
Sticking to just a set of a username and password is insufficient. By combining several different authentication methods, you can better secure your cloud data against various attack types.
For instance, in a brute-force attack the attacker generates usernames and passwords and tries them until one works. Of course, systems should be ready to fend off such attacks, but sometimes they aren’t, so another layer of security helps to protect your valuable assets.
It’s essential to remember that both the length and quality of passwords matter. That’s why it’s best to avoid using “weak” passwords, i.e. short passwords with only one character type (e.g. lowercase or uppercase) or no special symbols. A strong password is a foundation for the rest of the structure that you can build upon it.
It’s also a good idea to use applications generating one-time keys, such as Google Authenticator, LastPass Authenticator or Microsoft Authenticator. You install or initiate the app in the cloud, and your users can do the rest on their smartphones. Then, each time they log in, they can use the code they get in the app on their phone. If it is correct, the system lets them in.
To further enhance login security, you can use location-based authentication, one-time passwords sent to a secure email, or access cards attached directly to the computer.
#3: Establish and control access to data in the cloud
Cloud maintenance is multi-level – if someone uses a spreadsheet editor-type application, they do not need to know where it is installed or what processes it is subject to. Only administrators must (and can) have access to this type of information, and not necessarily to all of it.
It’s best to follow the principle of least privilege and allow your users only as much access as necessary – granting it should never be treated lightly.
Moreover, if your organisation operates in a highly regulated market (medicine, finance, etc.) and employees migrate between departments, you should pay special attention to their access permissions.
The highest number of security incidents occur at times of job changes within an organisation. Paradoxically, the simplest scenario is when an employee leaves the company. At that point, they lose all access rights.
#4: Monitor your cloud infrastructure and respond to potential threats
The primary task of security monitoring is to see if everything works as it should. Attackers wishing to break into your infrastructure can do the most damage if their actions go undetected.
A 24/7 cloud security monitoring solution is a must, and so is responding in real-time to incidents if they occur.
You should also never save on penetration testing. White-hat specialists are given the task of breaking into your infrastructure and learning about its weaknesses while operating ethically. Doing so lets you know your system’s weaknesses and, in turn, better protect yourself against actual breaches.
Apart from protecting against attacks, penetration tests also help to check whether your monitoring detects irregularities correctly.
#5: Make use of the safeguards offered by cloud providers, such as access control
Access control is a mechanism to determine who can access data or resources in the cloud. You can implement it through the authentication and authorisation processes of users and devices.
It is not unusual to use hardware tokens to secure access further. By using services such as AWS IAM or Azure AD, you can manage access to both your cloud and individual applications. The situation here is similar to that I described in the section on data access (#3).
There’s no doubt that applications are also data. The difference, however, is that if that data falls into the wrong hands, it can serve as a finite source of information. However, if someone unauthorised gets into the app and you fail to detect it, then you risk data leaks over a much more extended period of time.
An infected application may even be used to sabotage your work by destroying or falsifying information. In such cases, detecting such changes to data can be challenging, as there is no obvious way to verify information accuracy.
#6: Make sure you are in control of your data
Cloud services are a great tool when you want to take care of your product and are not interested in ‘what’s beneath’. In this case, you transfer the responsibility to someone more experienced, so you can take care of your product.
The problem comes when that component stops working. Using whatever is highest up in the product hierarchy gives you no control over what the service provider delivers to you.
Of course, there are specialised services, but these come at an extra cost. Typically, you buy ‘processor cores’, ‘SSD space’ or ‘RAM resources’. In this case, you don’t know whether a particular memory model is vulnerable to attacks that exploit its deficiencies, or whether the memory will cause data loss when writing to a specific cell.
While these issues are worth keeping in mind, it’s also important to remember that such events are rare.
#7: Ensure connections to and from the cloud are secure
Data encryption is the process of using an encryption key to turn data into an unreadable form for third parties.
You can encrypt the data transferred between the user and the cloud and the data stored in the cloud. Cloud providers offer various encryption options, including client-side encryption and provider-side encryption. These security features help to keep your data private and secure in the cloud.
It is worth setting up VPN connections for your employees. Then, even when an attacker intercepts a data stream, they won’t be able to decrypt it.
#8: Comply with all applicable data security regulations
The General Data Protection Regulation (“GDPR”) regulates the security of data storage related to people in the EU by explicitly stating where and how to keep it. In addition, the person in charge of data must explicitly communicate who has access to it. If they fail to do so, they face penalties that can reach millions of euros.
The result is that although you can keep your data virtually anywhere in the world, you must physically store it within the European Union. If this is not the case, you must immediately make it clear.
Remember that GDPR is not the only regulation you may need to abide by. Organisations in the legal, medical, and financial sectors will have the most work to do on the legal side.
#9: Regularly test your security measures to ensure they are effective
The IT industry is one of the most dynamic industries. This brings the need to ‘stay up to date’ even if you have no direct exposure to IT.
If your organisation uses any type of computer system, you already need to know as much as possible about it. You need to keep the operating systems, purchased applications and other software up to date.
Such a need disappears if you use cloud applications. Then, it is up to the service provider to keep the software up to date, and you can focus on the core of your business.
However, even in that case, you still need to control the situation – and nothing can replace a well-trained system administrator.
#10: Prepare a security incident action plan to respond quickly to threats
You should always be ready for the worst. You may have the most secure system, but even these protections can get compromised.
If that happens, you should proceed immediately with a business continuity plan. Having potential scenarios and ways to deal with them prepared in advance is a must. It is unacceptable to leave things to chance and focus on mitigating threats only when they occur.
Suppose your customers’ data is published as a file on some forum. Do your administrators know what to do? Does your business department know what to do? And if everyone knows, has it been tested in practice or has it just remained on paper?
At this point, it is essential to point out that organisations often unwittingly succumb to a paradox: there is never time to test, but there is always time to fix. By abandoning this attitude, you can avoid many unpleasant situations.
Cloud security is in your hands
Cloud computing undoubtedly brings you multiple benefits, but it can also compromise your security posture. The shared responsibility model associated with public cloud services can sometimes lead to confusion.
When not attended to in time, incidents can cause data breaches, leaks, and loss of valuable business assets, as well as costly ransomware attacks. That’s why cloud security should be one of the key considerations from the outset.
I hope that the strategies outlined above will help you create a secure and reliable cloud setup for your business. Good luck!
In case of any questions, please drop us a line and our team of cloud security experts will be happy to lend you a hand in your cloud migration journey.