10 Best Practices for Cloud Security: How to Protect Your Business Assets

This may happen as when working with a cloud service provider (CSP), you enter a "shared responsibility model". Because of this, teams sometimes assume that their CSP will handle all cloud security issues while it's still their own responsibility to secure data and workloads. 

More often than not, cloud security configuration is still up to your team.

In this post, I'm outlining the most important steps for securing your cloud environment. But first things first, so let's start by briefly discussing the risks involved. 

10 best practices for cloud security

Below you will find the most critical cloud security practices battle-tested by our team when working with Tenesys clients.

Remember, however, that even the best procedure won’t replace common sense, a global overview of the situation, and critical thinking.

#1: Identify your cloud security needs and create a plan that meets them

One of the fundamental questions you must answer is about the kinds of data you plan to store in the cloud and the risks affecting its security. 

Preparing an environment storing source code, images, and video shared on an open-source or Creative Commons licence will differ from, let’s say, storing the medical data of patients in the EU. 

Storing certain data types is subject to legal regulations, so it is essential to remember this from the outset of designing a system. 

#2: Apply multi-layered protection – Multi-Factor Authentication (MFA)

Sticking to just a set of a username and password is insufficient. By combining several different authentication methods, you can better secure your cloud data against various attack types. 

For instance, brute-force attacks happen when the attacker generates usernames and passwords. Of course, systems should be ready to fend off such attacks, but sometimes they aren’t, so another layer of security helps to protect your valuable assets. 

It’s essential to remember that both the length and quality of passwords matter. That’s why it’s best to avoid using “weak” passwords, i.e. short passwords with only one character type (e.g. lowercase or uppercase) or no special symbols. A strong password is a foundation for the rest of the structure that you can build upon it.

It’s also a good idea to use applications generating one-time keys, such as Google Authenticator, LastPass Authenticator or Microsoft Authenticator. You install or initiate the app in the cloud, and your users can do the rest on their smartphones. Then, each time they log in, they can use the code they get in the app on their phone. If it is correct, the system lets them in.

To further enhance login security, you can use location-based authentication, one-time passwords sent to a secure email, or access cards attached directly to the computer.

#3: Establish and control access to data in the cloud

Cloud maintenance is multi-level – if someone uses a spreadsheet editor-type application, they do not need to know where it is installed or what processes it is subject to. Only administrators must (and can) have access to this type of information, not necessarily all of it. 

It’s best to follow the principle of least privilege and allow your users only as much access as necessary – granting it should never be treated lightly. 

Moreover, if your organisation operates in a highly regulated market (medicine, finance, etc.) and employees migrate between departments, you should pay special attention to their access permissions. 

At times of job changes within an organisation, the highest number of security incidents occur. Paradoxically, the simplest scenario is when an employee leaves the company. At that point, they lose all access rights.

#4: Monitor your cloud infrastructure and respond to potential threats

The primary task of securities is to see if everything works as it should. Attackers wishing to break into your infrastructure can do the most damage if their actions go undetected. 

A 24/7 cloud security monitoring solution is a must, and so is responding in real-time to incidents if they occur. 

You should also never save on penetration testing. White hacking specialists get the task of breaking into your infrastructure, learning about its weaknesses, and operating ethically. Doing so lets you know your system’s weaknesses and, in turn, better protect yourself against actual breaches. 

Apart from protecting against attacks, penetration tests also help to check whether your monitoring detects irregularities correctly.

#5: Make use of the safeguards offered by cloud providers, such as access control

Access control is a mechanism to determine who can access data or resources in the cloud. You can implement it through the authentication and authorisation processes of users and devices. 

It is not unusual to use hardware tokens to secure access further. By using services such as AWS IAM or Azure AD, you can manage access to both your cloud and individual applications. The situation here is similar to that I described in the section on data access (#3).

There’s no doubt that applications are also data. The difference, however, is that if that data falls into the wrong hands, it can serve as a finite source of information. However, if someone unauthorised gets into the app and you fail to detect it, then you risk data leaks over a much more extended period of time. 

An infected application may even be used to sabotage your work by destroying or falsifying information. In such cases, detecting such changes to data can be challenging, as there is no obvious way to verify information accuracy.

#6: Make sure you are in control of your data

Cloud services are a great tool when you want to take care of your product and are not interested in ‘what’s beneath’. In this case, you transfer the responsibility to someone more experienced, so you take care of your product. 

The problem comes when that component stops working. Using whatever is highest up in the product hierarchy gives you no control over what the service provider delivers to you. 

Of course, there are specialised services, but these come at an extra cost. Typically, you buy ‘processor cores’, ‘SSD space’ or ‘RAM resources’. In this case, you don’t know if a particular memory model will not be vulnerable to attacks that exploit its deficiencies and if the memory will not cause data loss when writing to a specific cell. 

While these issues are worth keeping in mind, it’s also important to remember that such events are rare.

#7: Ensure connections to and from the cloud are secure

Data encryption is the process of using an encryption key to turn data into an unreadable form for third parties. 

You can encrypt the data transferred between the user and the cloud and the data stored in the cloud. Cloud providers offer various encryption options, including client-side encryption and provider-side encryption. These security features help to keep your data private and secure in the cloud. 

It is worth setting up VPN connections for your employees. Then, even when an attacker intercepts a data stream, they won’t be able to decrypt it.

#8: Comply with all applicable data security regulations

The General Data Protection Regulation (“GDPR”) regulates the security of data storage related to people in the EU by explicitly stating where and how to keep it. In addition, the person in charge of data must explicitly communicate who has access to it. If they fail to do so, they face penalties that can reach millions of euros. 

The result is that although you can keep your data virtually anywhere in the world, you must physically store it within the European Union. If this is not the case, you must immediately make it clear. 

Remember that GDPR is not the only regulation you may need to abide by. Organisations in the legal, medical, and financial sectors will have the most work to do on the legal side.

#9: Regularly test your security measures to ensure they are effective

The IT industry is one of the most dynamic industries. This brings the need to ‘stay up to date’ even if you have no direct exposure to IT. 

Let’s say your organisation uses any type of computer system, and you already need to know as much as possible about it. You need to keep the operating systems, purchased applications and other software up to date. 

Such a need disappears if you use cloud applications. Then, it is up to the service provider to keep the software up to date, and you can focus on the core of your business. 

However, even in that case, you still need to control the situation – and nothing can replace a well-trained system administrator.

#10: Prepare a security incident action plan to respond quickly to threats

You should always be ready for the worst. You may have the most secure system, but even these protections can get compromised. 

If that happens, you should proceed immediately with a business continuity plan. Having potential scenarios and ways to deal with them prepared in advance is a must. It is unacceptable to leave things to chance and focus on mitigating threats only when they occur. 

Suppose your customers’ data is published as a file on some forum. Do your administrators know what to do? Does your business department know what to do? And if everyone knows, has it been tested in practice or has it just remained on paper? 

At this point, it is essential to point out that organisations often unwittingly succumb to a paradox: there is never time to test, but there is always time to fix. By abandoning this attitude, you can avoid many unpleasant situations.