At least six Deloitte clients were affected by a high-profile cyber-attack. The US Securities and Exchange Commission (SEC) suffered a system breach. 143 million US consumers were affected by the Equifax breach.
With such resonant cyber-attacks taking place within a single month, it becomes clear that anyone can be affected by cybercriminals.
But how do you even start with securing your data? What are the best practices to keep your data fully safe in the cloud?
To help you jump-start your cloud security strategy, we invited 15 experts to share their top cloud security tips. Coming from renowned professionals in the field, these tips are something you do not want to ignore!
Best of all, they are actionable, so you can start implementing them tomorrow.
1. Maintain availability in the cloud
Dustin Albertson, Veeam®
Cloud Security. When most people think about the topic of cloud security, they tend to think about Networking, Firewalls, Endpoint security, etc. As a matter of fact, Amazon defines cloud security as:
Security in the cloud is much like security in your on-premises data centers - only without the costs of maintaining facilities and hardware. In the cloud, you don’t have to manage physical servers or storage devices. Instead, you use software-based security tools to monitor and protect the flow of information into and out of your cloud resources.
But one often overlooked risk is maintaining availability. What I mean by that is more than just geo-redundancy or hardware redundancy, I’m referring to making sure that your data and applications are covered. Cloud isn’t some magical place where all your worries disappear; cloud is a place where all your worries are often easier and cheaper to multiply. Having a robust data protection strategy is key. Veeam has often been preaching about the “3-2-1 Rule” that was coined by Peter Krogh.
The rule states that you should have 3 copies of your data, storing them on 2 different media, and keeping 1 offsite. The 1 offsite is usually in the “cloud”, but what about when you are already in the cloud?
This is where I see most issues arise: when people are already in the cloud, they tend to store the data in the same cloud. This is why it’s important to remember to have a detailed strategy when moving into the cloud. Leverage things like Veeam agents to protect cloud workloads, and Cloud Connect to send the backups offsite, to maintain that availability outside of the same datacenter or cloud. Don’t assume that it’s the provider’s job to protect your data, because it isn’t.
Dustin Albertson (VCAP-CIA, VMCE, AWS-TP) is the Senior Cloud Solutions Architect for the Cloud & Alliance Strategy Group at Veeam Software based in South Carolina, USA. Dustin is an active member of the virtualization and Service Provider communities. Dustin’s career started in telecom before focusing on virtualization. His main areas of expertise are VMware and Networking, with a strong focus on Cloud Service Providers and Public Clouds. Follow Dustin on Twitter @clouddizzle
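To make the "already in the cloud" trap concrete, here is an added example, not Veeam's code or the author's, that checks a backup inventory against the 3-2-1 rule. It assumes an inventory format of one dict per copy with name/media/provider/region keys, the first entry being the primary; both inventories below are constructed, not real deployments.

```python
"""Check a backup inventory against the 3-2-1 rule.

Added example, not Veeam's code or the author's. The inventory format
(a list of dicts with name/media/provider/region keys) is an assumption
made for this illustration; the first entry is taken to be the primary.
"""


def check_321(inventory):
    """Return a list of violations; an empty list means the rule holds.

    'Offsite' is read strictly: a copy under a different provider than the
    primary, so that loss of one provider account cannot take every copy.
    A copy in another region of the same provider is called out separately,
    since it survives a regional outage but not a compromised account.
    """
    problems = []
    if len(inventory) < 3:
        problems.append(f"only {len(inventory)} copies (need at least 3)")
    media = {c["media"] for c in inventory}
    if len(media) < 2:
        problems.append("all copies on one media type (%s), need 2" % ", ".join(sorted(media)))
    primary = inventory[0]
    others = inventory[1:]
    if not any(c["provider"] != primary["provider"] for c in others):
        msg = "no copy outside provider '%s'" % primary["provider"]
        if any(c["region"] != primary["region"] for c in others):
            msg += " (cross-region copies exist, but they share the primary's account)"
        problems.append(msg)
    return problems


# Constructed inventories (not real deployments).
SAME_CLOUD = [
    {"name": "prod-volume", "media": "block-storage", "provider": "cloud-a", "region": "us-east-1"},
    {"name": "nightly-snap", "media": "snapshot", "provider": "cloud-a", "region": "us-east-1"},
    {"name": "weekly-snap", "media": "snapshot", "provider": "cloud-a", "region": "us-west-2"},
]
OFFSITE_OK = [
    {"name": "prod-volume", "media": "block-storage", "provider": "cloud-a", "region": "us-east-1"},
    {"name": "nightly-snap", "media": "snapshot", "provider": "cloud-a", "region": "us-east-1"},
    {"name": "offsite-copy", "media": "object-storage", "provider": "cloud-b", "region": "eu-west-1"},
]

if __name__ == "__main__":
    for label, inv in (("same cloud", SAME_CLOUD), ("offsite copy", OFFSITE_OK)):
        print(label, "->", check_321(inv) or "3-2-1 satisfied")
```

The strict reading of "offsite" is deliberate: a snapshot in a second region of the same account is deleted by the same credential, and the same billing failure, that deletes the primary.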
2. Choose a Cloud Provider that has a solid approach to security in the cloud
Nic O’Donovan, VMware®
The Hybrid cloud continues to grow in popularity with the enterprise – particularly as the speed of deployment, scalability and cost savings become more attractive to business. We continue to see infrastructure rapidly evolving into the cloud, which means security must evolve at a similar pace. It is very important for the enterprise to work with a Cloud Service Provider which has a solid approach to security in the cloud.
This means the partnership with your Cloud Provider is becoming increasingly important as you work together to understand and implement a security plan to keep your data secure.
Security controls like Multi-factor authentication, data encryption along with the level of compliance you require are all areas to focus on while building your security plan.
Nic O’Donovan is a Solutions Architect and Cloud Specialist with the VMware Cloud Provider Program working with Cloud Service Providers. Nic is an active blogger and works with CSPs to build new offerings across infrastructure, security and disaster recovery solutions.
3. Patch your systems and servers regularly
Adam Stern, Infinitely Virtual
Business users aren’t defenseless, even in the wake of nefarious bits of ransomware like WannaCry or Petya/NotPetya. The best antidote is patch management. It’s always sound practice to keep systems and servers up to date with patches – it’s the shortest path to peace of mind. Indeed, “patch management consciousness” needs to be part of an overarching mantra that security is a process, not an event -- a mindset, not a matter of checking boxes and moving on. Vigilance should be everyone’s default mode. Spam is no one’s friend; be wary of emails from unknown sources – and that means not opening them. Every small and midsize business wins by placing strategic emphasis on security protections, with technologies like clustered firewalls and intrusion detection and prevention systems (IDPS).
Any business - or more pointedly, any business’s data - is considerably safer in the cloud than parked on equipment under someone’s desk. In addition to IDPS, any cloud provider worth its salt brings to the task a phalanx of time-tested tools, procedures, and technologies that ensure continuous uptime, regular backups, data redundancy, data encryption, anti-virus/anti-malware deployment, multiple firewalls, and round-the-clock monitoring.
4. Learn how the cloud works
Tom DeSot, Digital Defense, Inc.
My number one security tip for businesses looking at cloud computing is to make sure that they educate themselves on what it really means to move into the cloud before taking that big leap from running systems in their own datacenter.
All too often I’ve seen a business make a move to cloud computing without really having any knowledge about what it means to them and to the security of their systems. They need to recognize that their software will be “living” on shared systems with other customers so if there is a breach of another customer’s platform, it may be possible for the attacker to compromise their system as well.
Likewise, cloud customers need to understand where their data will be stored, whether it will be only in the US, or the provider replicates to other systems that are on different continents. This may cause a real issue if the information is something sensitive like PII or information protected under HIPAA or some other regulatory statute. Lastly, the cloud customer needs to pay close attention to the Service Level Agreements (SLA) that the cloud provider adheres to and ensure that it mirrors their own SLA.
Moving to the cloud is a great way to free up computing resources and ensure uptime, but I always advise my clients to make the move in small steps so that they have time to truly gain an appreciation for what it means to be “in the cloud”.
As CIO of Digital Defense, Inc., Tom DeSot is charged with key industry and market regulator relationships, public speaking initiatives, key integration and service partnerships, and regulatory compliance matters. He also serves as the company’s internal auditor on security-related matters. He holds NSA’s INFOSEC Assessment Methodology Certification and is trained in OCTAVE risk assessment.
5. Updated OS, Strong Passwords, 2-Step Verification
Brian Smith, CTO of Hushmail
Brian Smith, CTO of Hushmail, highlights three critical elements of a secure data system.
Tip #1: Keep your operating systems up to date. The companies that create operating systems are always on the lookout for vulnerabilities in their systems. When they find weaknesses, they (usually) issue updates quickly to fix them. The irony, of course, is that when companies issue updates, it can be a signal to hackers that there is a weakness in the system. That’s why it’s so important to stay on top of updates as they come up and to automate their installation when appropriate.
Tip #2: Don’t use the same passwords for multiple sites. The reason for this is that if a website is compromised, attackers may be able to use the user IDs and passwords they steal to unlock valuable information on other sites or services. Using the same password for many products and services is like giving thieves a skeleton key to unlock your personal information across the web. Unique passwords make it difficult for bad guys to hurt you more than once.
Tip #3: Enable two-step verification. Two-step verification is a feature many online services offer. It employs a two-stage process to authenticate your identity on new devices. It’s helpful since passwords can be broken. Two-step verification makes it much harder for non-authorized parties to access your account. To get in, they would need to have access to your phone or alternate email address, in addition to your user ID and password. It’s an added layer of security that has been shown to be quite effective in mitigating digital fraud.
Brian was a co-founder of Hushmail in 1999 and has been CTO since 2002. He is responsible for technology architecture, software development, network operations, security, and compliance at Hushmail. Brian has broad expertise in Internet security and email messaging systems.
6. Always backup your data
Scott Fcasni, 1SEO Technologies
One of the most obvious, but overlooked, aspects of cloud computing is to always backup your data. The internet is the Wild West and anything can happen. Having proper backups of all your data is the easiest way to ensure you always have control over your data, no matter what situation arises. Whether you have a small or large business, your data is essential to your operations.
According to the Kaspersky Lab Malware Report, ransomware has risen by over 250% for the first few months of 2017 and continues to trend in a very frightening direction. Regularly backing up your data is the ultimate insurance policy for your business and can save your company from the crippling effects of a major data loss. Everyone always thinks "It can't happen to me," but the reality is, no network is safe from ransomware and natural disasters. If I can give one piece of advice to any company out there, it is to ensure peace of mind with an effective backup strategy.
Scott Fcasni is the President of 1SEO Technologies, an elite IT support and managed services company. With more than ten years of experience, Scott and his team always help their clients stay ahead with technology that best suits their business.
7. Enable two-factor authentication
Tim Platt, VP IT Business Services
I’m VP of IT Business Services at an IT Managed Service Provider (MSP). We provide full IT services to small and medium-sized business in the Orlando, FL area. As such, we see a lot of requests for security assistance with the cloud.
For the best cloud security, we prefer to see Two Factor Authentication (also known as 2FA, multi-factor authentication, or two-step authentication) used wherever possible. What is this? 2 Factor combines “something you know” with “something you have”. If you need to supply both a password and a special code sent to your smartphone via text, then you have both those things. Even if someone knows your password, they still can’t get into your account. They would have to know your password and have access to your cell phone. Not impossible, but you’ve just made it dramatically more difficult for them to hack your account. They’ll look elsewhere for an easier target. As an example, iCloud and Gmail support 2FA – two services very popular with business users. I recommend everyone use it.
Why is this important for cloud security?
Because cloud services are often not protected by a firewall or other mechanism to control where the service can be accessed from. 2FA is a good additional layer to add to security. I should mention as well that some services, such as Salesforce, have a very efficient, easy to use implementation of 2FA that isn’t a large burden on the user.
Tim Platt has almost 25 years of experience in multiple areas of technology including programming, networking, databases, cloud computing, security, and project management. He currently works as a VP IT Business Services at Virtual Operations, LLC, providing technology consulting in the Orlando, FL area.
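Brian Smith's tip #3 and Tim Platt's tip above both describe two-step verification from the user's side. As an added example (not code from the article or from any service it names), here is what the server verifies when the second factor is an authenticator-app code, in pure standard-library Python: HOTP (RFC 4226), TOTP (RFC 6238) on top of it, and a verify function that allows one step of clock drift, compares in constant time and refuses replay of an already-accepted code. The demo secret is constructed for illustration.

```python
"""Server-side verification of authenticator-app codes: HOTP (RFC 4226) and
TOTP (RFC 6238) over it, pure standard library.

Added example; not code from the article or from any service it mentions.
The demo secret is constructed for illustration only.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"  # constructed; enrolment QR codes carry base32 like this


def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, unix_time, digits=6):
    """RFC 6238: HOTP with the counter set to the current 30-second step."""
    return hotp(secret_b32, int(unix_time) // STEP_SECONDS, digits)


def verify_totp(secret_b32, submitted, unix_time, last_used_counter, window=1):
    """Return (accepted, counter_to_store).

    Tolerates +/- `window` steps of clock drift between phone and server,
    compares in constant time, and never accepts a counter at or below the
    last one stored for this account, so a code captured in transit cannot
    be replayed during the rest of its 30-second validity.
    """
    now_counter = int(unix_time) // STEP_SECONDS
    for delta in range(-window, window + 1):
        counter = now_counter + delta
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret_b32, counter), submitted):
            return True, counter
    return False, last_used_counter


if __name__ == "__main__":
    print("current code for the demo secret:", totp(DEMO_SECRET_B32, time.time()))
```

Delivering the code by SMS, the variant Tim Platt describes, does not change this logic; it changes who can intercept the code. Whichever channel is used, store the accepted counter per account and rate-limit attempts, because a six-digit code with no lockout is a small search space.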
8. Be proactive
Adnan Raja, Atlantic.Net
There are many steps that organizations can take to protect themselves from various cybersecurity attacks. On many occasions, these attacks succeed because employees haven’t been properly trained to recognize (and avoid) suspicious links or email attachments. Proper email security training, as well as establishing better rules for email attachments and assigning users that are allowed to run executable files and install software can go a long way toward bolstering your defenses against a cyber attack.
Multi-factor authentication helps ensure that only your authorized employees can access your network. Two-factor authentication should be applied not only to your VPN, but also to your organization’s LinkedIn and Google accounts and other online accounts.
Better password management (including using password management tools such as KeePass) will also prove helpful in locking down your infrastructure.
Autonomous offsite backup is a must, and network monitoring solutions to throw up an alarm if thousands of files suddenly start modifying themselves in the middle of the night can alert you soon enough to head off the worst of the damages if a cyber attack hits you.
Constant vigilance and thoughtful, prudent, proactive security measures will keep your organization safe from cyber attacks. Organizations owe it to themselves, their employees, and their customers to keep their fingers on the pulse of cybersecurity and look for new exploits and threats to be aware of.
Adnan Raja, Vice President, Marketing at Atlantic.Net
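The alarm Adnan Raja describes, "thousands of files suddenly start modifying themselves in the middle of the night", is a rate detection over file-server audit events. The following added example is not Atlantic.Net's monitoring product; it runs a sliding-window count per host and user over a constructed audit log whose line format is invented for the illustration, and flags bursts that happen off-hours or rename files to an unexpected extension, the way encrypting ransomware does.

```python
"""Detect a burst of file modifications from one host/user (ransomware pattern).

Added example, not Atlantic.Net's monitoring product. The audit-line format
below is invented for the illustration; map your file server's audit log
onto the same fields.
"""
from collections import defaultdict, deque
from datetime import datetime

EXPECTED_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".pptx", ".csv"}


def parse_line(line):
    """Parse '2017-10-04T02:00:03 host=ws17 user=bob op=write path=/share/hr/a.docx'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split(" "))
    return datetime.fromisoformat(ts), fields


def detect_mass_modification(log_text, threshold=50, window_seconds=300,
                             business_hours=(7, 19)):
    """Return one alert per (host, user) whose write count within a sliding
    window reaches `threshold`. Each alert records whether it fired outside
    business hours and how many of the written paths carry an extension
    not normally seen on the share (encryptors rename files as they go)."""
    recent = defaultdict(deque)   # (host, user) -> deque of (timestamp, path)
    alerted, alerts = set(), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, f = parse_line(line)
        if f.get("op") != "write":
            continue
        key = (f["host"], f["user"])
        q = recent[key]
        q.append((ts, f["path"]))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            odd = sum(1 for _, p in q
                      if "." + p.rsplit(".", 1)[-1] not in EXPECTED_EXTENSIONS)
            alerts.append({
                "host": key[0], "user": key[1], "count": len(q),
                "first": q[0][0].isoformat(), "last": ts.isoformat(),
                "off_hours": not (business_hours[0] <= ts.hour < business_hours[1]),
                "unexpected_extensions": odd,
            })
    return alerts


# Constructed audit log: two normal daytime events, then 60 writes in three
# minutes at 02:00 from one workstation, every file renamed to '.locked'.
SAMPLE_LOG = "\n".join(
    ["2017-10-03T14:02:11 host=fs01 user=alice op=write path=/share/finance/q3.xlsx",
     "2017-10-03T14:05:40 host=fs01 user=alice op=read path=/share/finance/notes.docx"]
    + [f"2017-10-04T02:{m:02d}:{s:02d} host=ws17 user=bob op=write "
       f"path=/share/hr/file{m * 60 + s}.docx.locked"
       for m in range(3) for s in range(0, 60, 3)]
)

if __name__ == "__main__":
    for alert in detect_mass_modification(SAMPLE_LOG):
        print("ALERT", alert)
```

Tune `threshold` and `window_seconds` against a week of normal traffic from your backup jobs and build servers, which legitimately touch thousands of files, and exclude those service accounts explicitly rather than raising the threshold for everyone.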
9. Know where your data resides
Vikas Aditya, QuikFynd Inc
My #1 tip for businesses is to be aware of where their data is stored these days, so that they can proactively identify whether any of that data may be at risk of a breach.
These days, data is being stored in multiple cloud locations and applications in addition to storage devices in the business. Companies are adopting cloud storage services such as Google Drive, Dropbox, OneDrive, etc. and online software services for all kinds of business processes. This has led to vast fragmentation of company data, and often managers have no idea where all the data may be.
For example, a confidential financial report for the company may get stored in cloud storage because devices are automatically syncing with the cloud, or a sensitive business conversation may happen in cloud-based messaging services such as Slack. While cloud companies have every good intention to keep their customer data safe, they are also the prime target, because hackers have a better ROI in targeting services where they can potentially get access to data for millions of subscribers.
So, what should a company do?
While they will continue to adopt cloud services and their data will end up in many, many locations, they can use some search and data organization tools that can show them what data exists in these services. Using full-text search capabilities, they can then very quickly find out if any of this information is a potential risk to the company if breached. You can't protect something if you don't even know where it is. And more importantly, you won't even know if it is stolen. So, companies looking to protect their business data need to take steps at least to be aware of where all their information is.
Vikas Aditya is an entrepreneur and an expert in software solutions, cloud services, and business strategy. He founded QuikFynd Inc, a company specializing in machine learning techniques to search and organize our personal data that is fragmented across several locations. Prior to this, he worked for Intel and was responsible for product strategy for small and medium businesses.
10. Do your due diligence
Ken Stasiak, SecureState
The number one cloud security tip for businesses is to understand the type of data that you are putting into the cloud and the mandated security requirements around that data.
Once a business has an idea of the type of data they are looking to store in the cloud, they should have a strong understanding of the level of due diligence that is required when assessing different cloud providers. For example, if you are choosing a cloud service provider to host your Protected Health Information (PHI), you should require an assessment of security standards and HIPAA compliance before moving any data into the cloud.
Some good questions to ask when evaluating whether a cloud service provider is a fit for an organization concerned with securing that data include: Do you perform regular security audits and assessments? How do you protect against malicious activity? Do you conduct background checks on all employees? What types of systems do you have in place for employee monitoring, access determination, and audit trails?
Ken Stasiak is the CEO of SecureState. He has consulted with hundreds of companies on business risk management and cybersecurity. Ken holds various certifications including CISSP, CISA, CGEIT, and CISM, and has been featured on Bloomberg Businessweek, CNN, SIRIUS XM Satellite Radio, PBS, and Fox News for his expertise on information security.
11. Set up access controls and security permissions
Michael R. Durante, Tie National, LLC
While the cloud is a growing force in computing for its flexibility for scaling to meet the needs of a business and to increase collaboration across locations, it also raises security concerns with its potential for exposing vulnerabilities relatively out of your control. For example, BYOD can be a challenge to secure if users are not regularly applying security patches and updates.
The number one tip I would offer, however, is to make the best use of available access controls. Businesses need to utilize access controls to limit security permissions to allow only the actions related to the employees’ job functions. By limiting access, businesses assure critical files are available only to the staff needing them, thus reducing the chances of their exposure to the wrong parties. This control also makes it easier to revoke access rights immediately upon termination of employment, safeguarding any sensitive content no matter where the employee attempts to access it from remotely.
Michael is the President of Tie National, LLC. He successfully built an IT operations team which supports 7,000+ client locations nationwide and an extensive subcontractor base of 5,000+ partners. With his promotion to President in 2017, Michael refreshed Tie National’s commitment to quality, attentiveness, and growth; the values that have branded Tie National as a respected technology integrator.
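The two properties Michael Durante asks for, permissions scoped to a job function and revocation that takes effect immediately wherever the person connects from, fall out of a deny-by-default role check. The added example below is not Tie National's system; its roles, resources and users are invented for the illustration, and a real deployment would read them from the identity provider and the application's authorization policy.

```python
"""Deny-by-default, role-scoped permission checks with immediate revocation.

Added example, not Tie National's system. Roles, resources and users are
invented for the illustration.
"""

# Permissions are granted to roles that mirror job functions, never to
# individuals, so a change of role is one edit and nothing is left behind.
ROLE_PERMISSIONS = {
    "accountant": {("finance/reports", "read"), ("finance/reports", "write")},
    "sales":      {("crm/leads", "read"), ("crm/leads", "write"),
                   ("finance/reports", "read")},
    "helpdesk":   {("hr/directory", "read")},
}


class AccessPolicy:
    def __init__(self, role_permissions=ROLE_PERMISSIONS):
        self.role_permissions = role_permissions
        self.users = {}   # name -> {"roles": set, "disabled": bool}

    def add_user(self, name, roles):
        self.users[name] = {"roles": set(roles), "disabled": False}

    def terminate(self, name):
        """Disable rather than delete: the identity stays in the audit trail,
        and every later check fails no matter which roles remain assigned or
        where the request comes from."""
        self.users[name]["disabled"] = True

    def granting_role(self, name, resource, action):
        """Return the role that permits (resource, action), or None.
        Anything not explicitly granted is denied."""
        user = self.users.get(name)
        if user is None or user["disabled"]:
            return None
        for role in sorted(user["roles"]):
            if (resource, action) in self.role_permissions.get(role, ()):
                return role
        return None

    def is_allowed(self, name, resource, action):
        return self.granting_role(name, resource, action) is not None


if __name__ == "__main__":
    policy = AccessPolicy()
    policy.add_user("alice", ["accountant"])
    policy.add_user("bob", ["sales"])
    print(policy.is_allowed("bob", "finance/reports", "write"))   # False: sales only reads reports
    policy.terminate("alice")
    print(policy.is_allowed("alice", "finance/reports", "read"))  # False: disabled, roles ignored
```

Keeping the check in one place that every entry point calls, rather than per-screen `if` statements, is what makes "revoke immediately" true: the disabled flag is consulted on the next request, not at the next login.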
12. Understand the pedigree and processes of the supplier/vendor
Paul Evans, Redstor
The use of cloud technologies has afforded businesses of all sizes the opportunity to drive performance improvements and gain efficiency with more remote working, higher availability and generally more flexibility.
However, with an increasing number of disparate systems deployed and so many cloud suppliers and software to choose from, retaining control over data security can become challenging. When looking to deploy a cloud service, it is important to thoroughly understand the pedigree and processes of the supplier/vendor who will provide the service. Industry standard certifications are a great place to start. Suppliers who have an ISO 27001 certification have proven that they have met international information security management standards and should be held in higher regard than those without.
Gaining a full understanding of where your data will be stored geographically, who will have access to it, and whether it will be encrypted is key to being able to protect it. It is also important to know what the supplier’s processes are in the event of a data breach or loss, or if there is downtime. Acceptable downtime should be set out in contracted Service Level Agreements (SLAs), which should be financially backed for them to provide reassurance.
Paul Evans is the CEO of Redstor. Redstor is a fast-growing international data management software as a service (SaaS) business focused on securely managing and protecting customer data throughout its lifecycle. Since 1998, we have been a trusted adviser to organizations across the accounting and finance sectors, specializing in backup, disaster recovery, and compliance solutions.
13. Use strong passwords and multi-factor authentication
Fred Reck, InnoTek Computer Consulting
As President of InnoTek Computer Consulting, an IT Security and Cloud Computing company in Pennsylvania, my number one cloud security tip for businesses would be the following:
Ensure that you require strong passwords for all cloud users, and preferably use multi-factor authentication.
According to the 2017 Verizon Data Breach Investigations Report, 81% of all hacking-related breaches leveraged either stolen and/or weak passwords. One of the biggest benefits of the Cloud is the ability to access company data from anywhere in the world on any device. On the flip side, from a security standpoint, anyone (aka “bad guys”) with a username and password can potentially access the business’s data. Forcing users to create strong passwords makes it vastly more difficult for hackers to use a “brute force” attack (guessing the password by trying many character combinations).
In addition to strong passwords, many cloud services today can utilize an employee’s cell phone as the secondary, physical security authentication piece in a multi-factor strategy, making this easy and affordable for an organization to implement. Users would not only need to know the password but would need physical access to their cell phone to access their account.
Lastly, consider implementing a feature that would lock a user’s account after a predetermined amount of unsuccessful logins.
Fred Reck is an Amazon #1 Best Selling Author, technology-industry speaker, and leading consultant based in Central Pennsylvania. Pulling from his beginnings with IBM in their systems integration and training division, Fred has advised over 1100 companies on technology issues through his business InnoTek Computer Consulting.
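Fred Reck's three controls, strong passwords, a second factor, and lockout after repeated failures, are easy to state and easy to get subtly wrong. The added example below is not InnoTek's tooling: it implements the password gate (length, a breach-list check, no username inside the password) and a failed-login throttle whose clock is passed in so it can be tested without sleeping. The breached-password sample and the policy numbers are assumptions made for the illustration; in production, check candidates against a full breach corpus rather than a short list.

```python
"""Password acceptance gate and failed-login lockout.

Added example, not InnoTek's tooling. The breached-password sample and the
policy numbers are assumptions for the illustration.
"""
from collections import defaultdict

# Constructed stand-in for a breached-password corpus (lower-cased).
BREACHED = {"password", "123456", "qwerty", "letmein", "welcome1", "summer2017!"}


def password_problems(candidate, username="", min_length=12):
    """Return reasons to reject `candidate`; an empty list means acceptable.
    Length and a breach check matter more than forced character classes,
    which mostly produce predictable substitutions."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if candidate.lower() in BREACHED:
        problems.append("appears in a breached-password list")
    if username and username.lower() in candidate.lower():
        problems.append("contains the username")
    if len(set(candidate)) <= 3:
        problems.append("uses fewer than 4 distinct characters")
    return problems


class LoginThrottle:
    """Lock an account after `max_failures` within `window` seconds, for
    `lockout` seconds. Times are unix seconds supplied by the caller."""

    def __init__(self, max_failures=5, window=600, lockout=900):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(list)   # user -> timestamps of recent failures
        self.locked_until = {}              # user -> unix time the lock expires

    def is_locked(self, user, now):
        return self.locked_until.get(user, 0) > now

    def record_failure(self, user, now):
        """Register a failed login; return True if this one triggered a lock."""
        recent = [t for t in self.failures[user] if now - t <= self.window]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[user] = now + self.lockout
            self.failures[user] = []
            return True
        return False

    def record_success(self, user):
        self.failures.pop(user, None)


if __name__ == "__main__":
    print(password_problems("Summer2017!", username="fred"))
    throttle = LoginThrottle()
    now = 1_500_000_000
    for i in range(5):
        print("locked after attempt", i + 1, ":", throttle.record_failure("fred", now + i))
```

Two caveats a deployment needs: a per-account lockout hands an attacker a denial-of-service lever (five bad guesses against a known username locks the victim out), so pair it with per-source rate limiting and a short lockout rather than a permanent one; and the lockout protects the login form only, so the second factor is still what stops an attacker who already has the password from a breach dump.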
14. Enable IP-location lockdown
Chris Byrne, SensorPro
My No1 cloud security tip for businesses, in terms of access to the cloud applications they use, is to enable two-factor authentication and IP-location lockdown.
With 2FA, you add another challenge to the usual email/password combination by text message. With IP lockdown you can ring-fence access from your office IP or the IP of remote workers. If the platform does not support this, consider asking your provider to enable it.
In terms of actual cloud platform provision, my No1 tip is to provide a data at rest encryption option. At some point, this will become as ubiquitous as https (SSL/TLS). Should the unthinkable happen and data ends up in the wrong hands, i.e. a device gets stolen or forgotten on a train, then data at rest encryption is the last line of defense to prevent anyone from accessing your data without the right encryption keys. Even if they manage to steal it, they can’t use it... This, for example, would have ameliorated the recent Equifax breach somewhat. We wrote about that on our blog.
Chris Byrne is co-founder and CEO of Sensorpro.
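The IP lockdown Chris Byrne recommends is a source-address allowlist evaluated on every request. The added example below is not SensorPro's implementation; the networks are the RFC 5737 and RFC 3849 documentation ranges standing in for an office egress address, a remote worker's fixed address and an office IPv6 prefix, and the one design point it makes is which address to check.

```python
"""Source-address allowlist ('IP-location lockdown') for a cloud application.

Added example, not SensorPro's implementation. The networks are the RFC 5737
and RFC 3849 documentation ranges, used here as placeholders.
"""
import ipaddress

OFFICE_NETWORKS = [ipaddress.ip_network(n) for n in (
    "203.0.113.0/24",      # office egress
    "198.51.100.7/32",     # remote worker with a fixed address
    "2001:db8:abcd::/48",  # office IPv6 prefix
)]


def source_allowed(peer_address, allowlist=OFFICE_NETWORKS):
    """Decide from the TCP peer address. Do not substitute an X-Forwarded-For
    value unless the only party able to set that header is your own proxy;
    otherwise the client chooses its own 'source'."""
    try:
        addr = ipaddress.ip_address(peer_address)
    except ValueError:
        return False   # unparseable input is denied, never treated as allowed
    # A dual-stack listener reports IPv4 clients as ::ffff:a.b.c.d; map those
    # back so an IPv4 allowlist entry still matches.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # ip_network membership is False across address families, so no TypeError here.
    return any(addr in net for net in allowlist)


if __name__ == "__main__":
    for ip in ("203.0.113.45", "::ffff:203.0.113.45", "198.51.100.8", "2001:db8:abcd:1::5"):
        print(ip, "allowed" if source_allowed(ip) else "denied")
```

This gate is an addition to 2FA, not a replacement: it assumes the office egress address is stable and it breaks for staff on mobile networks, so keep a tested break-glass path that still sits behind the second factor.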
15. Configure Cloud Environment Correctly
Anthony Dezilva, PhoenixNAP
When we think of cloud, we think of two things: cost savings due to efficiencies gained by using a shared infrastructure, and security issues. Although there are many published breaches that are attributed to cloud-based environment misconfiguration, I would be surprised if this number was more than the reported breaches of non-cloud-based environments.
Cloud providers have a vested interest in creating a secure multi-tenant environment. Their aggregate spending on creating these environments is far greater than most companies’ IT budgets, let alone their security budgets. Therefore I would argue that a cloud environment configured correctly provides a far greater level of security than anything a small to medium-sized business can create on-prem.
Furthermore, in an environment where security talent is in grave shortage, there is no way an organization can find, let alone afford, the security talent they need. The result is the next best thing: create a business associate relationship with a cloud provider that not only has a verifiable secure infrastructure, but also monitoring and incident response services.
Cloud Security: Need to know
- Architect solution as you would any on-prem design process;
- Take advantage of application services layering and micro-segmentation;
- Use transaction processing layers with strict ACLs that control inter-process communication. Use PKI infrastructure to authenticate, and encrypt inter-process communication.
- Utilize advanced firewall technology including WAF (Web Access Firewalls) to front-end web-based applications, to minimize the impact of vulnerabilities in underlying software;
- Leverage encryption right down to record level;
- Accept that it's only a matter of time before someone breaches your defenses, plan for it. Architect all systems to minimize the impact should it happen.
- A flat network is never okay!
- Strong change control process, with weekly patch management cycle;
- Maintain offline copies of your data, to mitigate risk of cloud service collapse, or malicious attack that wipes your cloud environment;
- Contract with 24x7 security monitoring services that have an incident response component.
Anthony Dezilva is an Information Security/Assurance Leader (CISO), Global Management Executive, and Educator. As a Development Manager of Security Services at phoenixNAP, he is helping take cloud security to the next level.
Interested in learning more about cloud security? Join our webinar with VMware and Intel to find out how you can make your company battle-ready!