According to the 2016 State of the Cloud Survey, 95% of respondents are using the cloud. Despite its rapid growth, the nature of cloud computing introduces the possibility of serious cloud security breaches that can drastically affect an organization. Data security is one of the leading concerns for IT professionals.
How can IT managers protect themselves (and their organizations) while still enabling innovation, data access and flexibility? And, if you are interested in other types of security threats to organizations, check out our guide.
Let’s take a look at 7 tips that IT managers can focus on to prevent cloud security threats within their organizations.
1. Educate your employees.
For most organizations, there is an easy explanation for the security threats: uneducated employees. By teaching your employees proper defense practices, you can minimize risk and prevent cloud security threats:
- Involve the entire company. When employees are actively involved in protecting company assets, they’re more likely to take ownership of their obligations regarding security measures. Involve the entire workforce in security training and brief them on best practices moving forward.
- Set up a plan. Set up a response protocol in case employees feel they have been compromised. Create a document that offers users steps to take in several scenarios so they will always be prepared.
- Run unannounced security tests. Educating your employees is important, but not if none of the information is retained. Invest in tools that allow you to send simulated phishing emails to see if workers take the appropriate action given the scenario.
2. Secure a data backup plan.
As the cloud continues to mature, the possibility of permanent data loss is high. Make sure that whatever happens, you have a secure backup of that data (this is more about securing your business than your actual data, but provides the same peace of mind).
“Develop a security platform that allows the business to implement consistent data protection policies across multiple cloud services,” notes Gerry Grealish, CMO at cloud security company Perspecsys, “preferably one that does not involve complex key management or policy administration.”
IT managers should distribute data and applications across multiple zones for added protection, as well as adhere to best practices in daily data backup, offsite storage and disaster recovery.
3. Who has access to the data?
Sure, the location of your stored data is important — but nowhere near as important as who has access to it.
IT managers: who is doing what, who has access, and what are they trying to access? Establish access controls to manage risk. Tie user identities to back-end directories, even for external identities.
Be proactive and put security measures in place to make sure that your data is protected, and take things a step further: a smartphone access control system allows you to easily manage users and assign door access from virtually anywhere.
Rather than relying on too many separate passwords, implement single sign-on (SSO) authentication.
4. Encryption is key.
Cloud encryption is critical for protection. It transforms data and text using encryption algorithms before they are placed on a storage cloud.
Ask your provider how data is managed. To ensure the protection of your data before it leaves your business, you can encrypt at the network’s edge, ensuring the movement of data in the cloud is protected. Once the data is encrypted, keep the keys that both encrypt and decipher your information. Having both of these means that even if the information is stored at a third party provider, all information requests will need to involve the owner.
Do not store encryption keys in the software where you store your data. IT teams need to keep physical ownership of encryption keys as well as vet the strength of the encryption techniques being used.
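The arrangement described above, shown as an added Python example (not from the original article): data is encrypted with AES-256-GCM before upload, and the key stays in a store the owner controls. `OwnerKeyStore`, the key id and the sample record are hypothetical, and the third-party `cryptography` package is assumed to be installed.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

class OwnerKeyStore:
    """Hypothetical stand-in for a key store the data owner controls (HSM, on-prem KMS)."""

    def __init__(self):
        self._keys = {}

    def create_key(self, key_id):
        self._keys[key_id] = AESGCM.generate_key(bit_length=256)

    def cipher(self, key_id):
        return AESGCM(self._keys[key_id])

def encrypt_for_upload(keys, key_id, object_name, plaintext):
    """Encrypt before the data leaves the business; only this blob is uploaded."""
    nonce = os.urandom(12)  # 96-bit nonce, fresh for every encryption
    # The object name is authenticated so a blob cannot be swapped under another name.
    ciphertext = keys.cipher(key_id).encrypt(nonce, plaintext, object_name.encode())
    return {"key_id": key_id, "nonce": nonce, "ciphertext": ciphertext}

def decrypt_after_download(keys, object_name, blob):
    """Return the plaintext, or None if the key is unavailable or the blob was altered."""
    try:
        return keys.cipher(blob["key_id"]).decrypt(
            blob["nonce"], blob["ciphertext"], object_name.encode())
    except (KeyError, InvalidTag):
        return None

def demo():
    owner = OwnerKeyStore()
    owner.create_key("finance-key")               # constructed key id
    record = b"employee,salary\nalice,100000\n"   # constructed sample data
    blob = encrypt_for_upload(owner, "finance-key", "payroll.csv", record)
    provider = OwnerKeyStore()                    # the storage provider holds no keys
    return {
        "owner_reads": decrypt_after_download(owner, "payroll.csv", blob) == record,
        "provider_reads": decrypt_after_download(provider, "payroll.csv", blob) is not None,
        "plaintext_in_cloud": record in blob["ciphertext"],
        "renamed_blob_accepted": decrypt_after_download(owner, "other.csv", blob) is not None,
    }
```

Only the `blob` dictionary would be handed to the provider; the key never leaves `OwnerKeyStore`, so any request for readable data has to go through the owner.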
5. Take passwords seriously.
Since files are zipped and encrypted with passwords, it’s important to choose one wisely. Most passwords — 90%, to be exact — can be cracked within seconds.
“Passwords containing at least eight characters, one number, mixed-case letters and non-alphanumeric symbols were once believed to be robust,” noted Duncan Stewart, director of technology for Deloitte Canada, recently. “But these can be easily cracked with the emergence of advanced hardware and software.”
Although the limitations of our ability to remember complex credentials means there is a tendency for password reuse, don’t fall into that risk category. Come up with distinct, original passwords to deter hackers.
As for the future? Here’s the good news: SMS passwords, fingerprint requirements and smartphone access control systems will soon be the norm for passwords.
6. Test, test, test.
When putting measures in place to protect your cloud, think like a criminal. One of the best ways to do this is penetration testing: an IT security practice designed to identify and address vulnerabilities as well as minimize cloud security threats.
A few things to keep in mind:
- A penetration test looks like a real attack, so be sure to inform your cloud provider before beginning.
- Evaluate what your weaknesses are and create an inventory of what to test, such as servers and applications.
As you continue to build your cloud penetration testing plan, remember that internal threats are as likely as external threats.
7. Establish thorough cloud governance policies.
Certifying a cloud application is only the beginning. Make sure you have the right cloud application governance process in place to ensure compliance with internal and external data privacy mandates. Train your information workers and enforce usage policies, conduct periodic health checks and risk assessments, and stay alert to the ever-changing security landscape.
Data should be classified based on sensitivity and the correct data security techniques need to be applied to each class of data.
Once you better understand what’s at stake and how to prevent cloud security threats, you can make more informed, proactive decisions about IT infrastructures. By taking a proactive approach towards cloud security, we can refine our individual security to manage risks more effectively.