Published on Mar 11, 2020 By: Bryan Campbell, Chief Operations Officer
Moving data services to the cloud is a smart decision for many firms and organizations. It takes away most of the burden of IT management and puts full-time experts in charge of managing systems, upgrading software, and protecting security.
Any transition requires careful planning to minimize risks, though, and when properly handled, the adoption of cloud services can improve overall security. At the same time, it introduces new kinds of risks. Organizations need to take the right steps to prevent cloud security problems. These six steps are essential for protecting sensitive client data.
Not all cloud providers are equal. It is imperative to choose one with a solid reputation and strong security practices. It should use trustworthy software and keep it up to date. Its physical facilities should be well protected, with safeguards against intruders and casual visitors. The service level agreement should guarantee a satisfactory degree of protection, with recourse if the provider doesn’t meet its commitments. These aren’t the only characteristics of a reliable cloud provider, but these are minimum factors to evaluate. For example, with a secure supply chain solution, your cloud container travels with additional threat protection through any infrastructure throughout the application lifecycle. Having a single interface and managing content (with the help of an open-source container-orchestration system like Kubernetes) centrally allows you to have a seamless workflow that streamlines governance and ensures compliance across the organization.
Accounts with extensive privileges are risky and should be kept to a minimum. Someone who gains unauthorized access to one can perform administrative functions and read or alter your data. User permissions and privileges should be provided under the principle of least privilege – each user account should have only the privileges it needs.
Cloud applications usually support user role management. Employees who only need to view data should have a read-only role. No more than one or two employees should get administrative accounts. Accounts that become obsolete, when an employee leaves or moves to a different position, should be promptly backed up and purged.
Most security incidents arise not from defective software but from carelessness. Employees might download data onto unprotected personal devices. Losing a phone that holds a lot of privileged data can lead to a data breach. Even sharing data with other employees needs to have its limits.
Establishing and communicating acceptable use policies can help employees understand which ways of using data are proper and which ones they ought to avoid.
People have trouble devising strong passwords and protecting them. And a data thief only needs to access an important account once to cause a lot of damage. To be safe, a password shouldn’t be enough by itself to gain access. Two-factor authentication uses a cell phone message, an application, or a hardware device for an extra layer of protection. This is especially important for administrative accounts and others with broad privileges.
The best cloud providers encrypt their storage using methods that are hard to break. They use encrypted TLS connections to safeguard data in transit. However, that doesn’t protect data against anyone who comes in through a compromised user account.
Encrypting data before uploading and decrypting it locally provides additional protection. No one can force the cloud provider to decrypt data if it doesn’t have the key. Anyone who breaks into an account but doesn’t have the encryption information can’t do anything with the stolen files.
However reliable a cloud provider’s security is, it depends on its users’ practices. Employees of any organization with sensitive data should be required to complete security awareness training so they’re alert about phishing emails and other attempts to trick them into providing access and disclosing data. They should be aware of security policies and abide by them. Security awareness is for everyone working for the organization, from part-time clerks to full-time C-Suite Executives.
