More and more small and medium-sized businesses are moving their critical IT infrastructure and data to the cloud. The flexibility, reliability, and cost of cloud computing are driving factors in this shift. But, like every technology, there are risks and rewards.
The very nature of the cloud makes it susceptible to cybercrimes like data breaches. The rise in attacks and actual breaches on big companies like Target, Google, and Facebook underscores the importance of cloud security and the need for a data loss prevention strategy.
Form a Strategy
As data moves to the cloud, it is critical to make sure that the data is not compromised in transit and is secured once it is there. Cloud systems are a highly profitable target due to the content, like personally identifiable information, intellectual property, or trade secrets. Unethical hackers trade this data as a form of currency.
Take the time to understand how the chosen cloud platform works for your business and how it fits your existing security posture. Make sure that your IT provider or staff understand the controls at their disposal. At a minimum, there should be settings configured to alert the team and scan for suspicious activity, as well as procedures to immediately plug any potential vulnerabilities or leaks. With how quickly cloud migrations are taking place, we see a lack of preparedness from a security perspective. Organizations plan the movement to a cloud infrastructure, but the IT team scrambles after the move. They realize that they do not have as much control over their data as they did while it was on premises. Because of this, the IT team implements a stop-gap measure, which creates a security risk.
When developing the strategy to protect your cloud infrastructure, focus on your existing controls and policies. The cloud environment should mimic these policies. In some cases, the cloud provider could provide even more systems to secure the data, so make sure those are investigated and taken into consideration.
Up in the Clouds
The responsibility for keeping your business data secure in the cloud is on your security team, but it should be a concerted effort with your CSP (Cloud Security Provider).
Here are some security considerations when migrating to a cloud environment:
- Perform your due diligence when picking a cloud provider. Make sure the provider you choose has appropriate controls and systems in place to enforce your existing policies.
- Be sure there is strong encryption available at the file level for securing your company data. Ensure you can encrypt the data as it enters the cloud and, if needed, as it leaves.
- Be sure that your cloud provider offers multifactor authentication methods and ways to audit and alert on logins.
- Make sure you are monitoring your perimeter systems. Ideally, a SOC (Security Operations Center) is in place or provided as a service for incident response.
- Have your security team use tools to identify any gaps between your security systems and your CSP’s security systems. Hackers can attack providers, and several of them have been attacked (AWS, iCloud, Dropbox, and Google Drive). Know that since hackers may exploit the host systems used by your CSP, they may also exploit the data or applications running on those systems.
- Be sure you continue to have a proper change management process and adopt a guided framework for promoting best practices.