How safe is the cloud? And how to make it safer

null

Cloud computing is convenient and increasingly popular, but does require some thoughtful planning if it is to be used securely.

Thanks — in part — to better connectivity, businesses can now access the software, services and computing power they need over the web, reducing the time and cost associated with installing and managing those resources locally. This is known as cloud computing.

A fifth (21 per cent) of the companies we surveyed plan to invest further in public cloud services, which use infrastructure provided by a supplier such as Google, Microsoft or Amazon. Slightly more (23 per cent), however, intend to go for private cloud services, creating enterprise clouds relying entirely on their own facilities and IT infrastructure.

To ensure business continuity, company networks must be able to deliver the additional bandwidth and high levels of availability required by cloud computing. Security is also an area of concern; a recent study revealed 91 per cent of cyber security professionals still have concerns, primarily around the potential for unauthorised access from the misuse of employee credentials.

Public versus Private Cloud

Using a public cloud tends to be the less expensive option, since it only involves paying for a single service ‘package’, unlike a private cloud which requires the setup and management of a server and all its resources.

In exchange for the convenience and lower cost of a public cloud solution comes a decreased amount of control. In a public cloud, all of your data is stored within the provider’s network, and you do not know where it is kept (unless they allow you to specify which country your data should be stored in). With a private cloud, you control everything, deciding where data goes and how it will be kept secure.

A private cloud is not open to the world via the Internet as data is stored within the local network of the organisation. Although it’s rare for attacks to occur in a public cloud, just one breach on the provider is all that’s required to expose your confidential data.

Types of cyber security required for cloud computing

Handing over data security to a third party may not always be appropriate, despite the huge levels of resources that can be deployed by large public cloud service providers.

Collocating one’s own IT equipment in a shared data centre specifically designed for that purpose may get around this issue. It allows businesses to control security, replication and backup end-to-end, in effect creating a private cloud.

Fundamentally, the amount of computing power and information you trust to the cloud comes down to how sensitive and important that information is. Once that decision is made, consider the following techniques, which cyber security experts deem to be most effective for staying safe in the cloud:

1.         Know your people and ensure they know how to work safely

People are usually the weakest link in the cyber security chain. Vet them before they are employed and train them to avoid the main cyber security risks they might be exposed to.

The level of access, authentication, vetting and training required depends on the how sensitive the data and how vital the systems which need protecting. Good operational security should not require complex, bureaucratic, time consuming or expensive processes.

Ensure you are part of a secure supply chain. Criminals study companies and the networks they interact in to find a weak link in the supply chain. Expand your risk consideration beyond the boundaries of your own organisation, ensure suppliers adhere to the same security principles you do and take steps to mitigate the risk if they do not.

Finally, security policies should require strong passwords as standard. Traditionally, the strongest passwords have included letters, numbers and symbols, but there is a move now to encourage employees to create passwords based on three random words. We recommend following the guidance provided by the Government’s Cyber Aware campaign.

2.         Use technology to enforce security across cloud environments

Strong passwords should be used as part of multifactor authentication, which maximises system resilience by granting access to users only after presenting several pieces of information. This might include a strong password, approved device and a physical token. Some organisations will require the user to be physically located in one of its offices or another approved location to access their systems.

Data in the cloud should be encrypted where it is stored and whilst it is in motion. Use HTTPS with strong encryption when accessing cloud data and invest in Virtual Private Networks that use dedicated connections and specialist protocols to secure data between sites. Intrusion detection and prevention tools should be used to monitor systems for suspicious activity.

Make use of cloud access security brokers, ‘gatekeeper’ software that sits between a business and its cloud provider to ensure network traffic between the parties complies with its security policies. This type of software allows businesses to enforce different kinds of access control such as encryption, two-factor authentication and device profiling.

More than half of large organisations using cloud services also use Active Directory services located on their premises or in rented rack space in data centres to identify, authenticate and authorise access to cloud applications. This provides a greater control over the cloud environment but still relies on businesses keeping their security controls fully up to date when someone leaves the organisation.

3.         Secure your devices and locations

Don’t forget to secure physical access to your devices. Secure your premises so people can’t simply walk in and take your devices away and put in place strong policies and protections to ensure the cyber security of devices used to access cloud services.

Make sure all of your devices are password protected and that — wherever possible — they can be tracked remotely. Ensure that anti-virus software and security patches are up to date and that your employees aren’t able to override the security settings.

Sonia Blizzard, managing director, Beaming
Image source: Shutterstock/faithie