It hasn’t taken long for cloud technology to entrench itself as a fundamental pillar of global business. In as little as five years, cloud has evolved to be a necessity for growth in the digital age. Whether it’s the ability to reinvent IT functions, fuel new services, provide greater network flexibility or drive innovation, it is clear that this technology is supporting the next generation of business services.
While cloud undoubtedly brings some crucial benefits, it also opens the way to a new wave of risk in the form of cybersecurity threats, which can have a detrimental impact on a business. For example, a recent report from the Ponemon Institute revealed that the average total cost of a breach ranges from $2.2 million for incidents with fewer than 10,000 compromised records to $6.9 million for incidents with more than 50,000 compromised records. The financial impact is clearly a big concern for business, but it is only one of the risk factors to consider. Companies can face irreparable damage to their reputation and erosion in customer trust.
Alongside the increasing number of breaches, the industry is also seeing a raft of new regulation such as GDPR and the CLOUD Act, implemented to protect businesses and consumers. As such, having the right security posture in place has never been more important.
But, where do you start? What should you be considering to ensure you have the cybersecurity in place for your data stored in the cloud?
At AWS, we believe that security should be baked into the very fabric of any cloud offering, regardless of business size. As we get started, here are some key considerations that we work through with our customers during deployment:
- Data classification – create clear rules and policies for data
Firstly, you must classify your data assets based on the privacy and security policy of your business, compliance regulations in your country and other regulations and laws, like GDPR. An effective data classification process is important because it can help determine the level of controls needed in your network and maintain the confidentiality and integrity of your data.
By following this classification and feeding it into the design of your ISMS (Information Security Management System), you can ensure you have the security technology to meet your compliance controls, including capabilities such as end-to-end encryption, and to defend against impending threats.
- Use a least privilege model
Understanding and restricting who has access to your data is vital to mitigate risk and minimise the impact of human error. By introducing a privilege model and being strict with the access rights and ‘privileges’ over your assets, you can retain control over your network and protect your business against increasingly prevalent threats. In order to do so, simply enforce a policy that always grants the absolute minimum access, depending on the privilege level the user requires. Follow the cloud vendor's Identity and Access Management (IAM) best practices, and be sure to demand capabilities that offer the flexibility and the stringent security policies that meet your needs.
- Use available tools to monitor and track access and usage
Use the cloud vendor’s tools to log and continuously monitor access, and to understand the activity and usage of your platform. Make sure you have tools to monitor historical logins and also save these records for auditing purposes. In doing so, you can identify insider threats and changes in behaviour before a serious breach occurs.
There are plenty of tools to help you define and track metrics, and they should also be able to alert you when someone accesses or changes the data assets stored in the cloud. If you have a tool to discover sensitive data in your data assets, use it!
- Apply rules for protecting your content
Work with your cloud provider and your teams on measures such as versioning and encryption to protect your content. For example, Amazon S3 default encryption provides a way to set the default encryption behaviour for your S3 bucket. Importantly, when you use server-side encryption, Amazon S3 encrypts an object before saving it to disk in its data centres and decrypts it when you download the objects, protecting your assets both on-premises and in transit. By instilling these rules and working with your cloud provider to deploy the necessary encryption, regardless of the movement of data, you can protect your content against the most sophisticated of threats.
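A check for the two protections named above, default encryption and versioning, as an added example that is not part of the original article: the function takes dictionaries shaped like the responses of the S3 `GetBucketEncryption` and `GetBucketVersioning` APIs and lists what is missing. The function name, the sample responses and the key ARN are constructed for illustration, so the block runs offline.

```python
KNOWN_ALGORITHMS = {"AES256", "aws:kms", "aws:kms:dsse"}


def audit_bucket_protection(encryption, versioning):
    """Return a list of findings for one bucket.

    encryption: dict shaped like a GetBucketEncryption response, or None when
                the bucket has no default-encryption configuration.
    versioning: dict shaped like a GetBucketVersioning response.
    """
    findings = []
    config = (encryption or {}).get("ServerSideEncryptionConfiguration", {})
    defaults = [rule.get("ApplyServerSideEncryptionByDefault", {})
                for rule in config.get("Rules", [])]
    if not defaults:
        findings.append("no default encryption rule")
    for default in defaults:
        algorithm = default.get("SSEAlgorithm")
        if algorithm not in KNOWN_ALGORITHMS:
            findings.append(f"unrecognised SSEAlgorithm: {algorithm!r}")
        elif algorithm.startswith("aws:kms") and not default.get("KMSMasterKeyID"):
            findings.append("KMS encryption without a named key (AWS managed key is used)")
    # A bucket that never had versioning enabled returns no Status field at all.
    status = versioning.get("Status")
    if status != "Enabled":
        findings.append(f"versioning is {status or 'not configured'}")
    return findings


# Constructed sample responses; the account id and key id are placeholders.
PROTECTED_ENCRYPTION = {
    "ServerSideEncryptionConfiguration": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID",
        },
        "BucketKeyEnabled": True,
    }]}
}

if __name__ == "__main__":
    print(audit_bucket_protection(None, {}))
    print(audit_bucket_protection(PROTECTED_ENCRYPTION, {"Status": "Enabled"}))
```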
Securing your data in the cloud
There is no denying that cloud enablement across all businesses is the future, as it will create opportunities for innovation across the globe. However, protecting data stored in the cloud takes careful consideration, collaboration with the right partners and investment in the solutions that are the best fit for your business. Fundamentally, you must take into account your business needs, your understanding and classification of the data flowing through your network, and the education of your workforce on the benefits of cloud and the challenges of cloud security.
By having security baked in, following these simple steps and having the right cloud partner that can scale as you do, you can monitor and mitigate against the most prevalent of threats.
Ian Massingham, Director of Developer Technology & Evangelism, Amazon Web Services