Flexibility, speed, scalability, decreased infrastructure and maintenance costs all contribute to the allure of cloud computing. With increased cloud adoption, organisations are showing caution when it comes to maintaining data security while migrating to the cloud.
From widescale data breaches such as Equifax and the NSA to tools used in ransomware attacks such as Petya, to the suspected N Korean WannaCry attack, 2017 was a watershed year for cyber-crime. These brought a wave of questions about the security of an organisation's data. IT and security departments face tough security challenges due to the wildly interconnected nature of today's business environment.
When it comes to migrating to the cloud, the number one fear for a Chief Information Security Officer (CISO) is losing control of their data. Wholistic cloud security is a baseline requirement for organisations migrating to the cloud. Below are some key ideas and questions to get started on your secure journey to the cloud: Who's responsible for the security of my data?
There's a common misconception that the cloud service provider is responsible for your data's security. However, most providers are only responsible for protecting the infrastructure that runs these services, while the customer is responsible for security inside the cloud. This creates a shared responsibility of both the cloud provider and the customer. As a customer, you need to make sure that your security controls are in place and that your cloud provider offers the levels of security you require. It's up to you to choose the right controls for your organisation.
If you're concerned about the security of your data, then the first question you should ask your cloud service provider is, “Who has access to my data?” The cloud provider must have access to your data but you should ensure that controls are in place to ensure minimum access. Good cloud service providers will have services that offer real-time notifications anytime someone connects to your cloud. Monitoring changes in security will help secure your virtual machine. It only takes seconds to compromise your virtual machine if someone changes its security controls, putting your data at risk.
There is a myriad of security controls that can be customised and implemented in your cloud environment. Regardless of your cloud provider's size, there are questions regarding security that are crucial to your cloud's security:
Where's my data located? Knowing where your data is located is important to maintain compliance with industry and in some jurisdictions, such as the US federal regulations which may mandate cross-border data flows. Furthermore, your data's location may affect data delivery time. If it's stored far away, geographically, then you may experience latency which could affect your bottom line.
Is my data being mined? Many cloud service providers allow you to de-identify and mine your data. Your customers entrust you with their data and want it kept secure from unintended visitors. Ensure that both you and the cloud service provider are transparent about any data mining.
What are the perimeter and physical security of the data center? It's important to have a multi-layer security approach to your data. This includes firewalls, IDSs, IPSs and VPNs. A lot goes into the physical security of a data center from the need for multiple utilities to Kevlar walls.
Are there IP Table Restrictions? These restrictions, that allow or deny content to a specific IP address, can be used to manage the location of access, users or domain names. IP table restrictions help secure your network by denying access to vulnerable IP addresses.
Is my data being replicated? If so, how many places is it being replicated? You should know if and why your data is replicated. There are a number of reasons for it to be copied including security measures to backup storage.
Is this cloud service provider keeping up to date with patches? How often? Your cloud service provider should be responsible for fixing flaws in their infrastructure. You should know if they're up to date on security standards and how often they patch their system. We've witnessed the consequences of unpatched infrastructure this year with the WannaCry ransomware attack which exploited the Microsoft Windows vulnerability known as Eternal Blue.
Does the data centre have security certifications? Many organisations must adhere to all industry regulations and standards. It's important that your security and technical controls are verified through certifications such as ISO 27001, SSAE-18, SOC 2 Type 2, SOC 3 Type 2, and more.
Contributed by Kurt Long ,founder and CEO, FairWarning
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.