By: Paige Goss
Share This Post
How to Mitigate Security Risk in the Cloud
When it comes to mitigating security risks, especially in the cloud, we agree with the old saying: “an ounce of prevention is worth a pound of cure.” We’d just be more likely to phrase it along the lines of: keep your data secure if you want to stay in business! There are a lot of messes nobody wants to clean up – and data breaches are among them.
As more and more service providers are moving to the cloud, and increasing numbers of employees are working remotely, it’s important to understand the risks inherent in cloud-based SaaS. Even if your team is working on virtual machines, accessing the cloud can put your network at risk because it allows traffic to traverse the firewall. And the other side of the firewall is where all the internet bad guys lurk: botnets, malware, spyware, ransomware…
We don’t mean to be doom and gloom here. Think about it like this: in your house you’re safe from the dangers of the outside world. But you’re also missing out on the fun, interesting experiences you’d have outside your four walls. Similarly, technology outside your network can include all kinds of great stuff, you just need to take a few precautions first.
While no system or service is 100% impenetrable or perfect, there are absolutely ways you can mitigate security risk and keep your data secure. The most important factors are your overall data governance program and your employee education and training. Start by getting clear guidelines, policies and procedures in place and then make sure you thoroughly educate your team. After that, throw in the occasional pop quiz in the form of penetration tests and phishing exercises to keep everybody sharp.
Start With Your Data Governance
Data governance is the umbrella term for the overall comprehensive approach to data lifecycle management. In other words, it covers questions like: who has the ability to create data entries? Who has the ability to edit it? Where does your data get stored? When it’s no longer valuable to the business, how does it get destroyed?
These questions are particularly relevant when accessing third-party software services in the cloud. Once you let data past your firewall and out of your direct control, it’s really important to keep an eye on what that means for your business. When accessing cloud services and thinking about security, you really want to be clear on who is responsible for what. Both the end user and the service provider need to ask: what security obligations do I have? Understanding what you are responsible for and who is actively monitoring the solution are just two small steps. A well-defined security program is the only way for your organization to ensure data remains in the right hands.
Focus on Data Masking
Data masking – being able to hide or present data in a way that’s less appetizing for folks with ill intentions – is a key factor in keeping your data secure. Encryption is the name of the game in this arena, particularly when it comes to your company’s data and working in the cloud. To minimize risk, you want to have encryption available for any and all data that exists in the cloud, along with data that’s being transported to multiple applications.
While encrypting data may seem like an obvious suggestion in this day and age, it’s easy to forget that encrypted data is only part of the picture. In order to encrypt data, you have to have a key. So keeping the keys both secure and backed up is just as important. Without the key to unlock the data, it stays encrypted, even to you. Ever been locked out of your car or house? It’s pretty much like that. Only it’s harder to call in roadside assistance or a locksmith for encrypted data if you lose your only set of keys.
Treat your encryption keys as mission critical to your organization. Ensure that you have a good management system in place for wherever you’re storing those keys. This included how they’re being backed up, and who has access to that information. If you’ve only got one set of keys stored on one system, if that system goes down, access to your data goes with it.
Establish Access Controls along with Real-Time Auditing & Reporting
By now, everyone in your organization should be at least passingly familiar with the importance of access controls. It’s the foundation of data security: ensuring that the right people are gaining access to the right data at the right time. We’re talking about having well defined and clearly visible separation of duties and roles around who should be accessing what types of data. Having access controls in place ensures that you’re staying in compliance and that everything is on the up and up. But again, that’s just one part of mitigating security risk.
Once you’ve established your access controls, you also need a level of awareness and systems intelligence to raise alerts for incidents that occur outside of permitted access. If there’s a policy that says Jaroy can view this data but cannot download it, and then, lo and behold, he goes and downloads it, someone should be alerted. The key is fine-tuning your audit systems, so these alerts can’t be easily overlooked.
We’ve seen too many systems, in the name of monitoring access, bombard their security teams with thousands of notifications each day. In reality, they probably only need to be concerned with a hundred of those notifications – the rest are just noise. The consequence of that much noise is a desensitization of your operations center. Fine tuning your notifications and system events will reduce that noise and allow them to be more responsive and attentive.
Regardless of whether or not you’re officially required to meet compliance standards or data governance regulations, building in audit and reporting controls will help to, as they say, CYA. Build auditing and reporting into your security controls. Keep track of who is accessing what, when and where. Because if you get these systems in place, you’re far more likely to prevent a breach, or in the event something does happen, you can track down what went wrong and stop it from happening again.
Educate Everyone About Security Risks
Once you have a security program in place, it’s super important that everyone understands their role in securing data. It’s not just the IT team’s responsibility to secure and manage data. Be certain that your team understands the ramifications of security breaches both at the individual and organizational level.
If you really want to mitigate security risk in the cloud (or anywhere else, for that matter), make sure your employees are well-informed. Your end users should know how to recognize if something has happened and who to alert if it does. A lot of issues escalate quickly because people don’t know who to alert when an incident occurs.
Establish a good training regime based on security best practices to increase awareness for employees and end users. We recommend having a security awareness campaign that reminds employees of key policies and procedures on a semi-annual basis, at the very least. While ongoing training can seem tiresome, it also plays a huge role in keeping data secure. Preventing data breaches starts with vigilance, and continues by keeping everyone’s awareness at peak levels.
Run Regular Penetration Tests
Finally, a key means to mitigate security risk is to identify it before someone else does. A lot of organizations don’t run penetration tests with enough frequency, and this leaves them vulnerable to attack. Doing internal and external penetration tests and vulnerability scans will go a long way toward keeping your systems secure. In addition to external penetration testing, you should also be doing internal vulnerability scans. This involves performing a network sweep or scan to ensure there aren’t any rogue devices on your network. These exercises help you to learn about risks and exposure points that might otherwise go unnoticed.
How often should you perform these sorts of tests? To a certain extent, that’s a business decision – based on the sensitivity of your data. To be honest, we’d recommend bi-monthly to quarterly testing. Some might call that overkill, but when it comes to security, erring on the side of caution will save you in the long run.
Consult with Experts
If you don’t feel confident that your organization is ticking all the boxes we’ve outlined so far, we’d love to help you get there. As experts in information security and problem solving, we’ll help you get your systems up to snuff and on track for bigger and better things. We fundamentally believe that an investment in your organization’s security will not only keep your company safe from external threats, it can also drive revenue. Improved security can be a fundamental growth mechanism for your company – expanding your opportunities to work with current clients and opening doors you never dreamed possible. Let us show you the way there.