There are so many different kinds of clouds — public, private, hybrid, internal — that many businesses and customers have difficulty deciding which is the right one for them. Furthermore, many businesses may use a few different variations of cloud environments — a private cloud for their own intranet, a hybrid cloud to keep some data on premises and some off premises to meet compliance regulations, and a public cloud for low-risk data.
These different types of environments make it difficult for IT and security teams to monitor every cloud on every device, or to monitor access requests for each different type of cloud environment. If you don’t control the cloud or where your data and apps reside, don’t manage them, or don’t know what you have in the cloud, your risk starts to sprawl and you don’t even know what’s happened when there’s a breach — or where to start to remediate. Follow these guidelines to make sure you avoid the cloud’s possible pitfalls.
1) Decide which kind of cloud is right for you from a security perspective.
Companies must stop treating the cloud as if it were their data center. Once data is in the cloud, it’s in a shared domain. With a public cloud, businesses have to relinquish a perceived level of control and decide if they’re comfortable with that. They need to determine if the third party (or parties) managing their cloud meets their security requirements and compliance regulations, and if there’s a clear path for accountability, threat management, and response. These days, it’s not if an attack will happen, but when.
2) Increase and improve cloud security and control.
Cloud management and security is all about control. The cloud environment you pick should depend on the level of control you want for your business. Former President Ronald Reagan used the Russian proverb “Trust, but verify” in his relations with the country. We’re going to borrow that attitude for security. Some organizations tend to enable product capabilities or features such as the “any/any” firewall rule, which allows “anything” onto the network. But that any/any rule then instructs the network to drop a potentially nasty network packet without logging it so that it can be flagged or investigated, making it impossible to find the cause of a problem if that nasty packet makes its way onto the network.
A general rule of thumb for the cloud is, “Don’t turn on anything you don’t understand.” Malicious actors know that companies allow encrypted traffic in and out every day, so they encrypt their own command and control traffic, making it harder for network security add-on technology to see it and flag it for human attention and remediation. Using the trust-but-verify model creates a good reminder for IT and security operations (SecOps) teams to go back periodically and check on active security features and policies to make sure they have the right access, rights, rules, and trust in place. Such things are easier to enable than to revoke, and SecOps teams have real threats to manage instead of monitoring how many people are sharing credentials.
3) Follow these rules of thumb when selecting or managing your cloud.
4) Keep track of what you have to mitigate risk.
Compliance is a huge piece of the cloud security puzzle, but compliance doesn’t always equal secure. Many of today’s attacks happen simply because contractors, partners, and/or service providers aren’t up to speed on company security policies. Make sure you have a plan in place to keep track of the data you have in the cloud, who’s accessing it, and why.
With the right controls in place, the cloud doesn’t need to be as scary as some make it out to be. This digital transformation we’re seeing across the industry has put businesses in a good position to take full advantage of the anywhere, anytime, any-device access on or off premises that’s provided by cloud solutions, but it’s critical to follow industry best practices and tips to ensure you’re picking the right cloud and the right vendor(s) as well as monitoring the security of data and applications, wherever they reside.