This article on cloud security tips was first published on May 5, 2015. It was updated on August 6, 2018.
Have you read the news? Chances are there’s breaking coverage of a cloud security breach. Maybe it’s personal cloud storage from a celebrity. Maybe it’s a huge enterprise suffering a major loss, like the theft of credit cards. Maybe it’s a small business hosted website that someone hacked. The threats are real.
No matter how you use hosted physical or virtual servers, your cloud security needs to be managed closely. Here are our Top 10 cloud security tips.
Tip #1. Enable strong passwords and two-factor authentication
Complex passwords are a must. Set your minimum password length to at least eight characters and require a mix of upper and lower case, numerals and special characters. If your service providers allow it, consider using two-factor authentication for any user access to cloud services and data. Replacing passwords on a regular basis (for example, every 90 days) and enforcing uniqueness, much as you would on your local network, can also help. Never reuse an old password, and never use the same password on more than one site. Password managers can help shoulder the burden of remembering multiple passwords.
Tip #2. Enable encryption
There are two ways that encryption can be applied to data stored in the cloud. The service provider may offer encryption of your data on its side, so that the data is encrypted as it is stored in the cloud. Some vendors also offer encryption of the data as it is transferred to the cloud. On-the-fly encryption may increase the time needed to send and retrieve data. Some services use a hybrid hardware/software approach, with locally installed appliances that manage encryption and data transfer.
It is also possible to encrypt data locally before it is moved to the cloud, though this extra step might require direct user interaction. If your business’s data has a very high level of confidentiality, you might even want to consider encrypting data before moving it to an encrypted cloud. Think of it as a belt-and-suspenders protection plan.
Tip #3. Backup, backup, backup
Just because you’re using a cloud or other hosted service doesn’t mean your data is backed up. Explicitly contracting for backup services is necessary to actually have your data secured. Data replication to multiple locations, while designed to allow continued operations in the event of a primary site failure, is still not the same as data backup. For absolutely critical corporate data, you might want to consider maintaining a local copy of that information as well, especially if you are not contracting for disaster recovery or business continuity services. (Hint: You might want to talk to your service provider about adding those services onto your account.)
Tip #4. Establish comprehensive user policies for your employees and partners
Given how easy it is to access cloud services from almost any location, strict policies need to be in place to control when and from where access is allowed. Even strict access control can be undermined by users who leave computers unsecured and logged into cloud services, or who use unsecured WiFi connections when out of the office. User education remains a key part of keeping corporate information secure.
Tip #5. Secure all communications with the hosted dedicated or virtual servers
Access security ranges from dedicated clients to simple HTTPS communications, so be prepared to implement whichever secure communications protocols your service provider supports. Some services default to falling back to unencrypted communications if the encrypted connection fails or is not supported by both parties. You should disable that option — if it’s not secure, then it’s not secure.
Tip #6. Control access to your back-end and employee-oriented services by mobile devices
Even the best cloud security can be easily compromised by lax BYOD (Bring Your Own Device) policies. If you allow employees to use mobile devices to access cloud resources, you need to be able to control those devices to ensure that they are locked down and can be remotely wiped if necessary. Since cloud management applications are available in mobile versions, it is especially important to make sure any device authorized to run such applications is completely controlled and managed by IT.
Tip #7. Know where your data is located — it’s your data, after all
In any active organization, data is always on the move. Think about critical information, like customer records or employee data. Is it in the cloud? On local servers? On employees’ desktops or laptops or phones? In the hands of contractors? Can it be copied onto a USB stick, or emailed outside your secure domain? It is vitally important to not only understand your information lifecycle management process but also where the cloud storage and services fit into that process. The security of data that is no longer considered active should be taken into consideration as part of your overall security model – you should have plans to archive it, delete it, or otherwise make sure it is safe.
Tip #8. Understand the service contracts from your service providers
Read the fine print! You should make sure that the responsibility for the security of your data and cloud applications is clearly spelled out, with no misunderstandings that would allow for security breaches due to a failure to properly understand who was responsible for what.
Tip #9. Test, test, test, and then test some more
Just because a server or database is in the cloud doesn’t make it magically secure. With the assistance of your service provider, you should be able to perform an active assessment of the security of the cloud service in much the same way that you do on your local resources. Security scanning, vulnerability assessment tools, and penetration testing can give you a higher level of confidence in your cloud security or flag issues that need to be addressed.
Tip #10. Take nothing for granted
Whether using cloud services, hosted dedicated or virtual servers, or your own on-premises servers and networks, information security remains your responsibility. Yours. Not the host’s or service provider’s responsibility.
While your hosting company and other service providers will be wonderful partners, it’s up to you to develop a security plan and ensure that it is implemented correctly. The buck stops with you. Or to put it another way, it’s your job to ensure that when someone sees a security story in the news, it’s not about your company.