Security in the cloud? Some companies see it as an oxymoron, but it’s simply a different way of looking at the same problem.
Cloud security strategies aren’t the same as those employed on local stacks—as Winston Churchill put it, “however beautiful the strategy, you should occasionally look at the results.”
This is the third installment of our three-part series (catch up with parts one and two). Here are four ways to effectively boost security in the cloud.
1. Go data-centric.
As mentioned in the first article of our series, data-centric thinking is the number one strategy to reduce security incidents in the cloud. Why? Because data in motion is far more vulnerable in a cloud environment than on a private stack.
Consider the case of a sales professional sending customer data to an internal contact, an external partner and the cloud for storage. Sent internally, this information is protected by local firewalls and should be shielded from prying eyes. Outside the network—whether sent to a third party or directly to a cloud storage provider—insecure data is a tempting target. As a result, encryption becomes essential.
In many ways, this strategy is counterintuitive; after all, IT professionals have been trained to protect the network, not individual files. But when the network is no longer the unit by which security is measured, strategy must change.
2. Think contextually.
Another critical cloud security strategy focuses on defining not only who has access to data but when and why. IT admins logging in from their desktop at work should have full access to cloud resources and the permissions needed to make network-level changes. But this access standard changes when employees are outside the building using personal devices and public networks. The same trusted admin sitting in a restaurant on his mobile device needs to complete more authentication steps and have limited access permissions when on a shared network.
Taking this a step further, it’s also important to make sure unneeded cloud permissions are revoked. For example, if a manager who has access to employee personal records for a human resources project is moved to a new task that doesn’t intersect with HR, access to records should be removed. In addition, it’s important to define and classify data types to ensure users always receive proper permissions.
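The contextual access and revocation ideas above can be expressed as a small policy check. This is an added example, not code from the original article; the permission names, assignments and the `User`, `Context`, `revoke_stale` and `decide` names are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# Constructed policy data: the assignment that justifies each grant (None = everyone).
GRANT_REQUIRES = {
    "read:general": None,
    "read:hr_records": "hr_project",
    "change:network": "it_admin",
}
# Grants withheld whenever the request context is not fully trusted.
HIGH_RISK = {"read:hr_records", "change:network"}

@dataclass
class User:
    name: str
    assignments: set  # current roles and projects
    grants: set       # permissions currently held

@dataclass
class Context:
    managed_device: bool   # company-managed device vs. personal device
    trusted_network: bool  # office network vs. public or shared network

def revoke_stale(user):
    """Remove and return grants no longer justified by a current assignment."""
    stale = set()
    for grant in user.grants:
        # Unclassified grants are treated as stale (deny by default).
        need = GRANT_REQUIRES.get(grant, "<unclassified>")
        if need is not None and need not in user.assignments:
            stale.add(grant)
    user.grants -= stale
    return stale

def decide(user, ctx):
    """Return (effective permissions, authentication steps) for this request."""
    revoke_stale(user)
    perms, steps = set(user.grants), ["password"]
    if not (ctx.managed_device and ctx.trusted_network):
        steps.append("second_factor")  # more authentication off-premises
        perms -= HIGH_RISK             # and a reduced permission set
    return perms, steps

if __name__ == "__main__":
    admin = User("admin", {"it_admin"}, {"read:general", "change:network"})
    print(decide(admin, Context(True, True)))    # desk at work: full access
    print(decide(admin, Context(False, False)))  # restaurant, personal phone
    manager = User("manager", {"sales_project"}, {"read:general", "read:hr_records"})
    print(revoke_stale(manager))                 # HR grant dropped after reassignment
```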
3. Take off the rose-colored glasses.
It’s also essential to install monitoring tools that let you see “through” the cloud and discover if specific users are abusing their privileges, along with security analytics solutions that monitor cloud perimeters in real time.
But even with the best technology available, IT security comes with inherent risk. This is because motivated, malicious attackers will always be able to find a security gap, however small, and devise an exploit.
As a result, companies must not only devise strategies to protect against an attack, but also consider what happens after systems are compromised. What measures are in place to minimize damage or restore lost files? Who is responsible for getting the system back up and running, and how will loss be measured? What responsibility does your cloud provider bear, if any, for the breach?
By planning for the worst, companies can be prepared to respond no matter how large (or small) the incident.
4. Bring your own defense.
It’s impossible for businesses to ignore the bring-your-own-device trend, but many assume existing network security measures will catch mobile missteps. They won’t. Smartphones and tablets require specific defenses such as account takeover protection, compromised device detection and even biometric services such as fingerprint recognition. With cloud access no longer limited to devices under company network protection, thinking outside the network becomes an essential strategy.