Around a third of businesses (32% to be precise) report having cyber security breaches or attacks in the last 12 months, according to the latest DCMS Cyber Security Breaches Survey from July 2019. High-profile breaches at British Airways and Marriott Hotels may hit the headlines, but every day smaller companies fall victim to cyber criminals. Cyber crime is expensive and will likely damage a company's reputation. However, even with the growing complexity of cloud technology, securing your data in the cloud is straightforward when you follow best practice.
In this blog, we’re looking at the threat landscape and applying some hands-on, practical advice to help you secure your data in the cloud. If you have any queries on cloud security, don’t hesitate to get in touch with us – our experts are happy to assist.
The best practices that you have followed in-house should be followed in the cloud. As the famous phrase goes: there is no cloud; it’s just somebody else's computer.
Moving to the cloud may mean that you no longer have direct control over your infrastructure, but you still have control of your data. By relying on reactive cyber security rather than proactive security management, companies leave themselves open to the changing threat landscape.
Threats arise from several motivations: criminal gangs working for financial gain; state-sponsored attacks aiming to cause disruption; opportunist script kiddies who randomly exploit weaknesses; and even disgruntled employees looking to inflict damage. Cyber criminals often steal, encrypt or destroy data, deleting large swathes of it during the 4,000 ransomware attacks that happen every day.
A common theme amongst recent cyber attacks is the increasing sophistication used by hacker groups. Hackers can operate inside a business’s network while remaining invisible. The damage is done long before the organisation has realised that it has an issue.
Taking a multi-layered security approach, often referred to as defence in depth, will protect your business data. Only coordinated defences working across multiple applications and protocols can protect you against the blended multi-pronged attacks that we see today.
The good news is that moving to the cloud helps with many of the security tasks you have already been undertaking, so securing your data in the cloud should ultimately be easier.
Now let’s get down to the nitty gritty – here are some hands-on processes, policies and things to consider when it comes to staying safe in the cloud.
Not all data is equal. Much of your data may be redundant, obsolete or trivial, such as users’ personal music files. Reducing the volume of data you hold minimises risk, as you can focus your security efforts solely on the data valuable to your company. Minimisation of customer data is a requirement under GDPR; however, the principle should be applied across your business for all data by having a defined and enforced data deletion policy.
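One way to turn a deletion policy into a regular report is to classify stored files as trivial, obsolete or redundant. The script below is an added example, not Cloudhelix code; the extension list, the three-year retention period and the sample files are assumptions made for illustration, and it only reports, it never deletes.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

# Assumed policy values for illustration; take the real ones from your deletion policy.
TRIVIAL_EXTENSIONS = {".mp3", ".m4a", ".flac", ".wav"}   # e.g. personal music files
RETENTION_DAYS = 365 * 3                                 # hypothetical retention period


def classify_rot(root, now=None, retention_days=RETENTION_DAYS):
    """Return {relative_path: label} for files that are trivial, obsolete or redundant."""
    now = time.time() if now is None else now
    cutoff = now - retention_days * 86400
    findings, seen_digests = {}, {}
    root = Path(root)
    # Sorted walk, so the first copy of duplicated content is the one treated as original.
    for path in sorted(p for p in root.rglob("*") if p.is_file() and not p.is_symlink()):
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() in TRIVIAL_EXTENSIONS:
            findings[rel] = "trivial"
        elif path.stat().st_mtime < cutoff:
            findings[rel] = "obsolete"
        else:
            # Whole-file read keeps the example short; hash in chunks for large files.
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            if digest in seen_digests:
                findings[rel] = "redundant (copy of %s)" % seen_digests[digest]
            else:
                seen_digests[digest] = rel
    return findings


def build_sample_tree(root, now):
    """Constructed sample data: four small files, one per rule plus one keeper."""
    root = Path(root)
    (root / "finance").mkdir()
    (root / "finance" / "q1.csv").write_text("id,amount\n1,100\n")
    (root / "finance" / "q1_copy.csv").write_text("id,amount\n1,100\n")
    (root / "old_tender.doc").write_text("superseded")
    (root / "playlist.mp3").write_bytes(b"\x00\x01")
    old = now - 5 * 365 * 86400          # five years old, past the assumed retention
    os.utime(root / "old_tender.doc", (old, old))


if __name__ == "__main__":
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp, now)
        for rel, label in classify_rot(tmp, now).items():
            print(f"{label:40} {rel}")
```
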
When you move to the cloud you lose control over physical security, which is generally a good thing.
Very few companies can afford the manpower or resources to protect their data in house in the ways that a cloud provider can. Our data centres provide 24/7 manned security, CCTV and recording as well as biometric scanning of everyone entering the site. Data centres also protect against loss of data through natural disasters, power or connectivity outages and even human error.
Patch management can seem like a never-ending job, but it is essential to keep software running securely. Vulnerabilities in unpatched software are open to exploitation. The large-scale WannaCry attacks exploited a vulnerability in unpatched Microsoft Windows XP software.
Patch management requires a process to check, verify, test and patch these vulnerabilities; most companies fail to do this consistently because of other pressing resource issues. A cloud provider will monitor and maintain these as a part of their service, keeping vulnerabilities to a minimum.
Firewalls now do more than just protect against network-level breaches by blocking ports and IP addresses (Layers 3-4 of the Open Systems Interconnection (OSI) model).
They are now able to look at the application layer (Layer 7), to protect against application level attacks by making decisions based upon SSL inspection, dynamic web traffic filtering, and other features such as Data Leak Prevention (DLP) – where sensitive data, such as financial information or document fingerprints, can be automatically blocked from leaving your network.
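The two DLP checks mentioned above, financial information and document fingerprints, can be sketched as follows. This is an added example, not a firewall vendor's implementation: the fingerprint is a simplified exact match over normalised text, and the function names and sample messages are constructed for illustration.

```python
import hashlib
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits):
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def fingerprint(text):
    """Exact-match fingerprint over whitespace- and case-normalised content."""
    normalised = " ".join(text.lower().split())
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def inspect_outbound(body, protected_fingerprints):
    """Return (verdict, reasons) for one outbound message body."""
    reasons = []
    for match in CARD_CANDIDATE.finditer(body):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            # Record only the last four digits so the DLP log is not itself a leak.
            reasons.append("card number ending " + digits[-4:])
    if fingerprint(body) in protected_fingerprints:
        reasons.append("matches protected document fingerprint")
    return ("block" if reasons else "allow", reasons)


# Constructed sample data. 4111 1111 1111 1111 is a widely published test number.
PROTECTED = {fingerprint("Project Falcon   pricing: CONFIDENTIAL draft v3")}
SAMPLES = [
    "Invoice paid with card 4111 1111 1111 1111, thanks.",
    "Order reference 1234567890123456 has shipped.",      # fails Luhn, so allowed
    "project falcon pricing: confidential draft V3",       # same document, reformatted
    "See you at the 10:30 stand-up.",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(inspect_outbound(body, PROTECTED), "<-", body)
```

The Luhn step is what keeps order references and other long digit runs from being blocked as card numbers.
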
All interaction with your cloud services should happen over Secure Sockets Layer (SSL) transmission to ensure a high level of security. The SSL should terminate only within the cloud provider’s network.
All data stores should be encrypted to secure your data in the cloud. If a breach occurred, there would then be no way to access your actual data. The same approach should be taken for local machines.
Restricting admin-level access, such as who can install software or access all files, will reduce your risk of breaches as it reduces the number of vulnerabilities available to exploit.
Most people are familiar with two-factor authentication through their banking applications, and where practical, this approach should be applied to securing your data in the cloud, as it provides security beyond just a username and password. This is particularly relevant for admins, whose accounts have access to far more than that of a standard user.
A Distributed Denial of Service (DDoS) attack can bring your cloud services to a grinding halt by flooding them with internet traffic and requests. Check whether your cloud service provider has a tool that detects and prevents such attacks.
Intrusion detection solutions (IDS) monitor networks for unusual activities and flag them as potential threats. More complex IDS systems can take action directly against these threats.
All actions taken on your services should be logged. These logs will show when any malicious activity took place. Reviewing logs will enable you to make better decisions about what extra steps you may need to take to reduce your risk.
Your company should formally define a security policy and processes if it has not yet done this. These need to be communicated throughout the organisation and enforced.
The biggest security risk in a company comes from within. Most breaches are a result of someone doing something they shouldn’t have or not doing something they should have.
Staff need to be aware of security policies and where appropriate receive training. The growth in phishing attacks just shows that you need more than technology to keep your company safe and secure.
Sophisticated spear phishing attacks lure users into opening up vulnerabilities that could be exploited. Making your staff aware of such threats is the only way to protect against these attacks.
A strong security approach combines technology, policy and people. Each of these three elements is needed to provide your company with multi-layered cyber security protection.
Technology will do most of the work; the policy defines what data is needed and who has access; and the people, who are the heart of any company, need to enforce those policies and ensure a secure approach to their daily workloads.
When you move your data to a cloud provider, you no longer control the infrastructure… but you still control the security of your data. The cloud will provide layers of security that are hard to achieve in-house but you need to apply best practice policies and processes to ensure you remain protected. Following on from this, Cloudhelix’s Chief Technology Officer, James Leavers, said “Customers and cloud providers have a shared responsibility to ensure a high level of security and compliance. What this looks like in real terms depends on the services being utilised but it’s a conversation to have up-front rather than during an emergency.”
“Apart from avoiding potentially awkward conversations at a critical time, it will also clear up exactly what security configuration or management tasks you, as a client, are responsible for in order to stay safe.”
Cloud providers understand the need for exceptionally tight security to protect their customers’ data. Your cloud provider should be able to explain the security policies that cover your platform and your data. These are conversations we regularly have with our customers, and we’re happy to have them with you. For more information, get in touch with us today or check out our managed hosting services.