The Main Difference between Cloud and On-Prem Security? Convenience

Stroz Friedberg is a specialized risk management firm built to help clients solve the complex challenges prevalent in today’s digital, connected, and regulated business world

The cloud can seem scary: You’re moving your data outside of your home environment to a server you can’t see; details about data access and liability live in the fine-print of a contract with a third-party; cyberattacks are hitting everyone so wouldn’t a company whose business is storing data be a high-value target?—and the list goes on.

The reality is, however, the risks of a cloud environment are strikingly similar to those present on-premises, and what you can do to protect your data is strikingly similar to what you can do on-prem. In both your home environment and the cloud, you have to define your security baseline and appetite for risk. You have to configure your network, maintain your servers, update your operating system, and maintain third-party libraries. You have to collect detailed log files and implement strong identity and access management (IAM). In both environments, one of your greatest risks, if not your absolute greatest risk, would be an attacker getting admin privileges and wiping your data.

Really, the biggest difference in cybersecurity between the two environments is convenience. Cloud providers roll out many solutions to help secure data in their environment, so there is less need to procure new tools from third parties. Rather, you may simply need to stay aware of what your provider offers and configure your network and their tools to your specific needs. Just as the cloud brought efficiency to scalable, redundant storage, so too has it brought efficiency to cybersecurity.

Here’s a quick list of cybersecurity efficiencies brought to you from many cloud providers and tips on how to use them.

Identity and access management tools: Access management is critically important in the cloud, as it is of course on-prem, and fortunately many cloud providers have fully featured IAM tools available. With these tools, you can set up a number of rules and policies for user accounts such as having multifactor authentication, forcing password changes, and rotating access keys (in AWS).

Tip: Be mindful however of how you handle cloud-based root access. When you first create an AWS account as the root account user, you create an access key with full, unrestricted privileges. Best practice is to avoid using that account and to instead create a lower-level admin account to avoid having keys to the kingdom in everyday use.
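The checks above (no root access keys in use, keys rotated on a schedule, MFA on password-enabled accounts) can be audited mechanically. The following is an added example, not code from the original post or from Stroz Friedberg: it parses a constructed sample in the column layout of the AWS IAM credential report and flags the conditions the post warns about. The 90-day rotation threshold, the account ID and the user names are assumptions chosen for illustration.

```python
"""Audit a constructed IAM credential report for the hygiene described in the post."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample (fabricated dates and users) mirroring the CSV columns of
# the AWS IAM credential report; only the columns this audit needs are included.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,true,2021-01-01T00:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,true,2024-01-10T00:00:00+00:00,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,false,true,2022-06-01T00:00:00+00:00,true,2024-02-01T00:00:00+00:00
"""

MAX_KEY_AGE = timedelta(days=90)                       # assumed rotation policy
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)        # fixed "today" for the sample


def parse_ts(value):
    """Report cells may hold N/A or not_supported instead of a timestamp."""
    return None if value in ("N/A", "not_supported", "") else datetime.fromisoformat(value)


def audit_credential_report(report_csv, now):
    """Return (user, finding) tuples for root key use, stale keys and missing MFA."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue                                # inactive slot, nothing to rotate
            if is_root:
                findings.append((user, f"root access key {slot} is active"))
            rotated = parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated and now - rotated > MAX_KEY_AGE:
                findings.append((user, f"access key {slot} older than {MAX_KEY_AGE.days} days"))
        # Root always has a console login; other users only when a password is enabled.
        if (is_root or row["password_enabled"] == "true") and row["mfa_active"] != "true":
            findings.append((user, "console login enabled without MFA"))
    return findings


def run_sample():
    return audit_credential_report(SAMPLE_REPORT, NOW)


if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user}: {finding}")
```

Against a real account, feed the output of the credential report API into `audit_credential_report` with the current time; the sample above yields three findings for the root user and one stale key for the deploy user.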

Easy provisioning and de-provisioning: In the cloud, it’s easy to provision and de-provision users, networks, services, and private clouds altogether. It’s also easy to seamlessly transfer your existing set-up to the cloud, including your configurations of security controls, tools, and technologies, allowing for fast and secure scaling.

Tip: Be mindful, however, that if security on your existing network isn’t well planned or controlled, these same systems may be insecurely deployed, or systems administrators may have inappropriate levels of access (e.g. deletion rights) over production systems.

Turn-key DDoS protection: In the cloud, it’s easy to protect your business from DDoS attacks with built-in, basic tools available on AWS and Google Cloud. And, of course, being in the cloud means the service provider will have more scale for you if you need it, but you’re going to pay for those resources.

Tip: For more coverage, if unavailability would be a really serious problem, for example if you’re a streaming media or gaming company, higher levels of DDoS protection are available for a charge.

Alerts on deviations: Cloud providers often have services that can alert you when your data changes. Taking advantage of these tools can help you maintain your security baseline over a potentially vast pool of similar systems, allowing you to detect those that are not configured or operating as expected, whether due to an operational issue or an ongoing incident.

In the cloud with tools like these either built-in or clicks away, you’re likely in a safer place than had you kept your data in-house. But it’s still your responsibility to take advantage of the tools available and configure your infrastructure appropriately. Gartner predicts that 95% of cloud security failures will be the customer’s fault through 2020, due to lack of controls on the customer’s part. Incidents stemming from vulnerabilities caused by the cloud provider are rare. So take the leap to the cloud with confidence. Then use the time you would have put to sending out RFPs, scheduling demos, drawing up service agreements, and weaving together a complex stack to instead simply maintain awareness of what your cloud provider offers, optimize your network’s structure, and maybe even take a summer Friday.

For more information on Cloud Security, watch our recent TECH Talk webinar, Security in the Cloud: Do’s and Don’ts.


Our lawyers don’t want to miss out on the fun and would like you to know that all of the posts are the opinions of the individual authors and don’t necessarily reflect the opinions or positions of Stroz Friedberg. The ideas and strategies discussed herein may not be appropriate for any one reader’s situation and are not meant to be construed as advice.

Risk Areas: Cyber


Tags: Cloud, Cloud Security, AWS
