Cybercrime is one of the biggest threats to the bottom line. Research from Accenture shows that the average cost of cybercrime to an organisation grew to $13m (£9.9m) in 2019, with the number of security breaches increasing by 67% over the last five years.
Moving from on-premise to cloud means handing over some degree of control of your enterprise data. As such, you may have less control over the cybersecurity risks. As cloud services become increasingly prevalent, it’s easy for the roles and responsibilities around data protection and security to become muddied.
But this doesn’t necessarily mean that cloud is inherently more dangerous, or that your provider is solely responsible for your cloud-hosted data and applications. It just means that organisations may need to take a different approach to cybersecurity.
This article provides some general tips and watch-outs that will help when considering the best ways to ensure data security in the cloud.
Understand How Data is Secured
If you’re using a public cloud or a private cloud via a provider, then establish how your provider is securing your data. Cloud providers will use a combination of security measures which may include any of the following:
- Firewalls – these may be simple, only checking the source and destination of data, or more advanced, examining the data itself
- Event logs – generally used by security analysts to detect threats, but if there is a breach, event logs can also help trace the source
- Intruder detection – basic detectors will flag when someone attempts to brute-force a password while more advanced ones will offer multi-level detection in case an attacker manages to breach the initial boundaries
- Physical security – certified data centres offer full physical protection including measures such as human guard patrols, 24-hour surveillance, and biometric locks
- Encryption – cloud providers generally encrypt data so even if it falls into the wrong hands, it’s of no value without the encryption key
Ensure Clarity of Roles and Responsibilities with Providers
The last point above about encryption illustrates the importance of having defined roles and responsibilities between your organisation and the cloud provider. Some cloud providers will give clients the encryption key, while others will retain it.
Establishing a matrix of controls is critical for many reasons. It avoids redundancy, prevents issues and checks from falling through the cracks, and provides a basis for training and educating employees. In publicly-traded companies and public sector organisations, it’s likely to be required by auditors.
The Cloud Security Alliance (CSA) is widely regarded as the leading authority in the industry.
The CSA provides a comprehensive matrix of cloud security controls and associated documentation that can be tailored to any organisation, public or private, large or small.
Educate Employees
The Accenture cybersecurity research highlights that people-based attacks are the fastest-growing type of attack. From a cybercrime perspective, this means that your employees are one of the most vulnerable points for any organisation.
These kinds of attacks could fall under the category of “social engineering” like phishing or other deceptions designed to fool unwitting employees into divulging information. However, poor password practices can also lead to breaches. Employees may use unencrypted local files to store passwords or repeatedly use the same easy-to-guess combinations.
Make sure IT policy and practice cover employee education in data security and good housekeeping. Onboarding should include training in IT policies and practices, with regular refreshers. Send periodic reminders for employees to change their passwords and to use additional security measures, such as enabling two-factor authentication wherever possible.
Use Role-based Permissions
Role-based permissions offer an easy way to limit the damage a hacker can do if an employee falls victim to a phishing attack or their account is hacked. They also offer protection against malicious insiders. Most providers and systems allow you to configure user roles into groups. System access should be assigned on a strictly need-to-know basis.
Permissions should be reviewed periodically to make sure the right people have access to the right roles. It can often be the case that someone moves role internally or leaves the company, but still has user permissions for a former position.
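The periodic review described above can be automated by comparing the groups each account actually holds against what its owner's current role allows. The following Python sketch is an added example, not code from this article or from any provider; the role names, group names and sample users are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed role-to-group matrix (assumption: names are illustrative only).
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"erp-read", "reports-read"},
    "finance-manager": {"erp-read", "erp-approve", "reports-read"},
    "support-agent": {"crm-read", "crm-write"},
}

@dataclass(frozen=True)
class Finding:
    user: str
    group: str
    reason: str

def review_access(roster, grants, entitlements=ROLE_ENTITLEMENTS):
    """Flag group grants that the user's current role does not justify.

    roster: {user: current_role}, listing active employees only
    grants: {user: set of groups currently assigned in the system}
    """
    findings = []
    for user, groups in sorted(grants.items()):
        role = roster.get(user)
        if role is None:
            # Account still holds access but its owner has left the company.
            reason, excess = "user not in active roster", groups
        elif role not in entitlements:
            # Fail closed: a role missing from the matrix justifies nothing.
            reason, excess = f"role '{role}' has no defined entitlements", groups
        else:
            # Need-to-know: anything beyond the role's allowance is excess.
            reason = f"not permitted for role '{role}'"
            excess = groups - entitlements[role]
        findings.extend(Finding(user, g, reason) for g in sorted(excess))
    return findings

# Constructed sample data: bob moved from finance to support, carol has left.
SAMPLE_ROSTER = {"alice": "finance-manager", "bob": "support-agent"}
SAMPLE_GRANTS = {
    "alice": {"erp-read", "erp-approve", "reports-read"},
    "bob": {"crm-read", "crm-write", "erp-approve"},
    "carol": {"erp-read"},
}

if __name__ == "__main__":
    for f in review_access(SAMPLE_ROSTER, SAMPLE_GRANTS):
        print(f"{f.user}: revoke {f.group} ({f.reason})")
```

In practice the roster would come from the HR system and the grants from the provider's identity service export, with the findings routed to the system owner for revocation.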
Penetration Testing
Penetration testing, or pen testing, essentially stress-tests the system by emulating the tactics an attacker may use. External IT security companies often offer this service on-demand and it can take place on multiple levels. The most basic will attempt an outside-in breach. More robust testing will examine the system architecture, looking for weak points.
Your cloud provider may do their own pen testing, in which case the type and scope can be defined in the cloud controls matrix mentioned above.
Reducing complexity is one way to take the headache out of cybersecurity. Smarter Integration provides Integration Connectivity-as-a-Service, enabling your cloud-based services and applications to communicate seamlessly. Our tried-and-tested library of reusable integration patterns and connectors offers a high level of security, based on best practices and common services. We adopt an API approach that ensures adherence to a single architecture and standard, reusable services.
All incoming connections to Smarter Integration use HTTPS with the latest TLS version. This ensures that all data coming from the client over the internet to the Smarter Integration servers is encrypted. Authentication and authorisation within any Smarter Integration service are handled via OAuth2 and AWS IAM (Identity and Access Management). Any user information required can be stored in an encrypted format.
To further secure the services enabled on Smarter Integration, a number of different measures can be implemented to ensure that the service is not only available 24/7 (e.g. throttling can be implemented to limit API calls) but also highly secure. The Smarter Integration APIs are installed on servers in a virtual private cloud (VPC) that have their own private subnets, and the servers in the VPC are themselves protected by an AWS security group. There is no direct access to any of these servers.
All of the above is then fronted by an additional firewall, and to further enhance security Smarter Integration implements a whitelist so that only known IPs are allowed to make requests. Other AWS tools such as AWS Shield are used by Smarter Integration to provide further security.
Our approach as outlined above can fit seamlessly into your existing IT setup without introducing any additional security-induced headaches.