10 Easy Cloud Security Best Practices
1. Create a policy around cloud services in your employee handbook that prohibits individuals from signing up for business-related cloud services at an individual level.
Instead, subscribe at the organization level and have your IT Staff manage all accounts. This does two things: it protects the organization from a security perspective and it eases the administration of content control.
2. Thoroughly understand a cloud provider’s architecture and how this applies to your organization’s objectives and security policy.
Some common questions to ask:
• Do they own their own cloud (data center space) or are they spinning up on someone else’s platform?
• What physical security is in place? You should look for secure access (badge, sign in, biometric, etc.), physical separation from underlying service provider and other third parties, proper data center infrastructure (diverse access, environmental control, backup power) and personnel policies, to name a few.
• What network security is in place to protect your applications and data? You should look for redundant firewalls with up-to-date software and policies, intrusion detection with trained personnel, VLAN and LUN separation where applicable, Security Event Systems that monitor and log traffic and Data Leakage Protection for highly sensitive applications.
• What security/regulatory certifications and accreditations does the service provider have? (CISSPs on staff, SOC Compliant, CSA Star Participant, HIPAA enabled, etc.)
• Do they allow security audits if necessary? This applies to application penetration testing, vulnerability analysis and also physical inspection.
3. If you or your IT Staff are not thoroughly familiar with the differences between public and private cloud computing, you should be.
They each have various pros and cons and you should be aware of security limitations and precautions should your organization decide to use public computing for private, sensitive or mission critical applications. In the event you do decide to go in this direction, you should be aware of necessary security settings, plug-ins or third party applications.
4. Make sure your web app service provider posts information on their web app security policies or will talk to you about them.
Make sure they follow an OWASP- or PCI DSS-type security framework to mitigate and remediate security vulnerabilities. Do they have a response to the most commonly posted top web app vulnerabilities like SQL Injection, Security Misconfiguration, and Using Known Vulnerable Components?
5. If your organization’s password policies are weak, you will be more susceptible in the cloud.
Reckless passwords wreak havoc in the cloud. Make sure you implement a strong password policy with random, long, alphanumeric passwords that change from time to time.
6. If you or your IT Staff are not thoroughly familiar with terms like RTO and RPO and you are using cloud applications to run your business, you need to be.
Knowing your company’s Recovery Time Objectives and Recovery Point Objectives will define what type of cloud services you need and which are best suited to your organization or application.
7. If you are using cloud storage services for sensitive data, make sure you are encrypting the data, particularly if using public cloud storage.
There are many solutions out there that are easy to implement and provide tools for your IT Staff to evaluate.
8. In many cases users access the cloud through their client web browsers. Make sure your users employ strong client security tools where applicable and that your browsers are properly updated and protected from exploits.
Many cloud apps have “require secure sessions” options. This will enable encryption in transit via browser SSL.
9. The fastest growing way your users are accessing the cloud is through their mobile devices.
No matter how secure your cloud app/data is, if your mobile device security strategy is poor, you are at risk. Have your IT Staff implement and install mobile security features on your users’ devices.
10. Just because it’s in the cloud doesn’t mean it’s backed up. Many IaaS (Infrastructure as a Service) providers are just that: infrastructure.
That means you and the administrator need to make sure your data is backed up. It is the same as with on-premise systems.