Cloud Security - Best practices
Security has been the biggest concern for enterprises considering a move to the public cloud. The idea of running applications, transmitting customer data or storing data in infrastructure outside of their secure network, over which they don’t have full management control, is a scary thought for many enterprises.
CloudPassage’s 2016 survey points out that 91% of those surveyed have moderate to severe concerns about cloud security. However, only 9% reported any actual security incidents. Even 9% is a scary number for some companies, especially FinTech companies. For these enterprises, spending millions on private clouds is a viable alternative to losing brand value and customer trust. Thanks to the Cloud Service Providers (CSPs), who have invested heavily in security experts and the latest and greatest security technologies in the last few years, the expectation is that there will be a 60% reduction in cloud security incidents by 2020.
Here are some best practices enterprises can adopt to further improve their public cloud security.
1. Understand the Security Model: In a private cloud, the enterprise is responsible for all security issues. In public clouds, however, most CSPs have a shared security model. This means CSPs are fully responsible for certain aspects, enterprises are responsible for certain aspects, and some security measures are shared responsibilities. So it is important to understand the exact model well before considering a move to the public cloud. Ask all the security questions and raise all the concerns you have. Don’t assume the CSP will handle all the security, however big its brand name is.
2. Deploy an Identity and Access Management (IAM) Solution: Unauthorized access and account hijacking are the two major security threats to public clouds. These threats can be mitigated by a good IAM solution. Such solutions let your enterprise set and enforce access policies, use multi-factor authentication to address unauthorized access, and so on. We need to train our staff to spot dangerous emails and security issues to avoid phishing and spear-phishing attacks. Also establish and enforce cloud security policies: who will have access to cloud services, how they will access them, and what data will be stored in the cloud vs. in-house.
3. Secure Endpoints: Cloud services and cloud security do not eliminate the need for strong endpoint security. If you already have strong, in-depth security on your network, with firewalls, anti-malware, intrusion detection, access control, and other measures, you probably already have the technology you need in place. The move to the public cloud gives you a chance to revisit those security measures and make sure they are adequate for the evolving threats.
4. Encrypt Data: Encryption is one of the key parts of any cloud security. Not only do we need to encrypt data in transit, we also need to make sure the cloud storage and backup services are encrypting data.
5. Check Your Compliance Requirements: Enterprises, especially those in the financial services sector, face strict regulations for customer privacy and data security. They may also be subject to special regulations based on geographic location. So it is important for organizations to review their compliance and regulatory requirements before considering a move to a public cloud.
6. Conduct Penetration Testing and Auditing: Conduct regular penetration testing to make sure your current cloud security is sufficient to safeguard your application and its data. Also, conduct regular audits of your cloud security measures and of your compliance and regulatory requirements.
7. Monitor and Defend: Monitoring your cloud deployment and access, monitoring and analyzing your cloud and in-house security measures, and coordinating and analyzing the infrastructure monitoring done by CSPs are all critical steps for an enterprise.
As the threat vector evolves, cloud security measures are also evolving, and enterprises can use these best practices to reduce the threat and increase their public cloud security. This little article covers only the critical and basic best practices to be followed and is by no means a complete set.
Ilangovan, thanks for sharing! - Weston