How to Protect Cloud Content and Users
With users pouring into cloud computing, the industry is expected to grow from $371 billion in 2020 to $831 billion in 2025, according to an article from the Global Newswire.
With such enormous profits at stake, expect cybercriminals to step up their strategies and widen their net over the next few years, according to Jeff Gulick, CIO of inSOC.
Gulick has several strategies for protecting your companies, clients, and data.
Vet Cloud Providers
Properly vetting CSPs (cloud service providers) is vital in ensuring that you are placing your critical services and data into demonstrably trusted and experienced CSPs, Gulick says.
Some key things to consider when making this cloud security choice include:
- Policies. Providers should have clearly defined data policies (remember… policy defines how the business is governed, and a lack of policy means governance is ad hoc, at best). Policies should describe their accountability, data usage and privacy, breach response and notification practices, and disaster recovery and continuity plans.
- Encryption. The CSP should ensure that your data is encrypted at rest (when it is stored at the data center) and encrypted in transit (when it is transmitted to and from the data center). Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL), is the industry standard for securing communications to and from a data center.
- Location and Redundancies. CSPs should fully disclose the locations of their data centers that store your information. The data you entrust to them should be backed up and redundantly stored at multiple centers in the event of an outage in one location.
- Data Availability and Usage. CSPs should make the following contractual representations: only you own your data, data can be extracted in a usable and non-proprietary format, data permanently deleted from the cloud should be disposed of and no longer available to any entity, and private information should be treated as confidential and viewed only by the provider with your explicit consent.
- Tenure. While cloud services are still a very young market segment, CSPs should be able to demonstrate some level of experience and tenure. This should not be their “first rodeo”. Look for CSPs that have a track record and can provide appropriate references from clients in your particular market or industry.
“This is no different than selecting a bank, insurance company, or an HVAC vendor. You do not have to be an expert in technology to find CSPs that are capable of meeting your requirements and meeting security best practices.”
Harden Your Environment Following the CIS 20
Gulick suggests partnering with a company such as inSOC to review and harden your own and your clients’ work infrastructure by following the CIS 20 guidelines. inSOC, or a similar company, can review inventory and establish control of hardware and software assets. From there, they can set up continuous vulnerability management.
“Assume most people have information that has been compromised,” Gulick says. For example, most people don’t want to change passwords, Gulick says, so it is better to move to multi-factor authentication to build the needed layers of protection for your stored information.
Restricting access is another key safety measure. Without additional configuration, most cloud platforms let authorized users access data from any device. This means a user may be able to use any machine (think hotel kiosk computers or Aunt Bessy’s personal computer) to access and potentially download data to unauthorized devices. The problem is that this data is no longer in your control and may now be sitting on a computer that is not adequately protected with anti-malware or is not encrypted.
“It is important to limit access to cloud hosted data from unauthorized devices. Consider restricting the ability to download or synchronize data to devices that are not owned and controlled by the organization.”
Gulick recommends backing up all data and training employees on a regular basis. Hardening the system is also essential, including a process to block access from countries where the company or institution has no affiliation. Gulick also suggests changing default settings to protect users and data.
While all of this is time-consuming, creating a regular process and training is vital. Companies such as inSOC can also help protect the company’s information and provide regular updates.
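The two access controls described above, limiting download or synchronization to devices the organization owns and controls, and blocking access from countries where the organization has no presence, are what cloud platforms usually expose as a conditional access policy. The following is an added example, not inSOC’s code or any provider’s API: a small policy evaluator that models those rules. The field names, the policy shape, and the sample requests are all assumptions constructed for illustration; a real platform would supply device compliance and source country from its own signals.

```python
"""Conditional-access style policy check for cloud-hosted data.

Added example (not inSOC's or any cloud provider's code). It models two
controls: blocking access from countries where the organisation has no
presence, and allowing download/sync of data only from devices the
organisation owns and controls. All names, fields and sample requests
are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Actions a user can take on cloud-hosted data. VIEW leaves data on the
# provider's side; DOWNLOAD and SYNC copy it onto the requesting device,
# which is the case the policy must treat more strictly.
VIEW, DOWNLOAD, SYNC = "view", "download", "sync"
DATA_LEAVES_CLOUD = {DOWNLOAD, SYNC}


@dataclass
class Device:
    org_managed: bool          # enrolled in the organisation's device management
    disk_encrypted: bool       # full-disk encryption reported as enabled
    endpoint_protection: bool  # anti-malware present and running


@dataclass
class Request:
    user: str
    mfa_verified: bool
    country: str               # ISO 3166 code derived from the source IP (assumed)
    device: Device
    action: str                # one of VIEW, DOWNLOAD, SYNC


@dataclass
class Policy:
    allowed_countries: Set[str]
    require_mfa: bool = True


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)  # empty when allowed


def evaluate(policy: Policy, req: Request) -> Decision:
    """Apply every rule and collect all failures, so an audit log shows
    the full picture rather than only the first rule that tripped."""
    reasons: List[str] = []
    if req.country not in policy.allowed_countries:
        reasons.append(f"geo: {req.country} not in allowed countries")
    if policy.require_mfa and not req.mfa_verified:
        reasons.append("auth: MFA not completed")
    # Viewing from an unmanaged device is tolerated; copying data onto it is not.
    if req.action in DATA_LEAVES_CLOUD:
        d = req.device
        if not d.org_managed:
            reasons.append("device: not organisation-managed")
        if not d.disk_encrypted:
            reasons.append("device: disk not encrypted")
        if not d.endpoint_protection:
            reasons.append("device: no endpoint protection")
    return Decision(allowed=not reasons, reasons=reasons)


def audit(policy: Policy, requests: List[Request]) -> List[Tuple[str, str, bool]]:
    """Evaluate a batch and return (user, action, allowed) rows for review."""
    return [(r.user, r.action, evaluate(policy, r).allowed) for r in requests]


if __name__ == "__main__":
    # Constructed sample: a corporate laptop, a hotel kiosk, and a home PC.
    policy = Policy(allowed_countries={"US", "CA"})
    laptop = Device(org_managed=True, disk_encrypted=True, endpoint_protection=True)
    kiosk = Device(org_managed=False, disk_encrypted=False, endpoint_protection=False)
    home_pc = Device(org_managed=False, disk_encrypted=True, endpoint_protection=True)
    sample = [
        Request("alice", True, "US", laptop, SYNC),      # allowed
        Request("alice", True, "US", kiosk, VIEW),       # allowed: view only
        Request("alice", True, "US", kiosk, DOWNLOAD),   # denied: unmanaged device
        Request("bob", True, "CA", home_pc, DOWNLOAD),   # denied: not org-managed
        Request("carol", False, "XX", laptop, VIEW),     # denied: geo and MFA
    ]
    for user, action, ok in audit(policy, sample):
        print(f"{user:6} {action:8} {'ALLOW' if ok else 'DENY'}")
    for r in sample:
        for reason in evaluate(policy, r).reasons:
            print(f"  {r.user}: {reason}")
```

The design choice worth noting is that the device checks apply only to actions that copy data off the platform; a user on an untrusted machine can still look at a document in the browser, but the organization never loses custody of a copy. Collecting every failed rule rather than stopping at the first one also gives the security team a complete reason list to review when a denial is questioned.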
Gulick has one last word of caution: data stored in the cloud always remains the responsibility of the organization, rather than the cloud provider. If a data breach occurs, the financial and reputational repercussions fall directly to the organization.
Contact us for more information on how inSOC can help you fully secure your own and your clients’ cloud services.