Cloud services are used in enterprise environments for many purposes, from storing data in services like Box to accessing productivity tools through Microsoft Office 365 to deploying infrastructure IT in Amazon Web Services (AWS). In all of these uses, cloud services enable companies to move faster and accelerate their business with more agile technology, often at a lower cost.
However, any cloud service comes with the challenges and risks of data security in the cloud. The security of data created in the cloud sent to the cloud and downloaded from the cloud is always the responsibility of the cloud customer. Protecting cloud data requires visibility and control.
In the following steps, we have outlined a set of cloud security best practices that can guide organizations on the path to a secure cloud and resolve cloud security issues.
Phase 1: Understand cloud usage and risk
The first phase of cloud computing security is about understanding your current state and assessing risk. With cloud security solutions that enable cloud monitoring, you can take the following steps:
Step 1: Identify sensitive or regulated data
Your biggest risk is the loss or theft of data, resulting in penalties or loss of intellectual property. Data classification programs can categorize your data so you can fully assess this risk.
Step 2: Understand how sensitive data is accessed and shared
Sensitive data can be stored securely in the cloud, but you need to monitor who is accessing it and where it is going. Evaluate permissions for files and folders in your cloud environment and access contexts such as user roles, user location, and device type.
Step 3: Discover shadow IT (unknown cloud usage)
Most people do not ask their IT team before signing up for a cloud storage account or converting a PDF online. Use your web proxy, firewall, or SIEM logs to find out what cloud services are being used that you do not know about, and then perform an assessment of their risk profile.
Step 4: Review configurations for Infrastructure-as-a-Service (IaaS) such as AWS or Azure
Your IaaS environments contain dozens of critical settings, many of which can exploit vulnerabilities if misconfigured. Start by reviewing your identity and access management, network configuration, and encryption configurations.
Step 5: Uncover malicious user behaviour
Both careless employees and outside attackers can engage in behaviour that indicates malicious use of cloud data. User behaviour analysis (UBA) can uncover anomalies and mitigate both internal and external data breaches.
Phase 2: Protect your cloud
Once you know how your cloud security is, you can strategically protect your cloud services according to their risk level. There are several cloud security technologies you can use to implement the following best practices:
Step 1: Apply privacy policies
Now that your data is classified as sensitive or regulated, you can assign policies that define what data can be stored in the cloud, remove sensitive data found in the cloud, and train users if they make a mistake and violate your policies.
Step 2: Encrypt sensitive data with your keys
While the encryption available in a cloud service protects your data from outsiders, the cloud service provider still has access to your encryption keys. Instead, encrypt your data with your keys so that you can fully control access. Users can still work with the data without interruption.
Step 3: Set restrictions on data sharing
From the moment data enters the cloud, enforce your access control policies for one or more services. Start with measures like setting users or groups to viewers or editors and controlling what information can be shared externally through shared links.
Step 4: Prevent data from getting to unmanaged devices you do not know about
Cloud services allow access from anywhere there is an internet connection. However, access from unmanaged devices, such as a personal phone, presents a blind spot for your security measures. Block downloads to unmanaged devices by requiring a security scan of the device before downloading.
Step 5: Apply advanced malware protection to Infrastructure-as-a-Service (IaaS) such as AWS or Azure
In IaaS environments, you are responsible for the security of your operating systems, applications, and network traffic. Anti-malware technology can be applied to OS and the virtual network to protect your infrastructure. Apply application whitelisting and memory exploit prevention for single-purpose workloads and machine learning-based protection for general-purpose workloads and file stores.
Phase 3: Respond to cloud security issues.
As your cloud services are accessed and used, regular incidents need to be responded to either automatically or with guidance, just like in any other IT environment. Follow these best practices to get started responding to cloud security incidents:
Step 1: Require additional checks for high-risk access scenarios
If a user accesses sensitive data in a cloud service from a new device, it automatically requires two-factor authentication to prove their identity.
Step 2: Adjust cloud access policies as new services emerge
You cannot predict every cloud service that will be accessed. Still, you can automatically update web access policies, such as those enforced by a secure web gateway, with information about a cloud service’s risk profile to block access or display an alert. Achieve this by integrating a cloud risk database with your secure web gateway or firewall.
Step 3: Remove malware from a cloud service.
Malware can compromise a shared folder automatically synced to a cloud storage service, causing the malware to replicate in the cloud without user intervention. Scan your files in a cloud storage with anti-malware to prevent ransomware attacks or data theft.
As cloud services evolve, so do the challenges and threats you face when using them. Stay on top of updates to cloud provider features that affect security so you can adjust your policies accordingly. Security vendors will also adjust their threat intelligence and machine learning models accordingly. Several key technologies can be used in the above phases and best practices to achieve each step, often with cloud providers’ native security features.
For more assistance, you can take an expert’s advice at iSmile Technologies.