When it comes to cloud security, there are a few things that slip our minds.  

George Mateaki, CISSP, CISA, QSA, PA-QSA
By: George Mateaki
In recent years, cloud storage has become more popular with companies. Cloud applications, software, and infrastructures are incredibly useful and cost-effective when it comes to storing and managing data. But they do come with some risks that, if not properly addressed, could cost your company a lot.

The biggest concern with using the cloud is keeping your data secure and separate from other cloud environments. If your cloud data is made public, you could risk losing everything to data thieves.

cloud security
In the past, companies have said if you have data you can’t afford to lose, don’t put it in the cloud. However, more people are adopting cloud environments, and they can be secure.

Here are some cloud security risks that many companies may not have considered.

Assuming compliance 

While your company may be PCI compliant, there is no guarantee your cloud provider is compliant.
Tweet: While your company may be #PCI compliant, there's no guarantee your cloud provider is compliant. http://bit.ly/1OODfZG Tweet
It doesn’t matter how secure your company is; if your cloud provider has vulnerabilities, you risk losing valuable data. When talking to your provider, find out what they do in relation to PCI compliance:
  • Have they implemented best security practices
  • Are they limiting access? 
  • Do they have multiple layers of defense and controls?
  • Are they patching up vulnerabilities? 
  • Are they logging any suspicious activity?
  • Do they have the proper firewalls?
  • Do they monitor their employees? 
See Also: Does Your Third Party Vendor Put You At Risk?

Undefined responsibilities and policies

One big problem that companies run into with cloud security is the lack of defined responsibilities. For example, if the cloud provider assumes the company will provide a certain security, and the company in question assumes the provider will be doing that security, then the security measure isn’t taken care of and the cloud is vulnerable.  Defining responsibilities help ensure secure coverage and prevent potential liabilities in the event of a hack.

Read "PCI DSS Cloud Computing Guidelines" by the PCI Security Standards Council to learn more about defining responsibilities.

Your company also needs to have policies in place with the cloud, such as access, equipment use, network use, and incident response. There should be standards and responsibilities set up for not only the servers but also the virtualization technologies.

Just having the cloud doesn’t mean that you shouldn’t have policies for cloud use. Make sure you have documented policies and procedures to ensure cloud security.
Follow for more data security articles like this

Technology vulnerabilities

Just because the cloud itself may be secure, it doesn’t mean that the technology is secure.

Two significant hardware vulnerabilities include:
  • host system hypervisor vulnerabilities: if this system gets breached, hackers then have access to your data 
  • faulty server: if you don’t configure your server correctly, your cloud environment could still get breached
If you manage these systems, you'll want to have security policies and procedures in place. If your cloud provider manages them, you'll want to ensure that hardware is secure.

Lack of data breach protection

cloud data
Most companies want to do everything they can to prevent a breach in their Cloud, but what will they do if it does get breached? Do you know what steps you should take in the event of a breach? What if you lose valuable data?

Having cyber breach protection and recovery reimbursement to cover you in the case of a breach will help reduce costs if you do end up losing data. It’s good business practice, regardless of the technology.

See Also: Cyber Breach Insurance: How Much Does it Cost?

What you can do to protect your cloud

Just as there are ways cloud can get hacked, there are also ways you can prevent attacks. Here are my suggestions:
  • Limit access to those who need it, using role-based access
  • Make sure logging is working, and have 90 days of logs immediately available, and then a year of archives
  • Have a good conversation with your cloud provider to see how they’re protecting and segmenting their business environment. 
  • Have a Service Level Agreement. This is an agreement between you and the provider on what level of service they will provide 
  • Establish a documented standard for your cloud provider   
  • Regularly check your cloud provider to ensure they’re PCI compliant 
  • Incorporate and follow the standards for data encryption
  • Have risk analyses and assessments performed on your cloud 
See Also: 7 Hearty Tips to Avoid Costly Data Breaches

Don’t fall into the trap that many companies do and assume your cloud provider will provide all the necessary security to your cloud. You still need to establish security standards and protocols to keep your cloud data safe.

Using cloud storage can help you manage data better, but you need to have proper cloud security measures in place.

Don’t be afraid of the cloud; just be smart with it.

Need help securing your data? Talk with one of our IT security consultants!

George Mateaki (CISSP, CISA, QSA, PA-QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT. 

SecurityMetrics data security learning center
Wednesday, October 21, 2015