When it comes to cloud security, there are a few things that slip our minds.
By: George Mateaki
The biggest concern with using the cloud is keeping your data secure and separate from other cloud environments. If your cloud data is made public, you could risk losing everything to data thieves.
Here are some cloud security risks that many companies may not have considered.
While your company may be PCI compliant, there is no guarantee your cloud provider is compliant. It doesn’t matter how secure your company is; if your cloud provider has vulnerabilities, you risk losing valuable data. When talking to your provider, find out what they do in relation to PCI compliance:
- Have they implemented best security practices?
- Are they limiting access?
- Do they have multiple layers of defense and controls?
- Are they patching up vulnerabilities?
- Are they logging any suspicious activity?
- Do they have the proper firewalls?
- Do they monitor their employees?
Undefined responsibilities and policies
One big problem that companies run into with cloud security is the lack of defined responsibilities. For example, if the cloud provider assumes the company will provide a certain security control, and the company in question assumes the provider will be providing that control, then the security measure isn’t taken care of and the cloud is vulnerable. Defining responsibilities helps ensure secure coverage and prevents potential liabilities in the event of a hack.
Read "PCI DSS Cloud Computing Guidelines" by the PCI Security Standards Council to learn more about defining responsibilities.
Your company also needs to have policies in place with the cloud, such as access, equipment use, network use, and incident response. There should be standards and responsibilities set up for not only the servers but also the virtualization technologies.
Just having the cloud doesn’t mean that you shouldn’t have policies for cloud use. Make sure you have documented policies and procedures to ensure cloud security.
Technology vulnerabilities
Just because the cloud service itself may be secure, it doesn’t mean that the technology underneath it is secure.
Two significant hardware vulnerabilities include:
- Host system hypervisor vulnerabilities: if this system gets breached, hackers then have access to your data.
- Faulty server: if you don’t configure your server correctly, your cloud environment could still get breached.
Lack of data breach protection
Having cyber breach protection and recovery reimbursement to cover you in the case of a breach will help reduce costs if you do end up losing data. It’s good business practice, regardless of the technology.
What you can do to protect your cloud
Just as there are ways the cloud can get hacked, there are also ways you can prevent attacks. Here are my suggestions:
- Limit access to those who need it, using role-based access.
- Make sure logging is working, and have 90 days of logs immediately available, and then a year of archives.
- Have a good conversation with your cloud provider to see how they’re protecting and segmenting their business environment.
- Have a Service Level Agreement. This is an agreement between you and the provider on what level of service they will provide.
- Establish a documented standard for your cloud provider.
- Regularly check your cloud provider to ensure they’re PCI compliant.
- Incorporate and follow the standards for data encryption.
- Have risk analyses and assessments performed on your cloud.
Don’t fall into the trap that many companies do and assume your cloud provider will provide all the necessary security to your cloud. You still need to establish security standards and protocols to keep your cloud data safe.
Using cloud storage can help you manage data better, but you need to have proper cloud security measures in place.
Don’t be afraid of the cloud; just be smart with it.
George Mateaki (CISSP, CISA, QSA, PA-QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.