Top Cloud Security Controls Organizations Should Be Using
In this post, we’ll review an incident from last year to demonstrate the breadth of controls that should be established, as well as the difficult position in which any security event can place you. Reviewing key controls gives you a specific path forward to secure your critical cloud data.
Human error exposes personal data
In July 2017, Verizon experienced a security incident that made national headlines in the United States. While no hack took place and no customer information was taken, the data was publicly exposed. A partner of the organization was using a data set from the telecommunications company to test and suggest changes to a self-service portal. A member of the third party's staff mistakenly set up the data’s cloud storage to permit external access.
As far as security events go, this one may not seem important. Forensic analysis determined that only one unauthorized user viewed the data: a researcher at UpGuard, who immediately alerted someone to the problem. However, Verizon still had to spend time and resources responding to the incident. Plus, thrust into the security news spotlight, Verizon may have lost some credibility by reporting that “there was a limited amount of personal data included.” The notion of the personal data as “limited” was also used by the third-party provider, NICE Systems, which called the data “limited information for a specific project.”
Despite these descriptions, the data was that of 6 million unique customers, including their names, phone numbers, addresses, and account PINs. UpGuard noted that this information would’ve enabled a nefarious party to transfer a phone number to a new SIM card, among other possibilities.
This story is important because it demonstrates the effects of security incidents, regardless of whether the information is taken or not. Plus, as indicated by Fahmida Y. Rashid, the incident highlighted the fact that both cloud service providers (CSPs) and companies must hold themselves accountable for cloud security.
Key cloud security controls
Misconfiguration is not the only issue that can arise when attempting to keep cloud systems secure. These six controls are key to protecting your customer data, as well as any other information, in cloud environments:
#1. Understand your responsibilities.
One initial concern is that organizations don’t understand their role in protecting customer data. For example, most infrastructure cloud service environments place responsibility on the customer to properly safeguard the information, configure the operating system, and manage apps. Ask your cloud hosting provider what your responsibility is related to each of these security controls.
#2. Audit business and operational processes.
Audits are critical to ensuring compliance with standards from your own policies and procedures, as well as those from government regulators and industry groups (think PCI compliance or HIPAA-compliant hosting). You want to see a third-party auditor's report from your cloud provider; a typical report is a “Statement on Standards for Attestation Engagements 18” (SSAE 18, formerly SSAE 16) from the American Institute of Certified Public Accountants (AICPA).
The Cloud Standards Customer Council noted that "the level of access to essential audit information is a key consideration of contracts and SLA terms with any cloud service provider." Your expectation should be that you can quickly get access to audit logs, events, and documentation pertaining to your apps and data.
#3. Set up access controls.
Use the identity and access control mechanisms that are available through your CSP.
Keep user permissions as low as you possibly can when you set up your access and identity control policies, raising them temporarily only as needed. Tighten the scope of security groups, and reference security group IDs when you can.
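An added example, not part of the original article: a small audit that flags ingress rules open to the internet or to broad address ranges and leaves rules that reference another security group's ID alone. The AWS EC2 rule shape, the group IDs, the allowed web ports and the /24 threshold are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample shaped like AWS EC2 DescribeSecurityGroups output
# (an assumption; the article does not name a provider).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa0000000000001", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0bbb0000000000002", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0aaa0000000000001"}]},
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []}]},
]

PUBLIC_OK_PORTS = {80, 443}  # assumption: only web ports may face the internet
MIN_PREFIX = 24              # assumption: sources broader than a /24 need review


def audit_security_groups(groups):
    """Return (group_id, ports, source, reason) for each ingress rule to tighten."""
    findings = []
    for group in groups:
        for rule in group.get("IpPermissions", []):
            all_traffic = rule.get("IpProtocol") == "-1"
            lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
            ports = "all" if all_traffic else f"{lo}-{hi}"
            for rng in rule.get("IpRanges", []):
                net = ipaddress.ip_network(rng["CidrIp"], strict=False)
                web_only = not all_traffic and all(
                    p in PUBLIC_OK_PORTS for p in range(lo, hi + 1))
                if net.prefixlen == 0 and not web_only:
                    findings.append((group["GroupId"], ports, str(net),
                                     "open to the internet"))
                elif 0 < net.prefixlen < MIN_PREFIX:
                    findings.append((group["GroupId"], ports, str(net),
                                     "broad CIDR; reference a security group ID"))
            # Sources given as another group's ID (UserIdGroupPairs) are already
            # scoped to that group's members, so they are not flagged.
    return findings
```

On the sample, the SSH rule open to 0.0.0.0/0 and the all-traffic rule from 10.0.0.0/8 are reported, while the database rule that admits only members of the web group is not.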
#4. Protect the data.
Risk is the key consideration for data safeguards in the cloud, including the following:
- risk of retaining data beyond the necessary timeframe;
- risk of unauthorized changes to data;
- risk of data unavailability or loss; and
- risk of unauthorized disclosure or theft.
To explore this issue through prominent standards, see ISO/IEC 27002 and ISO/IEC 27017 from the International Organization for Standardization and International Electrotechnical Commission.
#5. Optimize your visibility.
Use all the monitoring and logging tools that your cloud service provider offers so that you know about unauthorized access immediately. The information you can get from these tools typically includes records of API calls, source IP addresses, the times the calls were made, and the contents of the requests.
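An added example, not part of the original article: a review pass over API-call records that uses the four fields listed above (call, source IP, time, request contents) to flag calls from outside trusted networks and ACL changes that make storage public. The CloudTrail-style field names, the trusted network and every record are assumptions constructed for illustration.

```python
import ipaddress
import json

# Constructed, simplified audit records, one JSON object per line. Field names
# follow the AWS CloudTrail record shape (an assumption; the article names no provider).
SAMPLE_LOG = """
{"eventTime":"2024-01-15T09:12:03Z","eventName":"GetObject","sourceIPAddress":"10.20.1.15","userIdentity":{"userName":"etl-job"},"requestParameters":{"bucketName":"example-test-data"}}
{"eventTime":"2024-01-15T09:40:47Z","eventName":"PutBucketAcl","sourceIPAddress":"10.20.1.99","userIdentity":{"userName":"contractor1"},"requestParameters":{"bucketName":"example-test-data","x-amz-acl":"public-read"}}
{"eventTime":"2024-01-16T02:05:10Z","eventName":"GetObject","sourceIPAddress":"203.0.113.77","userIdentity":{"userName":"svc-report"},"requestParameters":{"bucketName":"example-test-data"}}
{"eventTime":"2024-01-16T03:00:00Z","eventName":"GetBucketAcl","sourceIPAddress":"config.amazonaws.com","userIdentity":{"userName":"config-recorder"},"requestParameters":{"bucketName":"example-test-data"}}
"""

TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumption: corporate range
ACL_CALLS = {"PutBucketAcl", "PutObjectAcl"}           # calls that can change exposure
PUBLIC_MARKERS = ("public-read", "AllUsers")           # also matches public-read-write


def review_api_calls(log_text):
    """Return (time, user, call, reason) for each record that needs a closer look."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        who = rec.get("userIdentity", {}).get("userName", "?")
        src = rec.get("sourceIPAddress", "")
        try:
            ip = ipaddress.ip_address(src)
            outside = not any(ip in net for net in TRUSTED_NETS)
        except ValueError:
            outside = False  # a provider service name rather than an IP address
        if outside:
            alerts.append((rec["eventTime"], who, rec["eventName"],
                           f"untrusted source {src}"))
        body = json.dumps(rec.get("requestParameters", {}))
        if rec["eventName"] in ACL_CALLS and any(m in body for m in PUBLIC_MARKERS):
            alerts.append((rec["eventTime"], who, rec["eventName"],
                           "request grants public access"))
    return alerts
```

The second rule catches the kind of storage misconfiguration described in the incident above at the moment the permission is changed, rather than after someone outside finds the data.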
#6. Safeguard your keys.
Keep your cloud services access keys protected. Train developers so that keys are not leaked through channels such as source code repositories, Kubernetes dashboards, and public websites. You want a unique key for each cloud service, with access restricted to the minimum permissions possible.
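An added example, not part of the original article: a pre-commit style scan that looks for access keys in files before they reach a source code repository. The file names, the entropy threshold and the choice of the AWS access key ID format are assumptions; the two credential values are the placeholder key pair from AWS's public documentation.

```python
import math
import re
from collections import Counter

# Constructed repository snapshot (path -> contents). The two credential values
# are the placeholder key pair AWS uses in its public documentation.
SAMPLE_FILES = {
    "deploy/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        'DB_PASSWORD = os.environ["DB_PASSWORD"]\n'
    ),
    "k8s/values.yaml": 'api_key: "xxxxxxxxxxxxxxxxxxxxxxxx"  # filled in at deploy time\n',
}

KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")  # AWS access key ID format
ASSIGNED = re.compile(                                 # secret-looking name = long literal
    r"(?i)(?:secret|token|api[_-]?key|password)\w*\s*[:=]\s*[\"']?([A-Za-z0-9/+=_-]{20,})")
MIN_ENTROPY = 3.5  # assumption: bits per character; filters filler such as "xxxx..."


def entropy(text):
    """Shannon entropy of the string, in bits per character."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def scan_for_keys(files):
    """Return (path, line_number, rule, redacted_value) for each likely credential."""
    findings = []
    for path, content in sorted(files.items()):
        for lineno, line in enumerate(content.splitlines(), start=1):
            hits = [("access-key-id", m.group(0)) for m in KEY_ID.finditer(line)]
            hits += [("high-entropy-secret", m.group(1))
                     for m in ASSIGNED.finditer(line)
                     if entropy(m.group(1)) >= MIN_ENTROPY]
            for rule, value in hits:
                # Report only a prefix so the scanner output does not leak the key again.
                findings.append((path, lineno, rule, value[:4] + "*" * (len(value) - 4)))
    return findings
```

The environment-variable lookup and the low-entropy filler value are not reported, which keeps the scan usable on real repositories where secret-looking names are common but hard-coded values should not be.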
Controlling cloud security
While it might seem complicated to protect cloud systems, it is possible to properly safeguard your ecosystem with the right set of controls. The importance of considering various controls is highlighted every time an organization exposes critical information. To bolster your defensive posture and avoid various costs and hits to your credibility that arise following a cloud security incident, focus on the above six controls.
Adnan Raja has been the Vice President of Marketing at atlantic.net for 14 years. During Raja’s tenure, the Orlando-based, privately held hosting company has grown from having a primarily regional presence to garnering and developing attention nationwide and internationally. In collaboration with a skilled and dedicated team, Raja has successfully led a full spectrum of marketing campaigns, as well as handling PR work with major news outlets and the formation of key strategic alliances.