I can barely remember the last time I installed a physical server at a company. These days, most companies have switched the majority of their services and information over to cloud services. There are many reasons for this, ranging from cost to practicalities — like trying to avoid buying hardware that will later become obsolete or lose its value, avoiding the costs of maintenance and energy, or simplifying the work of the IT department. Another advantage, from the perspective of smaller businesses, is the ability to add a server or a specific service at the touch of a button.
While this – now not so new – solution has made things much simpler for small and large companies alike, it has also led to new discussions and considerations about security.
If you have migrated your services and information to the cloud, or are thinking of doing so, here are a few considerations to keep in mind that could help you avoid a bad experience.
1. Know your service provider
With so many cloud computing services on the market these days, the first step is deciding who to entrust with your company’s information and systems.
To make this decision, it isn’t enough merely to consider which services and platforms the various providers offer; rather, it is also important to take into account their reputation and to carefully read the terms of their contract. Is the company responsible with the information it handles? What security measures do they apply? Do they have security certifications? Have they had any incidents? If so, how did they handle them?
A more prestigious company’s services may be more expensive than those of a smaller, less known company. However, we need to be aware that the maintenance tasks involved in keeping an infrastructure secure, requires time and energy, and this often translates into a higher cost for the customer. Remember, when it comes to security, what appears to be cheap can turn out to be very costly.
2. Understand your business and your needs
We have applied this tip to countless circumstances: Designing a security policy, certification of a standard, backup models, and the implementation of new technologies. The point is, before you make any important decision, you always have to think about how it will affect your business, and consider what your company’s goals are.
If you need a fast connection without lag or latency between your office and the cloud services, you could be in for some disappointment. Perhaps the ability to store files in the cloud and access them from anywhere is a tempting solution, but if we are talking about database queries, the response time could have an impact on your business.
If you deal with large volumes of information in real time, it may be worth considering an optimization option before taking those services to the cloud.
3. Encrypt your information
Encrypt data stored in the cloud as well as data in transit; basically, encrypt everything that can be encrypted! While this may require extra effort and increase the complexity of operations, what is certain is that doing so adds an additional layer of security to all your confidential information.
Remember that if you decide to take out services in the cloud and deposit your data there, you will also be delegating, to a large extent, the protection of this information. As secure and reliable as a provider might be, it is not a good idea to be completely dependent on one, and it is never overdoing it to encrypt critical data so that, in the event of a security breach, the data is not exposed.
4. Control access to the cloud
Although your data and applications may no longer be located physically within your organization, it does not mean you can simply wash your hands of all management tasks. Your service provider may supply you with an array of security controls, and keep the infrastructure protected, but if you leave the door open, it will all be in vain.
Restrict access to the information, just as you would if it were located within your organization. Segregate functions and restrict user connections. In fact, it is highly recommended to use extra protection measures like two-factor authentication when starting a session on a cloud-based platform.
5. Back up your information
Today, backups are one of the most basic and fundamental protective measures in any security system. While this service tends to be included in the contract and forms part of the tasks performed by the provider, we must remember that it is not only a matter of safeguarding the information — but also of being able to recover it.
For this reason, it is recommended that you regularly restore the backed-up information. This way, not only will you be able to check that the provider is fulfilling this aspect of the contract, but also that the information will be complete and available when you need it.
6. Read the terms and conditions of service carefully
Pay special attention to the sections that talk about the handling of information, and about privacy and liability with regard to the information you store on the cloud. You would not be the first to come across phrases like: “You give us the right to access, retain, use, and divulge information from your account and your files for the purpose of providing you with support and resolving technical problems” or “We do not guarantee that your files will not be subject to misappropriation, loss or damage, and we will not be held liable if this should happen.”
Also check the response times and SLA (Service Level Agreement) promised by the provider and ensure that they are within the time frames and commitments you have with your customers. Avoid having these surprises crop up when an incident occurs, or when you make a complaint.
7. Remember: The cloud can get infected too
It is a common mistake to think that malware cannot affect equipment in the cloud. In fact, we have seen a number of variants of the Crisis malware, which infects equipment running VMWare systems. Just as there is malicious code out there that is designed for attacking virtualization platforms, like Venom, we also need to take into account the known threats that continue to spread through operating systems.
Having your infrastructure in the cloud does not exempt you from the need to use a good comprehensive security solution that includes protection for servers and services, as well as for the hardware which accesses that infrastructure.
Of course, the cloud can offer great advantages for your company, and it will depend on your individual business when it comes to the type of services and information you decide to migrate to this platform. Whatever your circumstances may be, don’t forget these tips to keep your information protected and to make your migration as secure as possible.
written by Cecilia Pastorino, ESET