Almost every major organization in the world is using the cloud to store their sensitive or essential data. The cloud is essentially a shared environment in a distinct geographical location where most users don’t have physical access. The end-users need not have to worry about the cumbersome task of managing and operating the entire cloud infrastructure, as it is the responsibility of the cloud service provider. But at the same time, it raises another important aspect of the privacy and security of the data stored in the cloud. In recent years, there have been frequent cloud computing attacks including account or service hijacking, denial of service, data loss, data breaches, and many others.
In December 2010, Microsoft’s hosted Business Productivity Online Suite (BPOS) service was left exposed online, which allows unauthorized users to access the employee contact info in their offline address books. In 2012, Dropbox was victimized by a massive data breach, which resulted in a compromise of credentials of more than 68 million of its customers. Several other industry giants, including LinkedIn, Apple and several others have had their data exposed in the cloud. And in most of such incidents, the common reasons for such issues turn out to be some unpatched security vulnerabilities, human error, or some malpractice by insiders, all of which can be avoided. To prevent such type of attacks, and protect data online, and avoid becoming a victim of a cloud data breach, organizations can follow these best practices:
Encrypt all data (at-rest and in-motion)
The first step to protecting yourself in the case of cloud data breaches in the cloud is fundamentally the same as protecting data outside of the cloud, which is encryption. In the process of encryption, readable data is encoded with a key, so it becomes unreadable for those without the unlocking key. This could be applied for data that is “at-rest” as well as data “in-motion.” The data at-rest is usually saved on local disks, SAN, NAS, or another storage medium. So the encryption at rest can generally be implemented in one of two ways — the entire disk or file-level encryption. The most commonly used encryption algorithms are Triple DES, RSA, Blowfish, Twofish, and AES.
Data is at more risk when it is moving from one location to another location, i.e., “in-motion.” When data is transmitted from one place to another, it passes through dozens of potential points of vulnerability across the data path where an intruder may attempt to sniff it. To protect data in such a situation, the datastream is encrypted at the source and then decrypted at the destination. The encryption can be performed using TLS/SSL or IPsec VPN tunnels for encryption. IPsec can be used to create a mutual authentication between endpoints and source, while the transport layer security (TLS) and secure sockets layer (SSL) encryption can be used to secure data transfer. In case of a new implementation or an upgrade, organizations can use TLS, which is more efficient and secure than SSL.
Ensure management and security of keys
One crucial factor in creating a data protection plan is whether encryption and decryption will take place locally and be distributed throughout the organization or will be done at a central location on a single-purpose encryption server. If encryption and decryption are distributed, the key manager must provide for the secure distribution and management of keys. There are three ways to protect keys for encrypted data in the cloud: The first is storing the keys in-house, within the secure servers of the organization. The second way is storing the keys in a hosted environment, and the last one is saving the keys in the cloud. Each of these options has its advantages and disadvantages. Based on the requirements and suitability, organizations can opt for suitable key management practices.
For on-premises key management, organizations can deploy hub-and-spoke architecture for distributed key management that allows encryption and decryption nodes toward any point within the enterprise network. Spoke key-management components could be easily deployed to these nodes and integrated with the local encryption applications. Once the spoke components are in use, all encryption and decryption of the formerly clear-text data are performed locally to reduce the risk of a single component failure. The key manager should manage the generation, rotation, export, secure storage, and retirement of the keys used for encryption at the spokes. Organizations may also take help from third-party vendors with expert knowledge of key management best practices for the cloud.
Exposed cloud applications
Having complete knowledge and security configurations of used cloud apps can help organizations find any exposed applications. Organizations should periodically test for vulnerability and any possibility for penetration inside their cloud environment. There are a large number of automatic and semiautomatic vulnerability scanning tools available that can help scan your cloud and web-space for any known vulnerabilities like SQL injections, command injections, cross-site scripting or insecure server configurations. A regular check of the network and the cloud for vulnerabilities can help locate the exposed apps, so that admins can take adequate steps to protect them, like updating an outdated application. Such regular checks also help organizations analyze the actual need for such apps. Organizations can change up and choose apps that best suit their business and their clients. If they find that apps no longer meet their criteria or are not secure enough, they can change or remove them. Today, there are so many applications to choose from, and switching over has become common.
Proactively assess the security offered by the cloud service provider
It is essential to understand and evaluate the security reliability and capability of your cloud service provider. Ideally, you should choose cloud providers that are more proactive than reactive about cloud security. The provider should be conducting regular investigations into the weaknesses and vulnerabilities in their platform and should take proactive actions against any potential threats. Organizations can ask their cloud provider for their security management policies, risk management structure, and third-party vendor risk assessment policies. Also, check the cloud provider’s reputation and see who its partners are. Find out its level of cloud experience and read reviews and talk to customers who are already using it.
Monitor and log all network activities
Even if the cloud vendors are providing good security (physical, network, OS, application infrastructure), it is the organization’s responsibility to protect and secure their data and prevent any unforeseen incidents due to any loose endpoints or intruder activities. Your security admins must have a good knowledge and tracking of all the data that is flowing in and going out of the cloud environment And they must know the context of the user activities with their accounts. Having a complete understanding of who is sharing what and with whom will help organizations employ proper policies to protect themselves.
Cloud data breaches: Prevention is better than cure
As the saying goes, it is better to be safe than sorry, even in the context of the security of your data stored in the cloud. You should have a clearly defined cloud-security standard, which must be checked against the security options available in the selected cloud environment. Also, there must be clearly defined contracts for the roles and responsibilities of all the stakeholders involved, including the vendors, partners, employees, and the cloud service provider. You must also ensure that the entire system remains compliant with the applicable government regulations. Awareness and proactive actions can help reduce security risks in the cloud.
Featured image: Shutterstock
