The increased reliance on cloud-based IT systems is requiring C-level executives, IT managers, CISOs and security professionals to take ownership of security within their cloud activities. A recent survey that polled 400 IT decision makers across the US and Europe found that, on average, 40% of all organizations’ applications are deployed in the cloud, and this number is expected to grow an additional 30% in the next year.
Security is now a priority because of this increased reliance on cloud platforms and the fact that organizations understand all too clearly the consequences of security breaches. The last year has seen substantial damage caused to large companies by such breaches and the potential for significant reputational, financial and operational impacts is now recognized.
One of the largest breaches in 2016 occurred at the UK mobile operator Three, when hackers successfully accessed its customer upgrade database simply by using an employee login. This occurred soon after another major breach at broadband provider TalkTalk, where the details of more than 150,000 customers were stolen, including the bank account details of around 15,000. The result was 95,000 lost subscribers, which cost the company approximately £60 million.
Below are eight recommendations for ensuring cloud security. While these might seem a bit overwhelming, the alternative is even scarier – risky cloud use that leaves organizations vulnerable. With thorough planning and a new perspective on cloud security, your company’s data will be more secure in 2017.
- Don’t put a bullseye on your data. Think about approaches that minimize the target value of an organization’s data. Consider deploying services on virtual private clouds or internal/on-prem systems - entirely within a firewall, keeping information away from the spotlight of highly visible SaaS targets.
- Protect corporate user identities or metadata. User identities are subject to hacking; enterprises must protect their corporate user identities, since loss of a user identity is likely to result in loss of that user’s corporate data. Similarly, an attacker who can collect evidence on the existence of data and its properties can pose as much of a threat as one who obtains the data itself. Some cloud storage solution providers do not adhere to this strategy and keep all of their customers’ metadata centralized in a public place, thus indirectly asking enterprises to put their faith in them, which poses a significant risk to data confidentiality and integrity.
- Avoid risks associated with SaaS providers generating and/or managing encryption keys. Encryption keys generated on unencrypted servers can provide attackers with easy access to enterprise data. Similarly, having your SaaS provider manage your keys increases your susceptibility to losing control of your data. While cloud service providers boast high security, including physical protection of hosting facilities, electronic surveillance and ISO 27001 certifications, many provide no protection against government data requests, blind subpoenas, or clandestine spying. Make sure you own user identities, metadata, and encryption keys to ensure the highest levels of data privacy.
- Control your endpoints and offices. Use enterprise mobility management (EMM) tools to eliminate shadow IT and create secure productivity spaces within corporate-provided and BYOD devices. Encrypt all data at the source to ensure the greatest levels of access and file security.
- Lock down external collaborator access. Implement strict policies to enforce what data can and cannot be uploaded in a file sharing environment, control which domains and email addresses can and cannot be emailed, and audit all accesses to ensure there are no anomalous events. Data loss prevention (DLP) tools can be used to restrict access behaviors.
- Improve password security. Set rigorous policies around password strength and refresh rates. Consider adding multi-factor authentication, which requires the user to combine something they know, like a static password, with something they have, such as a smart card or a token that generates a one-time password.
- Know your data protection options. Understand the limitations of cloud services to recover data lost in the event of an attack, user error, etc., as part of your vendor’s SLAs. Ensure that you protect data residing in the cloud – i.e. back up your SaaS applications, as well as services and applications running on public cloud IaaS – as part of a comprehensive organizational strategy for backup/recovery of data in all locations (on-prem and in-cloud).
- Investigate multi-cloud strategies. When organizations run applications on multiple cloud services rather than relying on a single vendor, they reduce the risk of a vendor’s service outage causing them significant issues and downtime. This is a critical component of a cloud strategy that enables organizations to preserve cloud optionality while strengthening their business continuity models.
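The external-collaborator controls recommended above (a recipient-domain allowlist, an upload restriction, and an access audit for anomalous events) can be expressed as a small check over a sharing service's audit log. This is an added example, not code from the article; the JSON-lines log format, field names, domains and thresholds are all assumptions constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy values for illustration; none come from the article.
HOME_DOMAIN = "example.com"
ALLOWED_DOMAINS = {HOME_DOMAIN, "partner.example"}
BLOCKED_LABELS = {"restricted"}
BURST_LIMIT = 3                       # downloads allowed per window
BURST_WINDOW = timedelta(minutes=10)

# Constructed audit events in a hypothetical JSON-lines format.
SAMPLE_LOG = """
{"ts":"2017-01-09T09:00:00","actor":"alice@example.com","action":"share","target":"bob@partner.example","file":"roadmap.pdf"}
{"ts":"2017-01-09T09:05:00","actor":"alice@example.com","action":"share","target":"carol@freemail.test","file":"roadmap.pdf"}
{"ts":"2017-01-09T09:06:00","actor":"alice@example.com","action":"share","target":"eve@example.com.lookalike.test","file":"roadmap.pdf"}
{"ts":"2017-01-09T09:10:00","actor":"dave@example.com","action":"upload","file":"payroll.xlsx","label":"restricted"}
{"ts":"2017-01-09T10:00:00","actor":"bob@partner.example","action":"download","file":"a.pdf"}
{"ts":"2017-01-09T10:02:00","actor":"bob@partner.example","action":"download","file":"b.pdf"}
{"ts":"2017-01-09T10:04:00","actor":"bob@partner.example","action":"download","file":"c.pdf"}
{"ts":"2017-01-09T10:06:00","actor":"bob@partner.example","action":"download","file":"d.pdf"}
{"ts":"2017-01-09T11:00:00","actor":"bob@partner.example","action":"download","file":"e.pdf"}
"""

def domain(addr):
    # Compare the full domain after the last "@", so look-alike suffixes do not match.
    return addr.rsplit("@", 1)[-1].lower()

def audit(log_text):
    """Return (rule, actor, detail) findings for policy violations and anomalies."""
    findings = []
    downloads = defaultdict(list)     # external actor -> recent download times
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        if ev["action"] == "share" and domain(ev["target"]) not in ALLOWED_DOMAINS:
            findings.append(("disallowed_domain", ev["actor"], ev["target"]))
        elif ev["action"] == "upload" and ev.get("label") in BLOCKED_LABELS:
            findings.append(("blocked_upload", ev["actor"], ev["file"]))
        elif ev["action"] == "download" and domain(ev["actor"]) != HOME_DOMAIN:
            recent = [t for t in downloads[ev["actor"]] if ts - t <= BURST_WINDOW]
            recent.append(ts)
            downloads[ev["actor"]] = recent
            if len(recent) == BURST_LIMIT + 1:   # flag once, when the limit is first exceeded
                findings.append(("download_burst", ev["actor"], ev["file"]))
    return findings
```
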
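The "token that generates a one-time password" in the password-security recommendation is commonly a time-based OTP as specified in RFC 6238. The sketch below is an added example, not code from the article, showing server-side verification with a clock-drift window and replay rejection; the function names and the `last_counter` bookkeeping are assumptions, and the secret is the published RFC test key.

```python
import hashlib
import hmac
import struct

RFC_SECRET = b"12345678901234567890"   # RFC 6238 test key, never a real secret

def hotp(secret, counter, digits=6):
    """RFC 4226 HMAC-based OTP for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, at, step=30, digits=6):
    """RFC 6238: the counter is the number of time steps since the Unix epoch."""
    return hotp(secret, int(at) // step, digits)

def verify(secret, submitted, at, last_counter, window=1, step=30):
    """Return the matched time-step counter, or None.

    window tolerates clock drift of +/- `window` steps; last_counter is the
    highest counter already accepted for this user, so a code cannot be replayed.
    The caller stores the returned counter as the new last_counter.
    """
    current = int(at) // step
    for c in range(max(0, current - window), current + window + 1):
        if c <= last_counter:
            continue                               # already used or older: reject
        expected = hotp(secret, c).encode()
        if hmac.compare_digest(expected, submitted.encode("utf-8")):
            return c
    return None
```
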