Cloud computing has changed how many businesses operate. Nowadays almost all major companies, and even startups, actively use cloud solutions rather than relying on expensive and rigid on-site infrastructure. In fact, 90% of surveyed organizations are using at least one cloud service, showing that cloud technology is no longer a luxury for tech-savvy businesses but is now mainstream.
However, it’s important to remember that these cloud solutions are online, and so they are exposed to cybersecurity threats from hackers and cybercriminals. With so many businesses now highly dependent on these cloud services to store and manage sensitive data (including their users’ data), they are very attractive targets.
Thus, all businesses using these cloud solutions must understand the best security practices to ensure their data and information are sufficiently protected in these cloud environments. In this guide, we will learn how.
Let us begin, however, by discussing the concept of cloud security to ensure we are all on the same page.
What Is Cloud Security
Cloud computing security, or simply cloud security, is a set of policies, protocols, control procedures, and software/technologies that are integrated together to protect cloud-based data, infrastructure, and systems.
Cloud security is specifically configured to protect cloud data and/or user information while maintaining regulatory compliance. This will include setting authentication rules for all the devices that are connected to the cloud service, and also all the users that are going to use the service. Cloud security can be custom-tailored according to the exact needs of the business, for example by filtering traffic (to block/mitigate bot traffic) and authenticating access, among other functions.
There are various ways to implement cloud security, depending on the cloud service and the security solutions available. However, the implementation should be a cooperative process between the solution provider and the business owner.
Principles of Cloud Security
As discussed, security threats are constantly evolving. Malicious programs and automated bots have also evolved to be much more sophisticated than ever, and now they are very effective in targeting cloud-based services and solutions.
With that being said, we have to establish clear basic principles to help define our strategic approach to cloud security rather than detailing the specifics for each tactic.
1. Security approach should depend on the platform
We simply can no longer rely on a one-size-fits-all solution for all our cloud security needs. Different cloud services might require different security software solutions, not to mention open-source libraries and other cloud-based tools involved in the system.
It’s important to define and implement security controls at the lowest possible practical level, as close to the data storage location as possible. The challenge in this, however, is not solely about implementing security and maintaining data privacy, but also about implementing consistent controls and policies.
For example, when we apply different security policies to different components of our cloud systems, we have to make sure that attention stays consistent across all of these components.
2. Assume you are a target
Nowadays data breaches aren’t an issue exclusive to big companies and enterprises; many cybercriminals are now actively targeting smaller businesses and even individuals. A good principle is to assume that you are indeed a target, so that you maintain security best practices at all times.
In practice, we should regularly test our systems and all cloud services for potential vulnerabilities, and continuously monitor and analyze our systems for unusual activity that often indicates a threat.
3. Security is mostly about isolating your network
Establishing security boundaries to isolate your network, mainly by implementing firewalls, is still very important. However, the best practice nowadays is to establish firewalls inside your system. By establishing different security zones this way, we can still prevent a single attack from compromising the whole network when the network has been breached and your cloud security is compromised.
4. Sensitive data require sophisticated access controls
It’s very important to locate systems that store sensitive data and identify which data is risky (i.e. personally identifiable). We have to identify and label this sensitive data while ensuring access is carefully controlled: allowing the right users to see the right data while preventing all others from accessing it.
For example, the marketing team should only be allowed to view customer data that is relevant to the current campaign, not every customer’s data. We might also want to restrict employees’ access to customers’ financial information.
5. Security and business continuity should go hand-in-hand
On the one hand, we have to ensure that cloud security implementations don’t interfere with business continuity. On the other hand, in the event of an attack, we also have to ensure the availability of the whole business workflow. We have to implement a protocol by which service can be restored as quickly as possible: the whole application must be back up and running ASAP, not just the bare minimum needed for the system to get back to work.
Cloud Security Best Practices: Step-By-Step
In implementing cloud security best practices, we can differentiate the crucial steps into three different phases:
- Identifying your cloud usage state and the associated risks
- Protecting your cloud system
- Responding to attack vectors and security issues
Phase 1: Identifying cloud usage state and risks
In this first phase, we should focus on understanding the current state of your system and integrated cloud solutions while assessing risks associated with all the different elements. We can do this by executing the following steps:
Step 1: Identify sensitive data
Data is the lifeblood of modern businesses, and regulated data, when stolen, may result in legal penalties or even a loss of intellectual property. You have to correctly identify and label your sensitive and regulated data for this purpose.
You can use various data classification tools if necessary in this step.
Step 2: Identifying how this sensitive data is being accessed
Now that we’ve properly identified and labeled the sensitive data in our system, we have to monitor and analyze who accesses this data and how it’s being shared. Check for the access controls/permissions on files and folders in your cloud environment, and also monitor other relevant factors like user roles, location, device type, and so on.
Step 3: Discover unknown cloud usage
In an office environment, it’s common for employees to sign up for seemingly harmless cloud services like cloud storage (e.g. Dropbox, Google Drive), online conversion tools (e.g. PDF converters, YouTube downloaders), and so on.
In such cases, the IT team might not be notified, resulting in unknown cloud services being used in your environment (and they carry potential risks). Discover these unknown services by monitoring your system usage.
Step 4: Check configurations for cloud services
Your cloud services might contain various important settings that may cause exploitable vulnerabilities when not configured correctly. This is especially important if you are using cloud IaaS (Infrastructure as a Service) solutions like Microsoft Azure or Amazon Web Services (AWS).
Check the configurations for encryption, network controls, and access/authentication management.
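The three areas named in this step (encryption, network controls, access/authentication) can be checked mechanically once the settings are exported. The following is an added example, not part of the original guide; the inventory and its field names are constructed and do not follow any provider's real schema.

```python
import ipaddress

# Constructed inventory; field names are assumptions for this example.
INVENTORY = [
    {"id": "bucket-logs", "type": "storage", "encrypted": True, "public": False},
    {"id": "bucket-exports", "type": "storage", "encrypted": False, "public": True},
    {"id": "fw-admin", "type": "firewall_rule", "source": "0.0.0.0/0", "port": 22},
    {"id": "fw-web", "type": "firewall_rule", "source": "0.0.0.0/0", "port": 443},
    {"id": "fw-db", "type": "firewall_rule", "source": "10.0.2.0/24", "port": 5432},
    {"id": "alice", "type": "user", "mfa": True, "admin": True},
    {"id": "bob", "type": "user", "mfa": False, "admin": True},
]

PUBLIC_OK_PORTS = {80, 443}  # ports this example accepts from any source


def is_world_open(cidr):
    """True when the CIDR covers the whole address space (prefix length 0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit(inventory):
    """Return (resource id, area, message) for every weak setting found."""
    findings = []
    for r in inventory:
        if r["type"] == "storage":
            # A missing "encrypted" field is treated as unencrypted (fail closed).
            if not r.get("encrypted", False):
                findings.append((r["id"], "encryption", "storage not encrypted at rest"))
            if r.get("public", False):
                findings.append((r["id"], "access", "storage publicly readable"))
        elif r["type"] == "firewall_rule":
            if is_world_open(r["source"]) and r["port"] not in PUBLIC_OK_PORTS:
                findings.append((r["id"], "network", f"port {r['port']} open to any source"))
        elif r["type"] == "user":
            if not r.get("mfa", False):
                msg = "admin without MFA" if r.get("admin") else "user without MFA"
                findings.append((r["id"], "authentication", msg))
    return findings


if __name__ == "__main__":
    for rid, area, msg in audit(INVENTORY):
        print(f"{area:15} {rid:15} {msg}")
```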
Step 6: Identify malicious usage
Monitor your system for signs of malicious usage of cloud data. These may be caused by attacks launched by cybercriminals, but quite often the culprit is an ignorant or lazy employee making an honest mistake.
Monitor for anomalies and figure out key protocols to mitigate data losses (both internal and external) in various scenarios.
Phase 2: Protecting Your Cloud Environment
By this second phase, we understand the risk profile associated with our cloud security, so we can start implementing protection for our cloud services according to their associated levels of risk.
In this phase, we can use various technologies to achieve cloud security best practices in the following steps:
Step 1: Assigning protection policies
Now that you’ve identified your sensitive and/or regulated data, you should assign control and protection policies to determine which data can be stored in the cloud and which deserves additional protection.
You should also educate users about these policies, including the consequences when they break your policies and how to prevent common mistakes.
Step 2: Sensitive data encryption
It’s best to use your own encryption keys when encrypting sensitive and/or regulated data. Some cloud services offer their own encryption features, but in such cases the cloud service provider will still have access to the encryption keys. Even if you can trust your cloud service provider, in the event that their systems are compromised in an attack, your encrypted data might also be compromised.
So, encrypt your data with your own keys whenever possible so you have full control over who can access this data and be 100% sure of its security.
Step 3: Set policies for data sharing
You should enforce your access control and sharing control policies as soon as any data enters the cloud. If you are using multiple cloud services, you’d have to implement control policies for each service.
You should especially control which users can share/edit the data, and which should be limited to viewing only. Limit how users can share information externally via shared links.
Step 4: Stop data sharing to unknown devices
One of the key benefits of using cloud services is the ability to access the service from any device, anywhere, as long as there is an internet connection. However, this also allows unknown, unmanaged devices (e.g. a personal smartphone) to access the service, which can be an exploitable security vulnerability. You can block access from these unknown devices by requiring security verification before the device can access or download from the service.
Step 5: Implementing anti-bot mitigation protection
Activities from malicious bots remain the top causes for cybersecurity breaches in cloud services, so it’s very important to implement a bot detection and mitigation solution to defend against these bad bots.
Services like DataDome can be a cost-effective and reliable solution for protecting your cloud environment. By utilizing AI and machine-learning technologies, DataDome can monitor and analyze traffic activity in real time, and when it detects activity with malicious intent, it will mitigate the activity on autopilot.
Step 6: Implementing advanced malware protection to
Similar to bot activities, malware is also a common reason for data breaches in cloud environments. Using a proper anti-malware solution on your OS and virtual network can help protect your cloud infrastructure.
It’s best to combine a static (whitelisting) approach with an active (machine-learning behavioral detection) approach to protect your data storage while preventing memory exploits.
Phase 3: Responding To Attacks and Issues
In phases one and two, we have established the necessary protection measures so that our cloud infrastructure can run smoothly while being protected from cybersecurity threats.
However, even the best protection won’t 100% protect the system from malicious attempts, and this is why we must follow these best practices in responding to attack attempts and successful attacks:
Step 1: Additional authentication control for high-risk access scenarios
Identify access scenarios that are considered high risk, for example, when users access sensitive/regulated data from a brand new, unmanaged device. In such cases, you can require extra verification steps and/or implement multi-factor authentication to ensure it’s not an attacker posing as a legitimate user.
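The access rules from principle 4 (the marketing team sees only current-campaign customer data, financial data stays restricted) and the extra verification described here can be combined into one decision function. This is an added example, not part of the original guide; the roles, labels, campaign name and request fields are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    role: str             # e.g. "marketing", "finance"
    data_label: str       # label assigned when the data was classified
    device_managed: bool  # device is enrolled with IT
    device_known: bool    # user has signed in from this device before
    mfa_done: bool        # second factor already presented this session
    campaign: str = ""    # campaign the record belongs to, if any


# Hypothetical policy: which roles may read which data labels.
ROLE_LABELS = {
    "marketing": {"public", "customer_contact"},
    "finance": {"public", "customer_contact", "customer_financial"},
}
SENSITIVE = {"customer_contact", "customer_financial"}
ACTIVE_CAMPAIGNS = {"spring-launch"}  # constructed campaign name


def decide(req):
    """Return 'allow', 'step_up' (require MFA first) or 'deny'."""
    # Unknown role or label not granted to the role: fail closed.
    if req.data_label not in ROLE_LABELS.get(req.role, set()):
        return "deny"
    # Marketing may read customer data only for a current campaign.
    if req.role == "marketing" and req.data_label == "customer_contact":
        if req.campaign not in ACTIVE_CAMPAIGNS:
            return "deny"
    # Sensitive data from a new or unmanaged device is the high-risk scenario.
    if req.data_label in SENSITIVE:
        high_risk = not req.device_managed or not req.device_known
        if high_risk and not req.mfa_done:
            return "step_up"
    return "allow"
```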
Step 2: Add new policies for new cloud services
In cases where new cloud services are integrated into your existing infrastructure, you can automatically update access policies. For example, you can display information about the risk profile of a cloud service to block access or present a warning message that security protocols for this new cloud service haven’t been properly implemented. You can do this with a whitelisting approach using your firewall/secure web gateway and a cloud risk database.
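The discovery of unknown cloud usage from Phase 1, Step 3 and the allowlist decision described in this step can both be driven from gateway logs. This is an added example, not part of the original guide; the log layout, service names and risk scores are constructed, and the 0-10 risk scale with its blocking threshold is an assumption.

```python
import re
from collections import defaultdict

# All names, scores and log lines below are constructed for this example.
ALLOWLIST = {"crm.example", "mail.example"}                  # sanctioned services
RISK_DB = {"filedrop.example": 8, "pdfconvert.example": 5}   # assumed 0-10 scale
BLOCK_AT = 7

LOG = """\
2024-05-01T09:12:03Z user=alice host=app.crm.example bytes_out=1200
2024-05-01T09:14:40Z user=bob host=www.filedrop.example bytes_out=5242880
2024-05-01T09:15:02Z user=carol host=filedrop.example bytes_out=73400320
2024-05-01T09:20:11Z user=bob host=pdfconvert.example bytes_out=880000
2024-05-01T09:21:45Z user=dave host=notcrm.example bytes_out=300
malformed line without fields
"""
LINE = re.compile(r"user=(\S+) host=(\S+) bytes_out=(\d+)")

def service_for(host, known):
    """Match a host to a known service on a label boundary (exact or subdomain)."""
    host = host.lower().rstrip(".")
    for svc in known:
        if host == svc or host.endswith("." + svc):
            return svc
    return None

def gateway_decision(host):
    """Allow sanctioned services, block high-risk ones, warn on everything else."""
    if service_for(host, ALLOWLIST):
        return "allow"
    svc = service_for(host, RISK_DB)
    if svc is None:
        return "warn"  # not yet assessed: warn the user and queue for review
    return "block" if RISK_DB[svc] >= BLOCK_AT else "warn"

def discover(log_text):
    """Summarise each service outside the allowlist: users, bytes sent, decision."""
    seen = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m or service_for(m.group(2), ALLOWLIST):
            continue  # skip unparseable lines and sanctioned traffic
        user, host, sent = m.group(1), m.group(2), int(m.group(3))
        key = service_for(host, RISK_DB) or host.lower()
        seen[key]["users"].add(user)
        seen[key]["bytes_out"] += sent
    return {k: (sorted(v["users"]), v["bytes_out"], gateway_decision(k)) for k, v in seen.items()}
```

Matching on a label boundary is what keeps `notcrm.example` from being treated as the sanctioned `crm.example`.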
As we’ve mentioned, there is no one-size-fits-all cloud security approach that will 100% protect your cloud environment. Different organizations might need different best practices according to many different factors from the cloud services used to the amount/type of sensitive data, and other factors.
To properly implement cloud security best practices, we have to implement them in three distinct phases: identifying sensitive data and risk profile, setting up protection for your infrastructure, and implementing response plans in the event of an attack.