By Massimo Bandinelli, Aruba Enterprise Marketing Manager
Chances are that your organisation migrated to the cloud to enhance security and reliability and to reduce the resource burden on your IT staff. But while it’s true that cloud enables your organisation to be more efficient, secure and reliable, it doesn’t mean you can forget about security. In fact, this common misconception can leave organisations like yours vulnerable to cyber attacks and regulatory scrutiny.
Whether you’re selecting a public cloud provider, implementing a hybrid cloud solution or building your own private cloud – there’s a whole host of security factors to consider. With this in mind, let’s take a look at what should be on your cloud security checklist.
No matter which security measures you’ve put in place to protect your organisation’s cloud, the truth is that no measure can guarantee 100% security. That’s why back-ups are crucial – ensuring continuity of service and minimising business disruption in the event of a successful cyber attack.
When backing up cloud data, it’s suggested that organisations should adhere to the 3-2-1 model. This means keeping three copies of data on at least two devices, with one copy offsite. It’s helpful to have one ‘live’ back-up – as this updates automatically and can be restored in a matter of minutes when disaster strikes. At the same time, it’s important to have a ‘cold’ back-up – an offline back-up which isn’t connected to your live systems, and therefore can’t be tampered with by malicious actors.
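The 3-2-1 rule and the cold-copy requirement above, expressed as a check over a back-up inventory. This is an added example, not part of the original article; the `Copy` fields, the sample inventories and the choice to count the primary data as one of the three copies are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Copy:
    name: str
    device: str    # storage system or medium holding this copy
    offsite: bool  # held away from the primary site
    online: bool   # reachable from live systems (False means 'cold')


def check_321(copies):
    """Return the unmet rules; an empty list means the plan passes."""
    failures = []
    if len(copies) < 3:
        failures.append(f"need 3 copies, found {len(copies)}")
    if len({c.device for c in copies}) < 2:
        failures.append("copies must sit on at least 2 devices")
    if not any(c.offsite for c in copies):
        failures.append("no offsite copy")
    # A live replica can be altered by whoever controls the live systems,
    # so at least one copy has to be disconnected from them.
    if all(c.online for c in copies):
        failures.append("no cold (offline) copy")
    return failures


# Constructed inventories (hypothetical names, not from the article).
GOOD = [
    Copy("primary", "cloud-volume-a", offsite=False, online=True),
    Copy("live back-up", "cloud-volume-b", offsite=False, online=True),
    Copy("cold back-up", "tape-vault", offsite=True, online=False),
]
LIVE_ONLY = [
    Copy("primary", "cloud-volume-a", offsite=False, online=True),
    Copy("live back-up", "cloud-volume-b", offsite=False, online=True),
    Copy("remote replica", "cloud-volume-c", offsite=True, online=True),
]

if __name__ == "__main__":
    for label, plan in (("GOOD", GOOD), ("LIVE_ONLY", LIVE_ONLY)):
        print(label, check_321(plan) or "passes")
```

The second inventory satisfies the three counting rules yet still fails, because every copy remains reachable from the live environment.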
Encryption is one of the most effective measures for securing data stored in the cloud. It involves converting your data into an unreadable format before it’s transferred or stored, so it stays unintelligible even if malicious actors gain access to it.
In particular, encrypting data when it’s ‘in flight’ is crucial – as this is when it’s the most vulnerable. This is particularly true for organisations using hybrid cloud solutions – in which data is regularly transferred between various applications and cloud services.
Data sovereignty is a legal principle which says that data is subject to the laws of the country in which it’s stored. Awareness of this concept is steadily increasing, as more organisations begin using public cloud solutions and public awareness of how organisations collect and store consumer data grows.
Data sovereignty is particularly relevant to EU- or UK-based organisations that use large-scale public cloud providers with US data centres. If your organisation’s data is stored in data centres outside your jurisdiction, it could be subject to local laws and can be accessed by local law enforcement – regardless of where your HQ is. This creates interesting legal tensions. For example, US laws like the CLOUD Act or FISA require US cloud service providers to hand over data to the US authorities if asked – even if the data is stored within the borders of another country. Meanwhile, EU GDPR legislation states that data can only be accessed by law enforcement based on requests arising under EU law – a clear conflict.
To protect against current and future legal conflicts, many organisations are turning to sovereign cloud solutions – which are designed to comply with local laws on data privacy, access, control and transfer. In practice, this means only working with local cloud providers, or building your own on-premises private cloud storage.
Identity and access management:
Unsurprisingly, poor password hygiene (using simple passwords, or reusing login credentials) is a top cause of cloud data breaches. Remember last year’s Colonial Pipeline hack? That happened because a single employee reused login credentials, which were then re-sold on the dark web following a completely unrelated data breach.
To secure your organisation’s cloud, it’s crucial that employees use complex passwords, and that multifactor authentication is enabled to avoid credential sharing. For enhanced protection, many organisations are turning to end-to-end identity and access management solutions. These take the responsibility for password management away from employees and enable organisations to centrally manage all employees’ digital identities.
In addition to implementing robust identity management, it’s important to think about who has access to your cloud applications and systems. Not all employees need high-level privileges, and the number of administrators should be kept to an absolute minimum.
As with all software, it’s crucial to apply security updates and patches to your cloud solutions as soon as they become available – before malicious actors can exploit vulnerabilities.
If you’re working with a public cloud provider, make sure both parties understand who’s responsible for updating and patching software and applications. This will help to ensure that this vital work is done quickly, and nothing gets overlooked.
In a nutshell, redundancy is the practice of storing cloud data on multiple drives, in case of system failure. For companies operating in the cloud, ensuring redundancy is just as important as having multiple back-ups in place. But they aren’t the same thing! Back-ups are copies of data that can be restored in case of emergency, while redundancy is about ensuring reliability and uptime in the event of drive failure.
To explain this, let’s take a look at two contrasting examples. Situation one – a hacker deletes important data stored in your organisation’s cloud. In this instance, having a fully redundant cloud solution wouldn’t get you very far, as the data would simply be deleted across all locations. This is where having back-ups is essential. Situation two – a drive on one of your organisation’s cloud servers fails during the working day. Here, having a fully redundant cloud solution comes into its own, enabling you to continue working with no interruption.
Ensuring the security of your cloud data goes beyond the digital sphere. Increasingly, malicious actors are adding new, physical attack vectors to their already impressive arsenal. This includes the physical delivery of ransomware – where malicious actors gain entry to data centres either through stealth or deception, and feed in ransomware that can lie undetected until activation.
It’s imperative that organisations and data centre providers stay vigilant and implement a range of perimeter security measures to protect data centres, especially organisations with on-premise facilities, which might not otherwise implement the level of security that a tier 4 data centre operates.
This means a combination of CCTV, anti-intrusion sensors and bollards, in addition to sophisticated entry control systems, which require employees to authenticate themselves using biometrics. These might feel a bit Mission Impossible – but they’re becoming commonplace among reputable data centre providers.
The bottom line? There’s a lot to consider when it comes to cloud security. But with a common-sense strategy in place and the right partners on board, you’ll find it’s surprisingly manageable. If you haven’t already taken a holistic look at your cloud security, now is the time. After all, adopting a head-in-the-sand approach is just waiting for problems to begin.