At least six Deloitte clients affected by a high-profile cyber-attack. The US Securities and Exchange Commission (SEC) suffers a system breach. 143 million US consumers affected in the Equifax breach.

With repeated cyber-attacks taking place within a single month, it is clear that anyone can be affected by cybercriminals.

But how do you even start with securing your data? What are the best practices to keep your data entirely secure in the cloud? 

To help you jump-start your cloud security strategy, we invited experts to share their top cloud security tips. Coming from renowned professionals in the field, these tips are something you do not want to ignore!

1. Maintain Availability In The Cloud


Dustin Albertson, Veeam®

Cloud security. When most people think about the topic of cloud security, they tend to think about networking, firewalls, endpoint security, etc. As a matter of fact, Amazon defines cloud security as:

Security in the cloud is much like security in your on-premises data centers – only without the costs of maintaining facilities and hardware. In the cloud, you do not have to manage physical servers or storage devices. Instead, you use software-based security tools to monitor and protect the flow of information into and out of your cloud resources.

But one often overlooked risk is maintaining availability. What I mean by that is more than just geo-redundancy or hardware redundancy; I am referring to making sure that your data and applications are covered. Cloud is not some magical place where all your worries disappear; a cloud is a place where all your worries are often easier and cheaper to multiply. Having a robust data protection strategy is key. Veeam has often been preaching about the “3-2-1 Rule” that was coined by Peter Krogh.

The rule states that you should have three copies of your data, storing them on two different media, and keeping one offsite.  The one offsite is usually in the “cloud,” but what about when you are already in the cloud? 

This is where I see most issues arise: when people are already in the cloud, they tend to store the data in the same cloud. This is why it is important to remember to have a detailed strategy when moving to the cloud. Leverage things like Veeam agents to protect cloud workloads and Cloud Connect to send the backups offsite to maintain that availability outside of the same datacenter or cloud. Don’t assume that it is the provider’s job to protect your data, because it is not.

Bio:

Dustin Albertson is the Senior Cloud Solutions Architect for the Cloud & Alliance Strategy Group at Veeam Software based in South Carolina, USA.
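The 3-2-1 rule from the tip above, including its cloud-specific catch (a backup held by the same provider as production is not offsite), written as a policy check. This is an added example, not Veeam's code or part of the original article; the `Copy` record, its fields and both sample inventories are constructed for illustration.

```python
"""Check a backup inventory against the 3-2-1 rule.

Added example, not part of the article or of any Veeam product. The Copy
record, its fields and the sample inventories below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Copy:
    """One copy of a dataset: what media it is on, where it is, who runs that place."""
    label: str
    media: str      # storage type, e.g. "disk", "object-storage", "tape"
    site: str       # location name (constructed), e.g. "aws-us-east-1", "sp-dc"
    provider: str   # operator of the site (constructed), e.g. "aws", "sp", "self"


def check_3_2_1(production, backups):
    """Return a list of 3-2-1 violations; an empty list means compliant.

    3: at least three copies in total (production counts as one).
    2: the copies span at least two media types.
    1: at least one backup is offsite. Following the tip, a backup kept with
       the same provider as production is not offsite even in another region:
       a provider outage, account compromise or billing lock-out hits both.
    """
    copies = [production, *backups]
    violations = []
    if len(copies) < 3:
        violations.append(f"only {len(copies)} copies in total, need 3")
    media = sorted({c.media for c in copies})
    if len(media) < 2:
        violations.append(f"all copies on a single media type: {media[0]}")
    offsite = [b for b in backups
               if b.site != production.site and b.provider != production.provider]
    if not offsite:
        violations.append("no backup is offsite: every copy sits with "
                          f"provider '{production.provider}'")
    return violations


# Constructed inventories for a workload that already runs in one cloud.
PRODUCTION = Copy("prod-vm", "disk", "aws-us-east-1", "aws")

# The anti-pattern from the tip: the "offsite" copy is still in the same cloud.
SAME_CLOUD = [
    Copy("ebs-snapshot", "disk", "aws-us-east-1", "aws"),
    Copy("cross-region-copy", "object-storage", "aws-us-west-2", "aws"),
]

# One snapshot in the cloud plus a copy shipped to a separate service provider.
WITH_CLOUD_CONNECT = [
    Copy("ebs-snapshot", "disk", "aws-us-east-1", "aws"),
    Copy("cloud-connect-repo", "object-storage", "sp-dc", "sp"),
]

if __name__ == "__main__":
    for name, backups in (("same cloud", SAME_CLOUD),
                          ("with Cloud Connect", WITH_CLOUD_CONNECT)):
        v = check_3_2_1(PRODUCTION, backups)
        print(f"{name}: {'compliant' if not v else '; '.join(v)}")
```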

2. Choose a Cloud Provider With a Solid Security Plan

Nic O’Donovan, VMware®

The hybrid cloud continues to grow in popularity with the enterprise – particularly as the speed of deployment, scalability and cost savings become more attractive to business. We continue to see infrastructure rapidly evolving into the cloud, which means security must develop at a similar pace. It is very important for the enterprise to work with a Cloud Service Provider who has a solid approach to security in the cloud.

This means the partnership with your Cloud Provider is becoming increasingly important as you work together to understand and implement a security plan to keep your data secure.

Security controls like Multi-factor authentication, data encryption along with the level of compliance you require are all areas to focus on while building your security plan.

Bio:

Nic O’Donovan is a Solutions Architect and Cloud Specialist with the VMware Cloud Provider Program working with Cloud Service Providers.  Nic is an active blogger and works with CSPs to build new offerings across infrastructure, security and disaster recovery solutions.

3. Patch Your Systems and Servers Regularly


Adam Stern, Infinitely Virtual

Business users are not defenseless, even in the wake of recent attacks of ransomware like WannaCry or Petya/NotPetya. The best antidote is patch management. It is always sound practice to keep systems and servers up to date with patches – it is the shortest path to peace of mind. Indeed, “patch management consciousness” needs to be part of an overarching mantra that security is a process, not an event — a mindset, not a matter of checking boxes and moving on. Vigilance should be everyone’s default mode. Spam is no one’s friend; be wary of emails from unknown sources – and that means not opening them. Every small and midsize business wins by placing strategic emphasis on security protections, with technologies like clustered firewalls and intrusion detection and prevention systems (IDPS).

Any business – or more pointedly, any business’s data – is considerably safer in the cloud than parked on equipment under someone’s desk. In addition to IDPS, any cloud provider worth its salt brings to the task a phalanx of time-tested tools, procedures, and technologies that ensure continuous uptime, regular backups, data redundancy, data encryption, anti-virus/anti-malware deployment, multiple firewalls, and round-the-clock monitoring.

Bio:

Adam Stern is a founder and CEO of Infinitely Virtual.

4. Learn How Cloud Security Works


Tom DeSot, Digital Defense, Inc.

My number one security tip for businesses looking at cloud computing is to make sure that they educate themselves on what it means to move into the cloud before taking that big leap from running systems in their own datacenter.

All too often I have seen a business make a move to cloud computing without really having any knowledge about what it means to them and to the security of their systems.  They need to recognize that their software will be “living” on shared systems with other customers so if there is a breach of another customer’s platform, it may be possible for the attacker to compromise their system as well.

Likewise, cloud customers need to understand where their data will be stored, whether it will be only in the US, or whether the provider replicates to other systems that are on different continents. This may cause a real issue if the information is something sensitive like PII or information protected under HIPAA or some other regulatory statute. Lastly, the cloud customer needs to pay close attention to the Service Level Agreements (SLA) that the cloud provider adheres to and ensure that it mirrors their own SLA.

Moving to the cloud is a great way to free up computing resources and ensure uptime, but I always advise my clients to make the move in small steps so that they have time to truly gain an appreciation for what it means to be “in the cloud.”

Bio:

As CIO of Digital Defense, Inc., Tom DeSot is charged with key industry and market regulator relationships, public speaking initiatives, essential integration and service partnerships, and regulatory compliance matters. He also serves as the company’s internal auditor on security-related matters.  He holds NSA’s INFOSEC Assessment Methodology Certification and is trained in OCTAVE risk assessment.

5. Updated OS, Strong Passwords, 2-Step Verification


Brian Smith, Hushmail

Keep your operating systems up to date. The companies that create operating systems are always on the lookout for vulnerabilities in their systems. When they find weaknesses, they (usually) issue updates quickly to fix them. The irony, of course, is that when companies issue updates, it can be a signal to hackers that there is a weakness in the system. That is why it is so important to stay on top of updates as they come up and to automate their installation when appropriate.

Don’t use the same passwords for multiple sites. The reason for this is that if a website is compromised, attackers may be able to use the user IDs and passwords they steal to unlock valuable information on other sites or services. Using the same password for many products and services is like giving thieves a skeleton key to open your personal information across the web. Unique passwords make it difficult for bad guys to hurt you more than once. 

Enable two-step verification. Two-step verification is a feature many online services offer. It employs a two-stage process to authenticate your identity on new devices. It is helpful since passwords can be broken. Two-step verification makes it much harder for non-authorized parties to access your account. To get in, they would need to have access to your phone or alternate email address, in addition to your user ID and password. It is an added layer of security that has been shown to be quite useful in mitigating digital fraud.

Bio:

Brian was a co-founder of Hushmail in 1999 and has been CTO since 2002. He is responsible for technology architecture, software development, network operations, security, and compliance at Hushmail.

6. Always Backup Your Data


Scott Fcasni, 1SEO Technologies

One of the most obvious, but overlooked, aspects of cloud computing is to always back up your data. The internet is the Wild West, and anything can happen. Having proper backups of all your data is the easiest way to ensure you always have control over your data, no matter what situation arises. Whether you have a small or large business, your data is essential to your operations.

According to the Kaspersky Lab Malware Report, ransomware has risen by over 250% for the first few months of 2017 and continues to trend in a very frightening direction. Regularly backing up your data is the ultimate insurance policy for your business and can save your company from the crippling effects of a major data loss. Everyone always thinks “It cannot happen to me,” but the reality is, no network is safe from ransomware and natural disasters. If I can give one piece of advice to any company out there, it is to ensure peace of mind with an effective backup strategy.

Bio:

Scott Fcasni is the President of 1SEO Technologies, an elite IT support and managed services company.

7. Enable Two-factor Authentication


Tim Platt, Virtual Operations

For the best cloud security, we prefer to see Two Factor Authentication (also known as 2FA, multi-factor authentication, or two-step authentication) used wherever possible.  What is this? 2 Factor combines “something you know” with “something you have.” If you need to supply both a password and a special code sent to your smartphone via text, then you have both those things. Even if someone knows your password, they still can’t get into your account. They would have to know your password and have access to your cell phone. Not impossible, but you have just dramatically made it more difficult for them to hack your account. They will look elsewhere for an easier target.  As an example, iCloud and Gmail support 2FA – two services very popular with business users.  I recommend everyone use it.

Why is this important for cloud security?

Because cloud services are often not protected by a firewall or other mechanism to control where the service can be accessed from. 2FA is an excellent additional layer to add to security.  I should mention as well that some services, such as Salesforce, have a very efficient, easy to use implementation of 2FA that isn’t a large burden on the user.

Bio:

Tim Platt has almost 25 years of experience in multiple areas of technology including programming, networking, databases, cloud computing, security, and project management.  He currently works as a VP of IT Business Services at Virtual Operations, LLC, providing technology consulting in the Orlando, FL area.

8. Be Proactive In Securing The Cloud


Adnan Raja, Atlantic.Net

There are many steps that organizations can take to protect themselves from various cybersecurity attacks. On many occasions, these attacks succeed because employees have not been properly trained to recognize (and avoid) suspicious links or email attachments. Proper email security training, as well as establishing better rules for email attachments and assigning users that are allowed to run executable files and install software can go a long way toward bolstering your defenses against a cyber attack.

Multi-factor authentication helps ensure that only your authorized employees can access your network. Two-factor authentication should be applied not only to your VPN but also to your organization’s LinkedIn and Google accounts and other online accounts.

Better password management (including using password management tools such as KeePass) will also prove helpful in locking down your infrastructure.

Autonomous offsite backup is a must, and network monitoring solutions to throw up an alarm if thousands of files suddenly start modifying themselves in the middle of the night can alert you soon enough to head off the worst of the damages if a cyber attack hits you.

Constant vigilance and thoughtful, prudent, proactive security measures will keep your organization safe from cyber attacks. Organizations owe it to themselves, their employees, and their customers to keep their fingers on the pulse of cybersecurity and look for new exploits and threats to be aware of.

Bio:

Adnan Raja, Vice President, Marketing at Atlantic.Net
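The monitoring alarm described in tip 8 (many files suddenly changing in the middle of the night), implemented as a sliding-window detector run over an audit log. This is an added example, not code from Atlantic.Net or the original article; the log line format, field names, thresholds and the sample events are all constructed.

```python
"""Alarm on a burst of file modifications in an audit log.

Added example, not part of the article. Log format, field names, the
business-hours window and the sample events are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed line format: "<ISO-8601 UTC> host=<h> user=<u> op=<OP> path=<p>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) host=(?P<host>\S+) "
    r"user=(?P<user>\S+) op=(?P<op>\S+) path=(?P<path>\S+)$"
)
WRITE_OPS = {"MODIFY", "RENAME", "DELETE"}   # operations that change or remove content


def parse(line):
    """Parse one audit line into a dict, or return None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def off_hours(ts, start=22, end=6):
    """True between 22:00 and 06:00 UTC (constructed business hours)."""
    return ts.hour >= start or ts.hour < end


def detect_mass_modification(lines, threshold=200, window=timedelta(seconds=60)):
    """Return one alert per user whose write events reach `threshold` within `window`.

    A per-user deque keeps only the events inside the window, so a steady
    trickle of edits never accumulates, while a burst that rewrites hundreds
    of files in seconds crosses the threshold almost at once. Lines are
    expected in chronological order, as an audit log normally is.
    """
    recent = defaultdict(deque)   # user -> deque of (timestamp, path)
    alerted = set()               # users already reported, to avoid repeats
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["op"] not in WRITE_OPS:
            continue
        q = recent[ev["user"]]
        q.append((ev["ts"], ev["path"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append({
                "user": ev["user"],
                "host": ev["host"],
                "window_start": q[0][0],
                "count": len(q),
                "distinct_paths": len({p for _, p in q}),
                "off_hours": off_hours(ev["ts"]),
            })
    return alerts


def sample_log():
    """Constructed audit log: a day of normal edits, then a 300-file burst at 02:14 UTC."""
    lines = []
    day = datetime(2017, 10, 3, 9, 0, tzinfo=timezone.utc)
    for i in range(40):               # one edit every five minutes, four files rotating
        t = day + timedelta(minutes=5 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} host=fs01 user=jsmith op=MODIFY "
                     f"path=/share/finance/report_{i % 4}.xlsx")
    burst = datetime(2017, 10, 4, 2, 14, 7, tzinfo=timezone.utc)
    for i in range(300):              # ransomware-like: 300 files rewritten in 30 seconds
        t = burst + timedelta(milliseconds=100 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} host=fs01 user=svc-sync op=MODIFY "
                     f"path=/share/finance/doc_{i}.docx")
    return lines


if __name__ == "__main__":
    for a in detect_mass_modification(sample_log()):
        print(f"ALERT user={a['user']} host={a['host']}: {a['count']} writes to "
              f"{a['distinct_paths']} files from {a['window_start']:%H:%M:%S}Z"
              f"{' (off-hours)' if a['off_hours'] else ''}")
```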

9. Know Where Your Data Resides


Vikas Aditya, QuikFynd Inc

Companies should be aware of where their data is stored these days so that they can proactively identify if any of the data may be at risk of a breach.

These days, data is being stored in multiple cloud locations and applications in addition to storage devices in business. Companies are adopting cloud storage services such as Google Drive, Dropbox, OneDrive, etc. and online software services for all kinds of business processes. This has led to vast fragmentation of company data, and often managers have no idea where all the data may be.

For example, a confidential financial report for the company may get stored in cloud storage because devices are automatically syncing with the cloud, or a sensitive business conversation may happen in cloud-based messaging services such as Slack. While cloud companies have all the right intentions to keep their customer data safe, they are also the prime target because hackers have better ROI in targeting such services where they can potentially get access to data for millions of subscribers.

So, what should a company do?

While they will continue to adopt cloud services and their data will end up in many, many locations, they can use some search and data organization tools that can show them what data exists in these services. Using full-text search capabilities, they can then very quickly find out if any of this information is a potential risk to the company if breached. You cannot protect something if you do not even know where it is. And more importantly, you will not even know if it is stolen. So, companies looking to protect their business data need to take steps at least to be aware of where all their information is.

Bio: 

Vikas Aditya is an entrepreneur and an expert in software solutions, cloud services, and business strategy. He founded QuikFynd Inc, a company specializing in machine learning techniques to search and organize our personal data that is fragmented across several locations.

10. Do Your Due Diligence In Securing the Cloud

Ken Stasiak, SecureState

Understand the type of data that you are putting into the cloud and the mandated security requirements around that data.

Once a business has an idea of the type of data they are looking to store in the cloud, they should have a strong understanding of the level of due diligence that is required when assessing different cloud providers. For example, if you are choosing a cloud service provider to host your Protected Health Information (PHI), you should require an assessment of security standards and HIPAA compliance before moving any data into the cloud.

Some good questions to ask when evaluating whether a cloud service provider is a fit for an organization concerned with securing that data include: Do you perform regular SOC audits and assessments? How do you protect against malicious activity? Do you conduct background checks on all employees? What types of systems do you have in place for employee monitoring, access determination, and audit trails?

Bio:

Ken Stasiak is the CEO of SecureState. He has consulted with hundreds of companies on business risk management and cybersecurity. Ken holds various certifications including CISSP, CISA, CGEIT, and CISM.

11. Set up Access Controls and Security Permissions


Michael R. Durante, Tie National, LLC

While the cloud is a growing force in computing for its flexibility for scaling to meet the needs of a business and to increase collaboration across locations, it also raises security concerns with its potential for exposing vulnerabilities relatively out of your control. For example, BYOD can be a challenge to secure if users are not regularly applying security patches and updates.

Make the best use of available access controls. Businesses need to utilize access controls to limit security permissions to allow only the actions related to the employees’ job functions. By restricting access, enterprises assure critical files are available only to the staff needing them, thus reducing chances of their exposure to the wrong parties. This control also makes it easier to revoke access rights immediately upon termination of employment to safeguard any sensitive content, no matter where the employee attempts to access it from remotely.

Bio:

Michael is the President of Tie National, LLC. He successfully built an IT operations team which supports 7,000+ client locations nationwide and an extensive subcontractor base of 5,000+ partners.

12. Understand the Pedigree and Processes of the Supplier or Vendor

Paul Evans, Redstor

The use of cloud technologies has afforded businesses of all sizes the opportunity to drive performance improvements and gain efficiency with more remote working, higher availability and more flexibility.

However, with an increasing number of disparate systems deployed and so many cloud suppliers and software to choose from, retaining control over data security can become challenging. When looking to deploy a cloud service, it is essential to thoroughly understand the pedigree and processes of the supplier/vendor who will provide the service. Industry standard certifications are a great place to start. Suppliers who have an ISO 27001 certification have proven that they have met international information security management standards and should be held in higher regard than those without.

Gaining a full understanding of where your data will be stored geographically, who will have access to it, and whether it will be encrypted is key to being able to protect it. It is also important to know what the supplier’s processes are in the event of a data breach or loss or if there is downtime. Acceptable downtime should be set out in contracted Service Level Agreements (SLAs), which should be financially backed by the supplier to provide reassurance.

Bio:

Paul Evans is the CEO of Redstor. Redstor is a fast-growing international data management software as a service (SaaS) business focused on securely managing and protecting customer data throughout its lifecycle. Since 1998, we have been a trusted adviser to organizations across the accounting and finance sectors, specializing in backup, disaster recovery, and compliance solutions.

13. Use Strong Passwords and Multi-factor Authentication


Fred Reck, InnoTek Computer Consulting

Ensure that you require strong passwords for all cloud users, and preferably use multi-factor authentication.

According to the 2017 Verizon Data Breach Investigations Report, 81% of all hacking related breaches leveraged either stolen and/or weak passwords. One of the most significant benefits of the Cloud is the ability to access company data from anywhere in the world on any device. On the flip side, from a security standpoint, anyone (aka “bad guys”) with a username and password can potentially access the business’s data. Forcing users to create strong passwords makes it vastly more difficult for hackers to use a “brute force” attack (guessing the password from multiple random characters).

In addition to strong passwords, many cloud services today can utilize an employee’s cell phone as the secondary, physical security authentication piece in a multi-factor strategy, making this accessible and affordable for an organization to implement. Users would not only need to know the password but would need physical access to their cell phone to access their account.

Lastly, consider implementing a feature that would lock a user’s account after a predetermined amount of unsuccessful logins.

Bio:

Fred Reck is an Amazon #1 Best Selling Author, technology-industry speaker, and leading consultant based in Central Pennsylvania. Fred has advised over 1100 companies on technology issues through his business InnoTek Computer Consulting.

14. Enable IP-location Lockdown

Chris Byrne, SensorPro

My first cloud security tip for businesses, regarding access to the cloud applications they use, is to enable two-factor authentication and IP-location lockdown.

With 2FA, you add another challenge to the usual email/password combination by text message. With IP lockdown you can ring-fence access from your office IP or the IP of remote workers. If the platform does not support this, consider asking your provider to enable it.

In terms of actual cloud platform provision, my No. 1 tip is to provide a data at rest encryption option. At some point, this will become as ubiquitous as https (SSL/TLS). Should the unthinkable happen and data ends up in the wrong hands, i.e., a device gets stolen or forgotten on a train, then data at rest encryption is the last line of defense to prevent anyone from accessing your data without the right encryption keys. Even if they manage to steal it, they cannot use it… This, for example, would have ameliorated the recent Equifax breach somewhat.

Bio:

Chris Byrne is co-founder and CEO of Sensorpro.

15. Cloud Storage Security Starts With VPNs

Eric Schlissel, GeekTek

Use VPNs (virtual private networks) whenever you connect to the cloud. VPNs are often used to semi-anonymize web traffic, often by viewers who are geoblocked from accessing streaming services such as Netflix USA or BBC Player. They also provide a crucial layer of security for any device connecting to your cloud. Without a VPN, any potential intruder with a packet sniffer could determine what members were accessing your cloud account and potentially gain access to their login credentials.

Encrypt data at rest. If for any reason a user account is compromised on your public, private or hybrid cloud, the difference between data in plaintext vs. encrypted format can be measured in hundreds of thousands of dollars. Specifically, $229,000 is the average cost of a cyber attack reported by the respondents of a survey conducted by the insurance company Hiscox. As recent events have shown, the process of encrypting and decrypting this data will prove far more painless than enduring its alternative.

Use two-factor authentication and single sign-on for all cloud-based accounts. Google, Facebook, and PayPal all utilize two-factor authentication, which requires the user to input a unique software-generated code into a form before signing into his/her account. Whether or not your business aspires to their stature, it can and should emulate this core component of their security strategy. Single sign-on simplifies access management, so one pair of user credentials signs the employee into all accounts. This way, system administrators only have one account to delete rather than several that can be forgotten and later re-accessed by the former employee.

Bio:

Eric Schlissel is President and CEO of GeekTek, a national managed IT/cyber security firm headquartered in Los Angeles, CA. Through GeekTek, Schlissel manages, secures and scales the IT architecture of businesses in law, medicine, manufacturing, and many other verticals.

16. Be Aware of Data Protection Regulations

Paul Evans, Redstor

For organizations looking to utilize cloud platforms, there are security concerns to be aware of: Who will have access to data? Where is data stored? Is my data encrypted? But for the most part cloud platforms can answer these questions and have high levels of security. Organizations utilizing the cloud need to ensure that they are aware of data protection laws and regulations that affect data and also gain an accurate understanding of contractual agreements with cloud providers. How is data protected? Many regulations and industry standards will give guidance on how organizations should store data.

Keeping unsecured or unencrypted copies of data can put it at higher risk. Gaining a knowledge of security levels of cloud services is vital. What are the retention policies, and do I have a backup? Cloud platforms can have widely varied uses, and this can cause (or prevent) issues. If data is being stored in a cloud platform, it could be vulnerable to risks such as ransomware or corruption, so ensuring that multiple copies of data are retained or backed up can prevent this. Guaranteeing these processes have been taken improves the security levels of an organization’s cloud platforms and gives an understanding of where any risk could come from.

Bio:

Paul Evans co-founded Redstor with Tony Ruane, and in his current role, he is responsible for setting the strategic direction of the business and investigating and developing new business opportunities.

17. Beware of the Human Element

Steven J.J. Weisman, Lawyer and Professor at Bentley University

To paraphrase Shakespeare, the fault is not in the cloud; the fault is in us. Storing sensitive data in the cloud is a good option for data security on many levels. However, regardless of how secure a technology may be, the human element will always present a potential security danger to be exploited by cybercriminals. Many past data breaches in the cloud have proven not to be due to security lapses by the cloud technology, but rather by actions of individual users of the cloud.

They have unknowingly provided their usernames and passwords to cybercriminals who, through spear phishing emails, phone calls or text messages, persuade people to give the critical information necessary to access the cloud account.

The best way to avoid this problem, along with better education of employees to recognize and prevent spear phishing, is to use dual factor authentication, such as having a one-time code sent to the employee’s cell phone whenever someone attempts to access the cloud account.

Bio:

Steve J.J. Weisman is a lawyer, college professor at Bentley University where he teaches White Collar Crime and is among the country’s leading experts in scams, identity theft, and cybersecurity.

18. Ensure Data Retrieval From Cloud Vendor

Bob Herman, IT Tropolis

1. Two-factor authentication protects against account fraud. Many users fall victim to email phishing attempts where bad actors dupe the victim into entering their login information on a fake website. The bad actor can then log in to the real site as the victim, and do all sorts of damage depending on the site application and the user access. 2FA ensures a second code must be entered when logging into the application, usually a code sent to the user’s phone.

2. Ensuring you own your data and can retrieve it in the event you no longer want to do business with the cloud vendor is imperative. Most legitimate cloud vendors should specify in their terms that the customer owns their data. Next, you need to confirm you can extract or export the data in some usable format, or that the cloud vendor will provide it to you on request.

Bio:

Bob Herman is the Co-Founder and President of IT Tropolis.

19. Configure Cloud Environment Correctly


Anthony Dezilva, PhoenixNAP

When we think of cloud, we think of two things: cost savings due to efficiencies gained by using a shared infrastructure, and security issues. Although there are many published breaches that are attributed to cloud-based environment misconfiguration, I would be surprised if this number was more than the reported breaches of non-cloud based environments.

Cloud providers have a vested interest in creating a secure multi-tenant environment. Their aggregate spending on creating these environments is far more significant than most companies’ IT budgets, let alone their security budgets. Therefore I would argue that a cloud environment configured correctly provides a far higher level of security than anything a small to medium-sized business can create on-prem.

Furthermore, in an environment where security talent is at a grave shortage, there is no way an organization can find, let alone afford, the security talent they need. The next best thing is to create a business associate relationship with a cloud provider that not only has a verifiable secure infrastructure but also monitoring and incident response services.

Cloud Security: Need to know

  • Architect the solution as you would in any on-prem design process;
  • Take advantage of application services layering and micro-segmentation;
  • Use transaction processing layers with strict ACLs that control inter-process communication. Use PKI infrastructure to authenticate, and encrypt, inter-process communication;
  • Utilize advanced firewall technology including WAF (Web Access Firewalls) to front-end web-based applications, to minimize the impact of vulnerabilities in underlying software;
  • Leverage encryption right down to record level;
  • Accept that it is only a matter of time before someone breaches your defenses, and plan for it. Architect all systems to minimize the impact should it happen;
  • A flat network is never okay!
  • Robust change control process, with weekly patch management cycle;
  • Maintain offline copies of your data, to mitigate the risk of cloud service collapse, or malicious attack that wipes your cloud environment;
  • Contract with 24×7 security monitoring services that have an incident response component.

Bio: 

Anthony Dezilva is an Information Security/Assurance Leader (CISO), Global Management Executive, and Educator. As a Development Manager of Security Services at phoenixNAP, he is helping take cloud security to the next level.

Interested in learning more about cloud security? Join our webinar with VMware and Intel to find out how you can make your company battle-ready!
