With repeated cyber-attacks taking place within a single month, it is clear that anyone can be affected by cybercriminals.

But how do you even start with securing your data? What are the best practices to keep your data entirely secure in the cloud? How safe is cloud computing?

To help you jump-start your security strategy, we invited experts to share their advice on Cloud Security Threats and Risks.

1. Maintain Availability In The Cloud

Dustin Albertson, Veeam®

When most people think about the topic of cloud-based security, they tend to think about networking, firewalls, endpoint security, etc. As a matter of fact, Amazon defines cloud security as:

Security in the cloud is much like security in your on-premises data centers – only without the costs of maintaining facilities and hardware. In the cloud, you do not have to manage physical servers or storage devices. Instead, you use software-based security tools to monitor and protect the flow of information into and out of your cloud resources.

But one often overlooked risk is maintaining availability. What I mean by that is more than just geo-redundancy or hardware redundancy; I am referring to making sure that your data and applications are covered. Cloud is not some magical place where all your worries disappear; a cloud is a place where all your worries are often easier and cheaper to multiply. Having a robust data protection strategy is key. Veeam has often been preaching about the “3-2-1 Rule” that was coined by Peter Krogh.

The rule states that you should have three copies of your data, storing them on two different media, and keeping one offsite.  The one offsite is usually in the “cloud,” but what about when you are already in the cloud? 

This is where I see most cloud issues arise: when people are already in the cloud, they tend to store the data in the same cloud. This is why it is important to remember to have a detailed strategy when moving to the cloud, leveraging things like Veeam agents to protect cloud workloads and Cloud Connect to send the backups offsite to maintain that availability outside of the same datacenter or cloud. Don’t assume that it is the provider’s job to protect your data, because it is not.

Bio: Dustin Albertson is the Senior Cloud Solutions Architect for the Cloud & Alliance Strategy Group at Veeam Software based in South Carolina, USA.
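The 3-2-1 rule described above is simple to state but easy to violate once every copy of a workload lives in one cloud account. The following check is an added example written for this article, not Veeam's code or tooling: it takes an inventory of backup copies (a constructed sample, with made-up copy names, media and location labels) and reports which of the three conditions hold, so the "all my snapshots are in the same region" case that the section warns about shows up as a failure rather than a false sense of safety.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    """One copy of a dataset: the medium it is on and the site/cloud that holds it."""
    name: str
    medium: str          # e.g. "block-storage", "object-storage", "tape"
    location: str        # provider/site that physically holds the copy
    is_primary: bool = False


def check_3_2_1(copies):
    """Evaluate the 3-2-1 rule against an inventory of copies.

    three_copies: at least three copies exist (the primary counts as one)
    two_media:    the copies span at least two distinct media types
    one_offsite:  at least one copy sits somewhere other than the primary's location
    """
    primaries = [c for c in copies if c.is_primary]
    if len(primaries) != 1:
        raise ValueError("inventory must contain exactly one primary copy")
    primary_location = primaries[0].location
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len({c.medium for c in copies}) >= 2,
        "one_offsite": any(c.location != primary_location for c in copies),
    }


def missing_parts(copies):
    """Names of the rule's conditions that the inventory does not satisfy."""
    return [name for name, ok in check_3_2_1(copies).items() if not ok]


def is_3_2_1_compliant(copies):
    return not missing_parts(copies)


# Constructed inventory: a workload already in the cloud whose "backups" are two
# snapshots on the same medium in the same account and region.
SAME_CLOUD = [
    BackupCopy("prod-volume", "block-storage", "cloud-a/region-1", is_primary=True),
    BackupCopy("snapshot-daily", "block-storage", "cloud-a/region-1"),
    BackupCopy("snapshot-weekly", "block-storage", "cloud-a/region-1"),
]

# Constructed inventory: one copy shipped to a different provider on object storage.
WITH_OFFSITE = [
    BackupCopy("prod-volume", "block-storage", "cloud-a/region-1", is_primary=True),
    BackupCopy("snapshot-daily", "block-storage", "cloud-a/region-1"),
    BackupCopy("offsite-backup", "object-storage", "provider-b/site-2"),
]

if __name__ == "__main__":
    for label, inventory in (("same cloud", SAME_CLOUD), ("with offsite", WITH_OFFSITE)):
        print(label, "->", "compliant" if is_3_2_1_compliant(inventory) else missing_parts(inventory))
```

The location string is deliberately coarse (provider plus site); if your risk model treats two regions of one provider as "the same cloud", as the section does, label them with the same provider prefix and compare on that prefix instead.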

2. Choose a Cloud Provider With a Solid Security Plan

Nic O’Donovan, VMware®

The Hybrid cloud continues to grow in popularity with the enterprise – mainly as the speed of deployment, scalability and cost savings become more attractive to business. We continue to see infrastructure rapidly evolving into the cloud, which means security must develop at a similar pace. It is essential for the enterprise to work with a Cloud Service Provider who has a reliable approach to security in the cloud.

This means the partnership with your Cloud Provider is becoming increasingly important as you work together to understand and implement a security plan to keep your data secure.

Security controls like Multi-factor authentication, data encryption along with the level of compliance you require are all areas to focus on while building your security plan.

Bio: Nic O’Donovan is a Solutions Architect and Cloud Specialist with the VMware Cloud Provider Program working with Cloud Service Providers. Nic is an active blogger and works with CSPs to build new offerings across infrastructure, security and disaster recovery solutions.

3. Patch Your Systems Regularly To Avoid Cloud Computing Threats & Vulnerabilities

Adam Stern, Infinitely Virtual

Business users are not defenseless, even in the wake of recent Healthcare Cybersecurity threats like WannaCry or Petya/NotPetya.

The best antidote is patch management. It is always sound practice to keep systems and servers up to date with patches – it is the shortest path to peace of mind. Indeed, “patch management consciousness” needs to be part of an overarching mantra that security is a process, not an event — a mindset, not a matter of checking boxes and moving on. Vigilance should be everyone’s default mode.

Spam is no one’s friend; be wary of emails from unknown sources – and that means not opening them. Every small and midsize business wins by placing strategic emphasis on security protections, with technologies like clustered firewalls and intrusion detection and prevention systems (IDPS).

Bio: Adam Stern is a founder and CEO of Infinitely Virtual.

4. Learn How Cloud Security Systems Work

Tom DeSot, Digital Defense, Inc.

Businesses need to make sure they evaluate cloud computing security risks and benefits, and that they educate themselves on what it means to move into the cloud before taking that big leap from running systems in their own datacenter.

All too often I have seen a business make a move to cloud computing without really having any knowledge about what it means to them and the security of their systems. They need to recognize that their software will be “living” on shared systems with other customers, so if there is a breach of another customer’s platform, it may be possible for the attacker to compromise their system as well.

Likewise, cloud customers need to understand where their data will be stored: whether it will be only in the US, or whether the provider replicates to other systems that are on different continents. This may cause a real issue if the information is something sensitive like PII or information protected under HIPAA or some other regulatory statute. Lastly, the cloud customer needs to pay close attention to the Service Level Agreements (SLA) that the cloud provider adheres to and ensure that it mirrors their own SLA.

Moving to the cloud is a great way to free up computing resources and ensure uptime, but I always advise my clients to make a move in small steps so that they have time to truly gain an appreciation for what it means to be “in the cloud.”

Bio: As CIO of Digital Defense, Inc., Tom DeSot is charged with key industry and market regulator relationships, public speaking initiatives, essential integration and service partnerships, and regulatory compliance matters. He also serves as the company’s internal auditor on security-related matters.

5. Strong Passwords + 2-Step Verification

Brian Smith, Hushmail

Don’t use the same passwords for multiple sites. The reason for this is that if a website is compromised, attackers may be able to use the user IDs and passwords they steal to unlock valuable information on other sites or services. Using the same password for many products and services is like giving thieves a skeleton key to open your personal information across the web. Unique passwords make it difficult for bad guys to hurt you more than once.

Bio: Brian was a co-founder of Hushmail in 1999 and has been CTO since 2002. He is responsible for technology architecture, software development, network operations, security, and compliance at Hushmail.

6. Always Backup Your Data In the Cloud

Scott Fcasni, 1SEO Technologies

One of the most obvious, but overlooked, aspects of cloud computing is to always back up your data. The internet is the Wild West, and anything can happen. Having proper backups of all your data is the easiest way to ensure you always have control over your data, no matter what situation arises. You will be prepared with cloud disaster recovery. Whether you have a small or large business, your data is essential to your operations.

According to the Kaspersky Lab Malware Report, ransomware has risen by over 250% for the first few months of 2017 and continues to trend in a very frightening direction. Regularly backing up your data is the ultimate insurance policy for your business and can save your company from the crippling effects of a significant data loss. Everyone always thinks “It cannot happen to me,” but the reality is, no network is safe from ransomware and natural disasters. If I can give one piece of advice to any company out there, it is to ensure peace of mind with an effective backup strategy.

Bio: Scott Fcasni is the President of 1SEO Technologies, an elite IT support and managed services company.

7. Enable Two-factor Authentication

Tim Platt, Virtual Operations

For the best cloud server security, we prefer to see Two Factor Authentication (also known as 2FA, multi-factor authentication, or two-step authentication) used wherever possible.

What is this? 2FA combines “something you know” with “something you have.” If you need to supply both a password and a unique code sent to your smartphone via text, then you have both those things. Even if someone knows your password, they still can’t get into your account. They would have to know your password and have access to your cell phone. Not impossible, but you have just made it dramatically more difficult for them to hack your account. They will look elsewhere for an easier target. As an example, iCloud and Gmail support 2FA, two services very popular with business users. I recommend everyone use it.

Why is this important for cloud security?

Because cloud services are often not protected by a firewall or other mechanism to control where the service can be accessed from. 2FA is an excellent additional layer to add to security. I should mention as well that some services, such as Salesforce, have a very efficient, easy to use implementation of 2FA that isn’t a significant burden on the user.

Bio: Tim Platt currently works as a VP of IT Business Services at Virtual Operations, LLC, providing technology consulting in the Orlando, FL area.

9. Know Where Your Data Resides To Reduce Cloud Threats

Vikas Aditya, QuikFynd Inc

Companies should be aware of where their data is stored these days so that they can proactively identify if any of the data may be at risk of a breach.

These days, data is being stored in multiple cloud locations and applications in addition to storage devices in the business. Companies are adopting cloud storage services such as Google Drive, Dropbox, OneDrive, etc. and online software services for all kinds of business processes. This has led to vast fragmentation of company data, and often managers have no idea where all the data may be.

For example, a confidential financial report for the company may get stored in cloud storage because devices are automatically syncing with the cloud, or a sensitive business conversation may happen in cloud-based messaging services such as Slack. While cloud companies have all the right intentions to keep their customer data safe, they are also the prime target because hackers have better ROI in targeting such services where they can potentially get access to data for millions of subscribers.

So, what should a company do?

While they will continue to adopt cloud services and their data will end up in many, many locations, they can use some search and data organization tools that can show them what data exists in these services. Using full-text search capabilities, they can then very quickly find out if any of this information is a potential risk to the company if breached. You cannot protect something if you do not even know where it is. And more importantly, you will not even know if it is stolen. So, companies looking to protect their business data need to take steps at least to be aware of where all their information is.

Bio: Vikas Aditya is an entrepreneur and an expert in software solutions, cloud services, and business strategy. He founded QuikFynd Inc, a company specializing in machine learning techniques to search and organize our personal data that is fragmented across several locations.

10. Do Your Due Diligence In Securing the Cloud

Ken Stasiak, SecureState

Understand the type of data that you are putting into the cloud and the mandated security requirements around that data.

Once a business has an idea of the type of data they are looking to store in the cloud, they should have a firm understanding of the level of due diligence that is required when assessing different cloud providers. For example, if you are choosing a cloud service provider to host your Protected Health Information (PHI), you should require an assessment of security standards and HIPAA compliance before moving any data into the cloud.

Some good questions to ask when evaluating whether a cloud service provider is a fit for an organization concerned with securing that data include: Do you perform regular SOC audits and assessments? How do you protect against malicious activity? Do you conduct background checks on all employees? What types of systems do you have in place for employee monitoring, access determination, and audit trails?

Bio: Ken Stasiak is the CEO of SecureState. He has consulted with hundreds of companies on business risk management and cybersecurity. Ken holds various cybersecurity certifications including CISSP, CISA, CGEIT, and CISM.

11. Set up Access Controls and Security Permissions

Michael R. Durante, Tie National, LLC

While the cloud is a growing force in computing for its flexibility for scaling to meet the needs of a business and to increase collaboration across locations, it also raises security concerns with its potential for exposing vulnerabilities relatively out of your control. For example, BYOD can be a challenge to secure if users are not regularly applying security patches and updates.

Make the best use of available access controls. Businesses need to utilize access controls to limit security permissions to allow only the actions related to the employees’ job functions. By restricting access, enterprises assure critical files are available only to the staff needing them, thus reducing the chances of their exposure to the wrong parties. This control also makes it easier to revoke access rights immediately upon termination of employment, safeguarding any sensitive content no matter where the employee attempts to access it from remotely.

Bio: Michael is President of Tie National, LLC. He successfully built an IT operations team which supports 7,000+ client locations nationwide and an extensive subcontractor base of 5,000+ partners.

12. Understand the Pedigree and Processes of the Supplier or Vendor

Paul Evans, Redstor

The use of cloud technologies has afforded businesses of all sizes the opportunity to drive performance improvements and gain efficiency with more remote working, higher availability and more flexibility.

However, with an increasing number of disparate systems deployed and so many cloud suppliers and software to choose from, retaining control over data security can become challenging. When looking to deploy a cloud service, it is essential to thoroughly understand the pedigree and processes of the supplier/vendor who will provide the service. Industry standard security certifications are a great place to start. Suppliers who have an ISO 27001 certification have proven that they have met international information security management standards and should be held in higher regard than those without.

Gaining a full understanding of where your data will be stored geographically, who will have access to it, and whether it will be encrypted is key to being able to protect it. It is also important to know what the supplier’s processes are in the event of a data breach or loss, or if there is downtime. Acceptable downtime should be set out in contracted Service Level Agreements (SLAs), which should be financially backed by them to provide reassurance.

For organizations looking to utilize cloud platforms, there are cloud security concerns to be aware of: Who will have access to data? Where is the data stored? Is my data encrypted? But for the most part cloud platforms can answer these questions and have high levels of security. Organizations utilizing the cloud need to ensure that they are aware of data protection laws and regulations that affect data and also gain an accurate understanding of contractual agreements with cloud providers. How is data protected? Many regulations and industry standards will give guidance on the best way to store sensitive data.

Keeping unsecured or unencrypted copies of data can put it at higher risk. Gaining knowledge of security levels of cloud services is vital.

What are the retention policies, and do I have a backup? Cloud platforms can have widely varied uses, and this can cause (or prevent) issues. If data is being stored in a cloud platform, it could be vulnerable to cloud security risks such as ransomware or corruption, so ensuring that multiple copies of data are retained or backed up can prevent this. Guaranteeing these processes have been taken improves the security levels of an organization’s cloud platforms and gives an understanding of where any risk could come from.

Bio: Paul Evans is a CEO of Redstor. Redstor is a fast-growing international, data management software as a service (SaaS) business focused on securely managing and protecting customer data throughout its lifecycle.

13. Use Strong Passwords and Multi-factor Authentication

Fred Reck, InnoTek Computer Consulting

Ensure that you require strong passwords for all cloud users, and preferably use multi-factor authentication.

According to the 2017 Verizon Data Breach Investigations Report, 81% of all hacking-related breaches leveraged either stolen and/or weak passwords. One of the most significant benefits of the Cloud is the ability to access company data from anywhere in the world on any device. On the flip side, from a security standpoint, anyone (aka “bad guys”) with a username and password can potentially access the business’s data. Forcing users to create strong passwords makes it vastly more difficult for hackers to use a “brute force” attack (guessing the password from multiple random characters).

In addition to secure passwords, many cloud services today can utilize an employee’s cell phone as the secondary, physical security authentication piece in a multi-factor strategy, making this accessible and affordable for an organization to implement. Users would not only need to know the password but would need physical access to their cell phone to access their account.

Lastly, consider implementing a feature that would lock a user’s account after a predetermined amount of unsuccessful logins.

Bio: Fred Reck is an Amazon #1 Best Selling Author, technology-industry speaker, and leading consultant based in Central Pennsylvania. Fred has advised over 1100 companies on technology issues through his business InnoTek Computer Consulting.
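The section above recommends three controls: a strong-password requirement, a second factor, and an account lockout after a set number of failed logins. The following is an added example written for this article, not InnoTek's code, showing how the first and third look on the server side: a password-acceptance check and a per-account failure counter that locks the account for a fixed period, with the lockout expiring on its own. The threshold, lockout duration and the tiny common-password list are constructed values for illustration; a real deployment would check against a full breached-password list.

```python
import time
from collections import defaultdict

MIN_LENGTH = 12               # assumed policy value
MAX_FAILED_ATTEMPTS = 5       # assumed policy value
LOCKOUT_SECONDS = 15 * 60     # assumed policy value

# Constructed stand-in for a breached/common-password denylist.
COMMON_PASSWORDS = {"password", "password123", "letmein", "qwerty123", "welcome1"}


def password_strength_issues(pw: str):
    """Return the reasons a proposed password is rejected; an empty list means accepted."""
    issues = []
    if len(pw) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS:
        issues.append("appears in common-password list")
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])
    if classes < 3:
        issues.append("uses fewer than 3 character classes")
    return issues


class LoginGuard:
    """Counts consecutive failed logins per account and locks the account at a threshold."""

    def __init__(self, max_failures=MAX_FAILED_ATTEMPTS, lockout_seconds=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures = defaultdict(int)
        self._locked_until = {}

    def is_locked(self, user: str, now=None) -> bool:
        now = time.time() if now is None else now
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:                      # lockout has expired: clear state
            del self._locked_until[user]
            self._failures[user] = 0
            return False
        return True

    def attempt(self, user: str, password_ok: bool, now=None) -> str:
        """Record one login attempt; returns 'locked', 'ok' or 'failed'.

        A correct password is NOT accepted while the account is locked, otherwise
        the lockout would not slow down a guessing campaign at all.
        """
        now = time.time() if now is None else now
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            self._failures[user] = 0
            return "ok"
        self._failures[user] += 1
        if self._failures[user] >= self.max_failures:
            self._locked_until[user] = now + self.lockout_seconds
            return "locked"
        return "failed"


if __name__ == "__main__":
    print(password_strength_issues("password123"))
    guard = LoginGuard(max_failures=3, lockout_seconds=60)
    for i in range(4):
        print(guard.attempt("alice", password_ok=False, now=1000 + i))
```

Lockout is a trade-off: a low threshold lets anyone lock a known username out of the service, which is why the counter here is per account with an automatic expiry rather than a permanent lock, and why the second factor from the same section matters more than any single threshold.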

14. Enable IP-location Lockdown

Chris Byrne, SensorPro

Companies should enable two-factor authentication and IP-location lockdown for access to the cloud applications they use.

With 2FA, you add another challenge to the usual email/password combination by text message. With IP lockdown you can ring-fence access from your office IP or the IP of remote workers. If the platform does not support this, consider asking your provider to enable it.

Regarding actual cloud platform provision, provide a data at rest encryption option. At some point, this will become as ubiquitous as https (SSL/TLS). Should the unthinkable happen and data ends up in the wrong hands, i.e., a device gets stolen or forgotten on a train, then data at rest encryption is the last line of defense to prevent anyone from accessing your data without the right encryption keys. Even if they manage to steal it, they cannot use it. This, for example, would have ameliorated the recent Equifax breach somewhat.

Bio: Chris Byrne is co-founder and CEO of Sensorpro.
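"Ring-fencing" access to office and remote-worker addresses, as the section above describes, is an allowlist check on the source IP of each request. The following is an added example written for this article, not SensorPro's code; the office range, the remote worker's address and the proxy range are constructed documentation addresses. It also handles the detail that trips up many deployments: when the application sits behind a load balancer, the client address arrives in an X-Forwarded-For header, and that header may only be believed when the direct peer is one of your own proxies.

```python
import ipaddress

# Constructed allowlist: an office range plus one remote worker's static address.
OFFICE_ALLOWLIST = ["203.0.113.0/24", "198.51.100.42/32"]
# Constructed range of our own load balancers / reverse proxies.
TRUSTED_PROXIES = ["10.0.0.0/8"]


def build_allowlist(cidrs):
    """Parse CIDR strings once; ip_network accepts both IPv4 and IPv6."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_source_allowed(source_ip: str, allowlist) -> bool:
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in allowlist)


def effective_client_ip(remote_addr: str, x_forwarded_for=None, trusted_proxies=()) -> str:
    """Pick the address to check against the allowlist.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy; otherwise
    any client could claim an office address simply by sending the header. When the
    proxy is trusted, the LAST entry is the one the proxy itself appended, i.e. the
    address that actually connected to it; earlier entries are client-supplied.
    """
    if x_forwarded_for and is_source_allowed(remote_addr, build_allowlist(trusted_proxies)):
        return x_forwarded_for.split(",")[-1].strip()
    return remote_addr


def authorize_request(remote_addr: str, x_forwarded_for=None):
    """Return the address that was evaluated and whether it passed the IP lockdown."""
    client = effective_client_ip(remote_addr, x_forwarded_for, TRUSTED_PROXIES)
    return {"client_ip": client, "allowed": is_source_allowed(client, build_allowlist(OFFICE_ALLOWLIST))}


if __name__ == "__main__":
    # direct connection from the office, and a spoofing attempt via a forged header
    print(authorize_request("203.0.113.77"))
    print(authorize_request("192.0.2.9", x_forwarded_for="203.0.113.5"))
```

The allowlist only narrows where logins can originate; it complements rather than replaces the second factor, since a compromised laptop on the office network is inside the fence.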

15. Cloud Storage Security Solutions With VPNs

Eric Schlissel, GeekTek

Use VPNs (virtual private networks) whenever you connect to the cloud. VPNs are often used to semi-anonymize web traffic, often by viewers who are geoblocked from accessing streaming services such as Netflix USA or BBC Player. They also provide a crucial layer of security for any device connecting to your cloud. Without a VPN, any potential intruder with a packet sniffer could determine what members were accessing your cloud account and potentially gain access to their login credentials.

Encrypt data at rest. If for any reason a user account is compromised on your public, private or hybrid cloud, the difference between data in plaintext vs. encrypted format can be measured in hundreds of thousands of dollars. Specifically $229,000, the average cost of a cyber attack reported by the respondents of a survey conducted by the insurance company Hiscox. As recent events have shown, the process of encrypting and decrypting this data will prove far more painless than enduring its alternative.

Use two-factor authentication and single sign-on for all cloud-based accounts. Google, Facebook, and PayPal all utilize two-factor authentication, which requires the user to input a unique software-generated code into a form before signing into his/her account. Whether or not your business aspires to their stature, it can and should emulate this core component of their security strategy. Single sign-on simplifies access management, so one pair of user credentials signs the employee into all accounts. This way, system administrators only have one account to delete rather than several that can be forgotten and later re-accessed by the former employee.

Bio: Eric Schlissel is President and CEO of GeekTek, a national managed IT/cyber security firm headquartered in Los Angeles, CA. Through GeekTek, Schlissel manages, secures and scales the IT architecture of businesses in law, medicine, manufacturing, and many other verticals.

16. Beware of the Human Element

Steven J.J. Weisman, Lawyer and Professor at Bentley University

To paraphrase Shakespeare, the fault is not in the cloud; the fault is in us.

Storing sensitive data in the cloud is a good option for data security on many levels. However, regardless of how secure a technology may be, the human element will always present a potential security danger to be exploited by cybercriminals. Many past cloud security breaches have proven not to be due to security lapses by the cloud technology, but rather to actions of individual users of the cloud.

They have unknowingly provided their usernames and passwords to cybercriminals who, through spear phishing emails, phone calls or text messages, persuade people to give the critical information necessary to access the cloud account.

The best way to avoid this problem, along with better education of employees to recognize and prevent spear phishing, is to use dual factor authentication, such as having a one-time code sent to the employee’s cell phone whenever an attempt is made to access the cloud account.

Bio: Steve J.J. Weisman is a lawyer, college professor at Bentley University where he teaches White Collar Crime and is among the country’s leading experts in scams, identity theft, and cybersecurity.

17. Ensure Data Retrieval From A Cloud Vendor

Bob Herman, IT Tropolis

1. Two-factor authentication protects against account fraud. Many users fall victim to email phishing attempts where bad actors dupe the victim into entering their login information on a fake website. The bad actor can then log in to the real site as the victim, and do all sorts of damage depending on the site application and the user access. 2FA ensures a second code must be entered when logging into the application, usually a code sent to the user’s phone.

2. Ensuring you own your data and can retrieve it in the event you no longer want to do business with the cloud vendor is imperative. Most legitimate cloud vendors should specify in their terms that the customer owns their data. Next, you need to confirm you can extract or export the data in some usable format, or that the cloud vendor will provide it to you on request.

Bio: Bob Herman is the Co-Founder and President of IT Tropolis.

18. Real Time and Continuous Monitoring

Sam Bisbee, Threat Stack

1. Create Real-Time Security Observability & Continuous Systems Monitoring

While monitoring is essential in any data environment, it’s critical to emphasize that changes in modern cloud environments, especially those of SaaS environments, tend to occur more frequently; their impacts are felt immediately.

The results can be dramatic because of the nature of elastic infrastructure. At any time, someone’s accidental or malicious actions could severely impact the security of your development, production, or test systems.

Running a modern infrastructure without real-time security observability and continuous monitoring is like flying blind. You have no insight into what’s happening in your environment, and no way to start immediate mitigation when an issue arises. You need to monitor application and host-based access to understand the state of your application over time.

* Monitoring systems for manual user actions. This is especially important in the current DevOps world where engineers are likely to have access to production. It’s possible they are managing systems using manual tasks, so use this as an opportunity to identify processes that are suited for automation.

* Tracking application performance over time to help identify anomalies. Understanding “who did what and when” is fundamental to investigating changes that are occurring in your environment.

2. Set & Continuously Monitor Configuration Settings

Security configurations in cloud environments such as Amazon Direct Connect can be complicated, and it is easy to inadvertently leave access to your systems and data open to the world, as has been proven by all the recent stories about S3 leaks.

Given the changeable (and sometimes volatile) nature of SaaS environments, where services can be created and removed in real time on an ongoing basis, failure to configure services appropriately, and failure to monitor settings can jeopardize security. Ultimately, this will erode the trust that customers are placing in you to protect their data.

By setting configurations against an established baseline and continuously monitoring them, you can avoid problems when setting up services, and you can detect and respond to configuration issues more quickly when they occur.

3. Align Security & Operations Priorities for Cloud Security Solutions and Infrastructure

Good security is indistinguishable from good operations. Too often these teams are at odds inside an organization. Security is sometimes seen as slowing down a business— overly focused on policing the activities of Dev and Ops teams. But security can be a business enabler.

Security should leverage DevOps automation tools and testing, moving from reactive to proactive security policy. They can fully integrate into the speed of business. Aligning on core priorities to security controls and monitoring inside an organization — across network management, user access, the configuration of infrastructure, and vulnerability management across application layer — will drive the business forward, reducing risk across the attack surface and maintaining operational availability.

Bio: As Threat Stack’s CSO, Sam is responsible for leading the Company’s strategic security roadmap for its continuous monitoring service, purpose-built for cloud environments.
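Point 2 above, setting configurations against a baseline and continuously monitoring them, comes down to a repeated diff: the desired state of each security-relevant setting versus what the cloud API reports on this poll, plus a flag for any resource that has appeared with no baseline at all (the "created in real time" case). The following is an added example written for this article, not Threat Stack's code; the resource names, setting keys and both the baseline and observed snapshots are constructed, and the observed snapshot deliberately contains a bucket flipped to public read, a security group opened to the internet, and an unreviewed scratch bucket.

```python
# Constructed baseline: the state each security-relevant setting must be in.
BASELINE = {
    "storage/customer-exports": {"public_read": False, "encryption_at_rest": True, "versioning": True},
    "network/sg-app": {"open_to_internet": ["443"], "ssh_from_internet": False},
}

# Constructed observation: what this cycle's poll of the environment returned.
OBSERVED = {
    "storage/customer-exports": {"public_read": True, "encryption_at_rest": True, "versioning": True},
    "network/sg-app": {"open_to_internet": ["443", "22"], "ssh_from_internet": True},
    "storage/scratch-2f9a": {"public_read": True, "encryption_at_rest": False, "versioning": False},
}

# Settings whose drift to True means data or a service is reachable from the internet.
EXPOSURE_SETTINGS = {"public_read", "ssh_from_internet"}


def diff_against_baseline(baseline, observed):
    """Compare one poll against the baseline.

    Produces one finding per drifted setting, one per baselined resource that has
    disappeared, and one per observed resource that no baseline covers.
    """
    findings = []
    for resource, expected in baseline.items():
        actual = observed.get(resource)
        if actual is None:
            findings.append({"resource": resource, "issue": "missing", "setting": None})
            continue
        for setting, want in expected.items():
            got = actual.get(setting)
            if got != want:
                findings.append({"resource": resource, "issue": "drift", "setting": setting,
                                 "expected": want, "observed": got})
    for resource in sorted(set(observed) - set(baseline)):
        findings.append({"resource": resource, "issue": "unbaselined", "setting": None})
    return findings


def exposure_findings(findings):
    """The subset that opens something to the world; these warrant paging, not just a ticket."""
    return [f for f in findings
            if f["issue"] == "drift" and f["setting"] in EXPOSURE_SETTINGS and f["observed"] is True]


def monitor_once(baseline, observed):
    """One monitoring cycle: everything that drifted, and the urgent subset."""
    findings = diff_against_baseline(baseline, observed)
    return {"findings": findings, "urgent": exposure_findings(findings)}


if __name__ == "__main__":
    report = monitor_once(BASELINE, OBSERVED)
    for f in report["findings"]:
        print(f)
    print("urgent:", len(report["urgent"]))
```

Run on a schedule, this is the "continuous" half of the section: the baseline is the reviewed state, and every poll that returns a non-empty findings list is either an approved change that needs the baseline updated or an unapproved one that needs reverting.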

19. Use Auditing Tools to Secure Data In the Cloud

Jeremy Vance, US Cloud

  1. Use an auditing tool so that you know what all you have in the cloud and what all of your users are using in the cloud. You can’t secure data that you don’t know about.
  2. In addition to finding out what services are being run on your network, find out how and why those services are being used, by whom and when.
  3. Make that auditing process a routine part of your network monitoring, not just a one-time event. And if you don’t have the bandwidth for that, outsource that auditing routine to a qualified third party like US Cloud.

Bio: Jeremy Vance is the Vice President of Technology at US Cloud. He has been in the IT industry for 20-plus years in a variety of leadership positions and roles.

20. Configure Cloud Environment Correctly

Anthony Dezilva, PhoenixNAP

When we think of the cloud, we think of two things: cost savings due to efficiencies gained by using a shared infrastructure, and cloud storage security risk.

Although many published breaches are attributed to cloud-based environment misconfiguration, I would be surprised if this number was more than the reported breaches of non-cloud based environments.

The best cloud service providers have a vested interest in creating a secure multi-tenant environment. Their aggregate spending on creating these environments is far more significant than most companies’ IT budgets, let alone their security budgets. Therefore I would argue that a cloud environment configured correctly provides a far higher level of security than anything a small to medium-sized business can create on-prem.

Furthermore, in an environment where security talent is in grave shortage, there is no way an organization can find, let alone afford, the security talent they need. This results in the next best thing: creating a business associate relationship with a provider that not only has a valid secure infrastructure but also provides cloud monitoring security solutions.

Cloud Security Threats: Need to know

  • Architect solution as you would any on-prem design process;
  • Take advantage of application services layering and micro-segmentation;
  • Use transaction processing layers with strict ACLs that control inter-process communication. Use PKI infrastructure to authenticate and encrypt inter-process communication;
  • Utilize advanced firewall technology including WAF (Web Access Firewalls) to front-end web-based applications, to minimize the impact of vulnerabilities in underlying software;
  • Leverage encryption right down to record level;
  • Accept that it is only a matter of time before someone breaches your defenses; plan for it. Architect all systems to minimize the impact should it happen;
  • A flat network is never okay!
  • Robust change control process, with weekly patch management cycle;
  • Maintain offline copies of your data, to mitigate the risk of cloud service collapse, or malicious attack that wipes your cloud environment;
  • Contract with 24×7 security monitoring services that have an incident response component.

Bio: Anthony Dezilva is an Information Security/Assurance Leader (CISO), Global Management Executive, and Educator. As a Development Manager of Security Services at phoenixNAP, he is helping take cloud data security to the next level.
