What is cloud security?
Storing data in the cloud has many benefits, but failure to secure it can lead to very real consequences
The pace of digital transformation increased rapidly in 2020 due to the onset of the COVID-19 pandemic and the mass shift to remote working that followed. As a result, and due to the need for business continuity, factories, offices, and even restaurants and coffee shops tapped into cloud computing, taking our lives and our information even further online.
With more data being generated, processed, and stored, particularly by businesses that are new to the cloud, security is now more important than ever. What's more, cloud computing security isn't exactly simple.
From controlling which employees have access to which services, to securing each device they use, keeping a cloud environment protected from every potential entry point is a daunting task, not to mention the work that goes into making sure databases and storage systems are correctly configured.
Even the biggest providers of cloud technology have fallen foul of security mishaps. AWS, Google Cloud Platform, Microsoft Azure, and IBM offer a wide range of services and tools for cloud and security, but they also fight daily battles to protect customers from phishing, DDoS attacks, and unauthorised access.
This is why it is imperative that you and your organisation have strong security policies and guidelines from top to bottom. Everyone in the office needs to know how to protect their devices, their software services, and what to do in the very likely event of an attack. Because the threats facing your cloud environment are many and varied.
What is cloud security?
The cloud is a method of computing and storage that's accessible via the internet. It involves data travelling to and from you and your business to a datacentre to be processed or stored for certain tasks. For instance, when you ask an Amazon Echo device a question, that data is processed in a data centre and sent back to the device for Alexa to respond in real-time.
Cloud security is the protection of this data and also the applications and services you keep within a cloud environment, whether that be public, private, or hybrid. This could include implementing tools such as firewalls, VPNs, password managers and other controls that regulate access to data.
This is because it's not the cloud itself that needs to be secured, but the various points of entry there are, be it through login credentials for an app or restricting the number and variety of devices that can access the data stored there.
Why is cloud security important?
Cloud security is important because the information your business stores in the cloud is often highly valuable, particularly if it's customer data. AI technologies, targeted ads, prediction models with machine learning, they all require data, large swathes of it, and if your cloud isn't secure your data could be accessed by an unauthorised and potentially malicious third party.
Why you need to include the cloud in your disaster recovery plan
Preserving data for business successDownload now
What's more, not having a suitably secured cloud will leave your business in violation of GDPR, which came into force in May 2018. If a company is found to be in violation of this regulation and suffers a breach, it could face a potential fine of up to 20 million euros or 4% of global turnover whichever is higher.
The mere fact that your data is sitting on somebody else's infrastructure is no excuse, either. If you didn't take reasonable steps to secure the information stored on the cloud yourself, you could still be found in breach of GDPR.
In 2017, the US National Security Agency (NSA), part of the country's defence department, had 100GB of sensitive data exposed through poor security practices. An image of a virtual copy of one of its hard drives was left unprotected on a public Amazon S3 server. Anyone who knew the web address where the data was stored could freely access it, causing considerable embarrassment for an organisation that deals in security.
This isn't an isolated incident either, as unsecured S3 buckets are frequently at the centre of significant data breaches. In the same year, at least two million Dow Jones customers had their personal details exposed on the web in the same way.
Worse, this type of breach is also still happening. Security firm UpGuard revealed IT services firm Attunity had left at least 1TB of data belonging to high profile customers such as Netflix and Ford in several unsecured AWS S3 Buckets.
"If the right hand does not know what the left hand is doing, the entire body will be injured," said UpGuard cyber resilience analyst Dan O'Sullivan. "The Defense Department must have full oversight into how their data is handled by external partners and be able to react quickly should a disaster strike."
None of this is to say you shouldn't use the cloud at all. In fact, for most businesses, some of the larger providers will have significantly greater resources for securing data than they could ever reasonably have.
However, as the examples above show, simply opting for a well-established service cloud doesn't mean you can just sit back and do nothing. The responsibility to secure cloud environments still rests on the shoulders of the businesses using the platform. To ensure your cloud-hosted data is as safe as possible, there are some best practices you can follow.
Firstly, it's important to establish who can access your resources and from where. Responsibility for this rests squarely with the IT department and it's a good idea to give a couple of team members dedicated responsibility for this task. Blanket policies for access are also a bad idea. Security parameters should be set by role, so only those who need to can make changes to a data record (such as a database) and who only has viewing permissions -- and who has no access rights at all.
Secondly, while cloud computing enables access from virtually anywhere, it doesn't mean that should be the case. Measures should be taken to ensure only certain information can be accessed if the user is connecting via public Wi-Fi, for example, and it's also a good idea to restrict access for unrecognised or unsanctioned devices.
It's important to decide what is most valuable to your organisation. It's not wise to protect everything with the same controls as it won't be an effective use of your resources. Instead, it's advisable to focus greater security on the data that really matters.
Future-proofing is also crucial. The events of 2020 have taken all of us by surprise, but some organisations had the business resilience and agility to ride the wave of disruption more successfully than others. It’s been widely reported that cyber crime has been on the rise over the last few months – and a big reason for this is that criminals know full well that a black swan event like COVID-19 can leave businesses in chaos and their systems vulnerable.
What we can learn from this is not just the importance of prioritising securing your organisation to meet your current needs, but looking at contingency planning and agility too. While we may not have another year like 2020 for a long time, disruption is always a possibility, and organisations must be prepared for it. This means ensuring you have robust cloud security plans in place if your current setup changes. Is your system secure enough to manage employees working from home networks or public Wi-Fi? Have you got the means to be flexible with access if roles or working arrangements change? Do you have the tools in place to spot and adapt to new security threats?
Finally, do remember to ensure the data you store in the cloud isn't accessible via the open internet for anyone and everyone to see – your cloud provider will have information on how to do this if it isn't a default setting.
Edge-enabled mobility of the future
Turning vehicle data into valueDownload now
Modern networking for the borderless enterprise
Five ways top organisations are optimising networking at the edgeDownload now
Address multi-cloud configuration risks
Cloud security challenges and how to overcome themWatch now
The total economic impact of IBM Security Verify
Cost savings and business benefits enabled by IBM Security VerifyDownload now