The impact of the COVID-19 pandemic saw the adoption of digital transformation significantly increase in 2020, with businesses introducing new remote ways of working as a result. Part of this meant more and more of our work and information moved online with the additional surge in the use of cloud tools.
For those businesses new to cloud services, and those having to quickly adapt to the changing workplace, overlooking the importance of cloud security could mean damaging consequences. Even the biggest technology providers, including AWS, Google Cloud, Microsoft Azure and IBM, offer a variety of cloud and security tools and face regular attacks by hackers.
Keeping your cloud secure, as well as the devices that access it, can be complicated, so it’s essential that your organisation has strong security policies and guidelines. All staff need to be aware of their software services and how to correctly protect their devices, as well as what they should do if they are affected by an attack.
What is cloud security?
As cloud services involve data travelling to and from you and your business to an online data centre for processing or storage, cloud security is the protection of this information, as well as the applications within that cloud, whether that be public, private, or hybrid.
Cloud security could include implementing tools such as firewalls, VPNs, password managers and other controls that regulate access to data. This is because it's not the cloud itself that needs to be secured, but the various points of entry there are, be it through login credentials for an app or restricting the number and variety of devices that can access the data stored there.
Why is cloud security important?
Cloud security is important because the information your business stores in the cloud is often highly valuable, particularly if it's customer data. AI technologies, targeted ads, prediction models with machine learning, they all require data, large swathes of it, and if your cloud isn't secure your data could be accessed by an unauthorised and potentially malicious third party.
What's more, not having a suitably secured cloud will leave your business in violation of GDPR, which came into force in May 2018. If a company is found to be in violation of this regulation and suffers a breach, it could face a potential fine of up to 20 million euros or 4% of global turnover whichever is higher.
The mere fact that your data is sitting on somebody else's infrastructure is no excuse, either. If you didn't take reasonable steps to secure the information stored on the cloud yourself, you could still be found in breach of GDPR.
Patching leaks
In 2017, the US National Security Agency (NSA), part of the country's defence department, had 100GB of sensitive data exposed through poor security practices. An image of a virtual copy of one of its hard drives was left unprotected on a public Amazon S3 server. Anyone who knew the web address where the data was stored could freely access it, causing considerable embarrassment for an organisation that deals in security.
This isn't an isolated incident either, as unsecured S3 buckets are frequently at the centre of significant data breaches. In the same year, at least two million Dow Jones customers had their personal details exposed on the web in the same way.
Worse, this type of breach is also still happening. Security firm UpGuard revealed IT services firm Attunity had left at least 1TB of data belonging to high profile customers such as Netflix and Ford in several unsecured AWS S3 Buckets.
"If the right hand does not know what the left hand is doing, the entire body will be injured," said UpGuard cyber resilience analyst Dan O'Sullivan. "The Defense Department must have full oversight into how their data is handled by external partners and be able to react quickly should a disaster strike."
Best Practices
None of this is to say you shouldn't use the cloud at all. In fact, for most businesses, some of the larger providers will have significantly greater resources for securing data than they could ever reasonably have.
However, as the examples above show, simply opting for a well-established service cloud doesn't mean you can just sit back and do nothing. The responsibility to secure cloud environments still rests on the shoulders of the businesses using the platform. To ensure your cloud-hosted data is as safe as possible, there are some best practices you can follow.
Firstly, it's important to establish who can access your resources and from where. Responsibility for this rests squarely with the IT department and it's a good idea to give a couple of team members dedicated responsibility for this task. Blanket policies for access are also a bad idea. Security parameters should be set by role, so only those who need to can make changes to a data record (such as a database) and who only has viewing permissions -- and who has no access rights at all.
Secondly, while cloud computing enables access from virtually anywhere, it doesn't mean that should be the case. Measures should be taken to ensure only certain information can be accessed if the user is connecting via public Wi-Fi, for example, and it's also a good idea to restrict access for unrecognised or unsanctioned devices.
It's important to decide what is most valuable to your organisation. It's not wise to protect everything with the same controls as it won't be an effective use of your resources. Instead, it's advisable to focus greater security on the data that really matters.
Future-proofing is also crucial. The events of 2020 have taken all of us by surprise, but some organisations had the business resilience and agility to ride the wave of disruption more successfully than others. It’s been widely reported that cyber crime has been on the rise over the last few months – and a big reason for this is that criminals know full well that a black swan event like COVID-19 can leave businesses in chaos and their systems vulnerable.
What we can learn from this is not just the importance of prioritising securing your organisation to meet your current needs, but looking at contingency planning and agility too. While we may not have another year like 2020 for a long time, disruption is always a possibility, and organisations must be prepared for it. This means ensuring you have robust cloud security plans in place if your current setup changes. Is your system secure enough to manage employees working from home networks or public Wi-Fi? Have you got the means to be flexible with access if roles or working arrangements change? Do you have the tools in place to spot and adapt to new security threats?
Finally, do remember to ensure the data you store in the cloud isn't accessible via the open internet for anyone and everyone to see – your cloud provider will have information on how to do this if it isn't a default setting.
