The lack of an ‘edge’ that clearly defines the cloud environment your organisation is considering sending its data to can make that environment appear difficult to protect. In fact, security has been a major inhibitor to cloud adoption in ‘traditional’ businesses.
A cloud environment can provide a number of additional points of entry for an attacker. Insecure mobile phones are used to access your network. A contractor on your network uses a web application that has an embedded vulnerability. A database administrator at the cloud provider shares a password with someone. These are just some of the scenarios that keep your CISO awake at night.
Increasingly, staff, customers, suppliers and business partners want to access corporate applications and data via mobile devices and the cloud. Protecting the edge of the network is no longer enough. The traditional perimeter is disappearing, so what can you do to help ensure security in the cloud?
1. Know Who Can Access What
Privileged users in your organisation, DB administrators and staff with access to highly valuable intellectual property or commercially sensitive information should be given training on securely handling data. They should be subject to stronger access control and receive a higher level of scrutiny in terms of logging and audit trails.
2. Limit Data Access Based on Role and Context
The level of access to data in the cloud should depend on who and where the user is and what device they are using. For example, a hospital doctor during regular working hours could have full access to patient records. However, when he is using his mobile phone from Starbucks during his lunch hour, he should have to go through additional sign-on steps and have more limited access to sensitive data.
3. Risk-Based Approach
Take a risk-based approach to securing assets accessed in the cloud. Identify areas of highly sensitive or valuable data and provide extra protection in terms of access control, encryption and monitoring around those assets.
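Steps 2 and 3 combined, as an added example that is not part of the original article: a Python access decision in which each risk signal (untrusted network, unmanaged device, outside working hours) lowers the sensitivity tier a session may read and forces additional sign-on. The role table, network names, working hours and tier numbers are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time

# Assumed policy tables, constructed for this example (not from the article).
ROLE_CLEARANCE = {"doctor": 3, "nurse": 2, "contractor": 1}  # highest tier a role may read
TRUSTED_NETWORKS = {"hospital-lan"}
WORK_START, WORK_END = time(8, 0), time(18, 0)

@dataclass(frozen=True)
class Request:
    role: str
    network: str          # where the user is connecting from
    device_managed: bool  # enrolled in MDM and patched
    local_time: time
    sensitivity: int      # 1 = low ... 3 = highly sensitive record

@dataclass(frozen=True)
class Decision:
    allow: bool
    step_up_auth: bool    # additional sign-on steps required
    ceiling: int          # highest tier readable in this context
    signals: tuple        # risk signals that lowered the ceiling

def decide(req: Request) -> Decision:
    clearance = ROLE_CLEARANCE.get(req.role, 0)  # unknown role: no access
    signals = []
    if req.network not in TRUSTED_NETWORKS:
        signals.append("untrusted network")
    if not req.device_managed:
        signals.append("unmanaged device")
    if not (WORK_START <= req.local_time <= WORK_END):
        signals.append("outside working hours")
    # Each signal lowers the readable tier by one; never below zero.
    ceiling = max(clearance - len(signals), 0)
    allow = 1 <= req.sensitivity <= ceiling
    # Any risk signal on an allowed request forces extra sign-on.
    return Decision(allow, allow and bool(signals), ceiling, tuple(signals))

if __name__ == "__main__":
    ward = Request("doctor", "hospital-lan", True, time(10, 0), 3)
    cafe = Request("doctor", "public-wifi", False, time(12, 30), 3)
    print(decide(ward))  # full access, no step-up
    print(decide(cafe))  # denied: ceiling drops to tier 1
```

Logging every `Decision` together with its `signals` gives the audit trail that step 6 asks for.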
4. Device Security
Extend security out to the device. Make sure that company data is isolated from personal data on mobile devices. Use a Mobile Device Management (MDM) solution to ensure that devices are always running the latest level of software and most recent security patches. The MDM solution should also have remote wipe capability. Be sure to scan mobile applications to check for vulnerabilities.
5. Network Protection
Add intelligence to network protection. The network still needs to be protected in the cloud. The network infrastructure may be virtual, but the security requirements are the same as for on-premise network infrastructure. Network protection devices need to provide extra control in terms of segregation and access control, with analytics providing insight into who is accessing what content and applications.
6. See Through the Cloud
Build in visibility, detailed logging and an audit trail. Implement security systems which validate user IDs and passwords and capture the security data necessary for regulatory compliance and forensic investigation. The aim is to generate meaningful information about a potential attack or security risk from the ocean of security log data. The security analysis capability of an appropriate SIEM solution can prove invaluable. Adding this layer of advanced analytics will bring all your important security data together to provide real-time visibility into both the data centre and cloud infrastructure.
Cloud infrastructure has an ever-evolving perimeter. Security is an important factor in cloud deployments, and by building in the security capabilities described in the above steps, you can better manage and protect people, data and devices in the cloud.