Cloud security remains a sticking point for many companies. C-suite executives consistently list security among their top concerns when it comes to cloud migration or adoption, and millions of dollars are spent each year devising new techniques to thwart attackers. MIT researchers have even developed a chip-level method to conceal memory-access patterns and enhance cloud security. However, advanced precautions are meaningless if companies don’t effectively prepare their cloud infrastructure for the challenges the cloud introduces.
Here are six tips for effective cloud security to support your security efforts:
The first step in robust cloud infrastructure security? Deal with the password problem. Left to their own devices, employees and executives alike will use easy-to-remember and easy-to-guess passwords and reuse those passwords across multiple services and devices. While this speeds access and eliminates the issue of forgotten passwords and help desk calls, it also gives malicious actors an easy way into the system. Brute-force attacks against such passwords succeed quickly, and once a single set of reused login credentials has been compromised, attackers have access to every system that accepts them.
To prevent this problem, develop a strong password policy before moving to the cloud. There are two schools of thought on the most effective type of passwords. The first is common practice: passwords should be at least 10 characters long and include a combination of letters and numbers, along with at least one symbol. You can also enforce the creation of passphrases, which are sets of seemingly unrelated words that are easy for users to remember but hard for attackers to guess.
No matter which method you choose, it must be applied across the enterprise and without exception. To streamline this effort, opt for password management software that automatically enforces the policies you create and manages all passwords across the enterprise as a whole.
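As an added illustration of the two policies just described (example code, not from the original post), the checker below accepts a secret that satisfies either the complexity rule stated above (at least 10 characters, letters, digits and a symbol) or a passphrase rule; the minimum word count of 4 and the "no repeated words" rule are assumptions, and the sample inputs are constructed.

```python
import re
import string

# Thresholds from the page: at least 10 characters with letters, digits and a symbol.
MIN_LENGTH = 10
# Passphrase minimum word count is an assumption, not stated on the page.
MIN_WORDS = 4
SYMBOLS = set(string.punctuation)


def complexity_failures(password: str) -> list[str]:
    """Return the rules the password breaks; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        failures.append("no letters")
    if not any(c.isdigit() for c in password):
        failures.append("no digits")
    if not any(c in SYMBOLS for c in password):
        failures.append("no symbol")
    return failures


def passphrase_failures(phrase: str) -> list[str]:
    """A passphrase is several distinct words separated by spaces or hyphens."""
    words = [w for w in re.split(r"[\s-]+", phrase.strip()) if w]
    failures = []
    if len(words) < MIN_WORDS:
        failures.append(f"fewer than {MIN_WORDS} words")
    if len({w.lower() for w in words}) != len(words):
        failures.append("repeated words")  # assumed rule: repeats shrink the guess space
    if any(len(w) < 3 for w in words):
        failures.append("word shorter than 3 characters")
    return failures


def evaluate(secret: str) -> dict:
    """Accept the secret if it satisfies either school of thought."""
    complexity = complexity_failures(secret)
    passphrase = passphrase_failures(secret)
    return {
        "accepted": not complexity or not passphrase,
        "complexity_failures": complexity,
        "passphrase_failures": passphrase,
    }


if __name__ == "__main__":
    for sample in ("Summer2019", "Tr0ub4dor&3", "correct horse battery staple"):
        print(sample, "->", evaluate(sample))
```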
Of course, passwords are just the beginning. The next step in securing cloud infrastructure is authentication: ideally, you want two-factor or better. Passwords are the first factor: something a user knows. Second-factor tools include physical items such as tokens or USB devices: something a user has. Advancements in biometric security now make it possible to choose three-factor authentication software, which relies on fingerprints, iris scans or voice recognition: something a user is. This software lets you set how many factors are required to enter each system, giving you granular control over all network endpoints.
Beyond authentication and password protection is access. As noted by Cloud Tweaks, it’s not enough to simply protect your data and infrastructure — you need to know who’s accessing it, and why. This means leveraging software tools that allow you to manage access permissions on a per-user basis and remove or add new permissions as required. Users should only have access to files they need to complete tasks they’re actively working on, while all other access should be removed.
The same goes for C-suite executives; unless they’re directly involved in a project, access is not required. By taking the time to establish effective access policies backed by strong software before moving to the cloud, you start from a position of security rather than trying to retroactively rein in network access.
No cloud is perfect. Public clouds in particular come with the risk of security breaches through shared services, meaning it’s in your best interest to discover weak spots before they become gaping security holes. First, minimize the number of potential weak spots by using cloud service providers that meet basic standards such as ISO 27001, ISAE3402/SSAE16 or CSA STAR. This helps eliminate unexpected security issues and provides a starting point for recovery in the event of a breach.
Next, find a reputable and rigorous security software provider to run regular penetration tests and failure drills to see what crops up — and why. By identifying attack vectors before malicious actors have the chance, you can eliminate the element of surprise.
As noted by Business News Daily, businesses must prepare for the worst. This means prepping cloud infrastructure for the possibility of total failure at the hands of a natural disaster, malware infection or persistent attack, along with installing failure-mitigation software, which automatically creates and stores critical file backups.
Here, the idea is to choose a cloud provider that has robust disaster recovery services in place — such as hot-swap servers that can keep your business up and running even if local stacks fail entirely — along with spending on small-scale, on-site services to help bridge the gap as needed. Bottom line? Failure is failure, regardless of the cause. Planning to fail lowers the impact.
Finally, it’s important to move the edge of security into the cloud. Tech Radar describes this as “moving the perimeter,” which requires throwing out the notion that traditional firewall-based defenses are enough to handle the sheer number of new endpoints — everything from mobile devices to wireless sensors and third-party access requests. Your best bet? Tap security experts with cutting-edge software platforms. Many security products can now be delivered as a service, giving you both visibility and control over your cloud perimeter.
Bottom line? Any discussion of security in the cloud requires the expansion of traditional IT responsibilities, coupled with security expectations baked into any cloud provider SLA. The perimeter has already shifted; corporate security needs to catch up.
Is your company ready for the cloud? Take a hard look at security: Passwords, authentication, access, weak spots, failure and new-edge protection are best handled before you make the leap.
[Photo courtesy of Flickr user Perspecsys Photos.]