According to a recent report by McAfee, the average employee actively uses 36 cloud services at work, and a lot of the data that gets stored using these services is sensitive (18.1%). Such data includes financial records, business plans, Social Security numbers, credit and debit card numbers, protected health information, and so on. The above figures highlight the importance of a tight cloud-security strategy. Below are some tips to help you get started:
Security Awareness Training & Policy Enforcement
According to a recent survey carried out by Oracle and KPMG, 97% of respondents said they require cloud services to be approved by the IT/security team, and as many as 82% of respondents are concerned that employees were violating those policies. With this in mind, it is crucial that organizations introduce an ongoing security awareness training program, which clearly explains the company’s security policies, and why it is important to adhere to them.
Encryption & Key Storage
It goes without saying that if you are going to store sensitive data in the cloud, it must be encrypted, both at rest and in transit. Doing so is not only a good security practice, but it is a regulatory requirement for most organizations. When storing encrypted data on the cloud, organizations must have control over their encryption keys. While most cloud service providers provide a number of easy-to-use solutions for encrypting data, it is still not advisable to store these keys in the same place as where the encrypted data resides.
Auditing & Reporting
Naturally, it is a good idea to audit and report on important changes to any sensitive data we store on the cloud. According to the above survey by Oracle and KPMG, 38% of respondents said they face issues detecting and reacting to threats in the cloud. While most popular cloud-service providers will provide some form of native auditing capabilities, they typically have limited functionality when compared to sophisticated DCAP (Data-Centric Audit & Protection) solutions. Not only that, but many companies use multiple cloud-services, which makes monitoring and correlating events more complicated.
Cloud auditing solutions such as LepideAuditor are able to aggregate log data from multiple sources, such as AWS, Dropbox, Office365, and OneDrive, and display a summary of events via a single intuitive dashboard. Not only that, but they provide real-time alerts and a wide range of customized reports, which can be used to satisfy regulatory compliance requirements.
Passwords & Authentication
Most enterprises are still relying on the same password-based authentication methods that have been used since the dawn of multi-user systems. However, these authentication systems – even those that demand extra-strong passwords – are sometimes breached. There are various techniques that can be used to help prevent brute-force password attacks, such as storing only a “salted hash” of each password; however, it is still probably a good idea for organizations to use more advanced authentication methods when using cloud-based services, such as multi-factor authentication. As always, companies must adhere to the “principle of least privilege” when assigning access rights, to ensure that employees only have access to the data they need to adequately carry out their duties.