“Cloud computing brings tremendous benefits to business, but these models also raise questions around compliance and shared responsibility for data protection”
Security in the cloud is no longer solely the customer's concern. It is a shared responsibility model that the customer and the cloud service provider agree to establish, covering:
- Security measures that the cloud service provider implements and operates including physical security.
- Security measures that the customer implements and operates, related to the security of customer content and applications that make use of cloud services.
Common Threats
Environmental Security — The concentration of computing resources and users in a cloud computing environment also represents a concentration of security threats. Because of their size and significance, cloud environments are often targeted by virtual machines and bot malware, brute force attacks, and other attacks. Ask your cloud provider about access controls, vulnerability assessment practices, and patch and configuration management controls to see that they are adequately protecting your data.
Data Privacy and Security — Hosting confidential data with cloud service providers involves the transfer of a considerable amount of an organization’s control over data security to the provider. Encryption becomes crucial to protect the confidentiality and privacy of the data while in transit and in storage. You also need to ensure that proper access and monitoring controls are in place.
Make sure your vendor understands your organization’s data privacy and security needs. Also, make sure your cloud provider is aware of particular data security and privacy rules and regulations that apply to your entity, such as HIPAA, the Payment Card Industry Data Security Standard (PCI DSS), the Federal Information Security Management Act (FISMA), or the privacy considerations.
Data Availability and Business Continuity — Should a disaster occur, organizations must ascertain what steps the provider will take to protect data and continue service. Does the provider have the ability to do a complete restoration of all data, and how long will it take? Customers should evaluate the provider’s business continuity capabilities and ensure they meet the requirements specified in the service level agreement.
Disaster Recovery — Hosting your computing resources and data at a cloud provider makes the cloud provider’s disaster recovery capabilities vitally important to your company’s disaster recovery plans. Know your cloud provider’s disaster recovery capabilities and ask your provider if they have been tested.
Cloud Outages – In reality, there is no failure-proof cloud. Recent cloud outages at Microsoft, Amazon and others are alarming reminders that cloud services are not perfect. They can be interrupted despite the promises of skilled advertisers, meaning cloud computing risk management should also involve managing the risk of cloud outages.
Recommendations to establish a good cloud security model
Secure your Endpoints – Customer access points, also called API endpoints, should be secured using SSL/TLS certificates. Always use secured HTTPS for access to your cloud applications.
Virtual Networks & Private Subnets – Virtual networks give you complete isolation of, and access to, your cloud resources. You can also add another layer of network security to your cloud resources by creating private subnets within your virtual network and even adding a VPN tunnel between your home network and your cloud network.
Use Firewalls – You can control access to your instances by configuring appropriate firewall rules. This is vital for your cloud security. You should have clear control over all egress as well as ingress traffic.
Data Encryption – Most cloud providers offer built-in support for encryption of data in transit and data at rest. Plan and use them appropriately.
User & Access Management – You should establish control over the level of access your own users have to your cloud infrastructure. Each user should have unique security credentials, eliminating the need for shared passwords or keys, and you should follow the security best practices of role separation and least privilege.
Multi-factor authentication – Many cloud providers support built-in multi-factor authentication (MFA). Make use of it.
Audit Trail – Log all user activity within your cloud account. You should be able to see what actions were performed on each of your cloud resources and by whom. All cloud providers provide the necessary tools for security analysis, resource change tracking, and compliance auditing.
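The recommendations above can be expressed as automated checks. The following is an added example, not part of the original article: it audits a constructed, provider-neutral account inventory against them. The inventory layout, its field names, and the policy that only port 443 may be open to all addresses are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Constructed, provider-neutral inventory; every field name here is hypothetical.
ACCOUNT = {
    "endpoints": ["https://api.example.test", "http://admin.example.test"],
    "firewall": [
        {"dir": "ingress", "cidr": "0.0.0.0/0", "port": 443},
        {"dir": "ingress", "cidr": "0.0.0.0/0", "port": 22},
        {"dir": "ingress", "cidr": "10.0.1.0/24", "port": 5432},
        {"dir": "egress", "cidr": "0.0.0.0/0", "port": None},  # None = all ports
    ],
    "volumes": [{"name": "db-data", "encrypted": True},
                {"name": "logs", "encrypted": False}],
    "users": [{"name": "alice", "key_id": "K1", "mfa": True},
              {"name": "bob", "key_id": "K2", "mfa": False},
              {"name": "ci", "key_id": "K2", "mfa": True}],
    "audit_logging": False,
}

def is_open(cidr):
    """True when the CIDR covers every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr).prefixlen == 0

def audit(acct):
    """Return a sorted list of (check, detail) findings."""
    out = []
    for url in acct["endpoints"]:
        if not url.lower().startswith("https://"):
            out.append(("endpoint-not-https", url))
    for r in acct["firewall"]:
        if not is_open(r["cidr"]):
            continue  # rule is scoped to a specific network
        if r["dir"] == "ingress" and r["port"] != 443:
            out.append(("open-ingress", str(r["port"])))
        elif r["dir"] == "egress" and r["port"] is None:
            out.append(("unrestricted-egress", r["cidr"]))
    for v in acct["volumes"]:
        if not v["encrypted"]:
            out.append(("unencrypted-volume", v["name"]))
    shared = {k for k, n in Counter(u["key_id"] for u in acct["users"]).items() if n > 1}
    for u in acct["users"]:
        if u["key_id"] in shared:
            out.append(("shared-key", u["name"]))
        if not u["mfa"]:
            out.append(("no-mfa", u["name"]))
    if not acct["audit_logging"]:
        out.append(("audit-logging-off", "account"))
    return sorted(out)
```

Calling `audit(ACCOUNT)` returns one finding per violated recommendation; an inventory that satisfies all of them returns an empty list.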