From the very beginning of the cloud computing era, security has been the biggest concern among enterprises considering the public cloud. For many organizations, the idea of storing data or running applications on infrastructure that they do not manage directly seems inherently insecure.
CloudPassage’s 2021 AWS Cloud Security Report found that misconfiguration of cloud platforms (71 percent), exfiltration of sensitive data (59 percent), and insecure APIs (54 percent) are the top cloud security threats facing cybersecurity professionals. In addition, 95 percent of survey respondents confirmed that they are extremely to moderately concerned about public cloud security.
Those concerns are certainly justified. According to IDC’s 2021 State of Cloud Security Report, 79 percent of surveyed companies reported a cloud data breach in the last 18 months. Public cloud infrastructure as a service (IaaS) may be less vulnerable than traditional data centers, but that doesn’t mean it’s without its own set of risks. Enterprises that don’t want to be part of that statistic should understand and implement cybersecurity best practices when it comes to their cloud infrastructure.
What is cloud security?
Cloud security consists of all the technologies and processes that ensure an organization’s cloud infrastructure is protected against internal and external cybersecurity threats. As more enterprises look to the cloud as the future of business, cloud security is an absolute necessity to maintain continuity. Cloud security makes sure the lights stay on so businesses can focus on driving progress.
12 steps of the best practices for cloud security
Cloud security is constantly evolving, but a handful of best practices have remained constant for ensuring the security of cloud environments. Organizations that have existing cloud solutions in place or are looking to implement them should consider these tips and tools to ensure that sensitive applications and data don’t fall into the wrong hands.
Jump to each step of cloud security best practices:
- Understand your shared responsibility model
- Ask your cloud provider detailed security questions
- Deploy an identity and access management solution
- Train your staff
- Establish and enforce cloud security policies
- Secure your endpoints
- Encrypt data in motion and at rest
- Use intrusion detection and prevention technology
- Double-check your compliance requirements
- Consider a CASB vendor
- Conduct audits and penetration testing
- Enable security logs
1. Understand your shared responsibility model
In a private data center, the enterprise is solely responsible for all security issues. But in the public cloud, things are much more complicated. While the buck ultimately stops with the cloud customer, the cloud provider assumes the responsibility for some aspects of IT security. Cloud and security professionals call this a shared responsibility model.
Leading IaaS and platform as a service (PaaS) vendors like Amazon Web Services (AWS) and Microsoft Azure provide documentation to their customers so all parties understand where specific responsibilities lie according to different types of deployment. The diagram below, for example, shows that application-level controls are Microsoft’s responsibility with software as a service (SaaS) models, but it is the customer’s responsibility in IaaS deployments. For PaaS models, Microsoft and its customers share the responsibility.
Enterprises that are considering a particular cloud vendor should review its policies about shared security responsibilities and understand who is handling the various aspects of cloud security. That can help prevent miscommunication and misunderstanding. More importantly, though, clarity about responsibilities can prevent security incidents that occur as a result of a particular security need falling through the cracks.
2. Ask your cloud provider detailed security questions
In addition to clarifying shared responsibilities, organizations should ask their public cloud vendors detailed questions about the security measures and processes they have in place. It’s easy to assume that the leading vendors have security handled, but security methods and procedures can vary significantly from one vendor to the next.
To understand how a particular cloud provider compares, organizations should ask a wide range of questions, including:
- Where do the provider’s servers reside geographically?
- What is the provider’s protocol for suspected security incidents?
- What is the provider’s disaster recovery plan?
- What measures does the provider have in place to protect various access components?
- What level of technical support is the provider willing to provide?
- What are the results of the provider’s most recent penetration tests?
- Does the provider encrypt data while in transit and at rest?
- Which roles or individuals from the provider have access to the data stored in the cloud?
- What authentication methods does the provider support?
- What compliance requirements does the provider support?
3. Deploy an identity and access management solution
The fourth biggest threat to public cloud security identified in CloudPassage’s report is unauthorized access (and growing – 53 percent, up from 42 percent in 2020). While hackers’ methods of gaining access to sensitive data are becoming more sophisticated with each new attack, a high-quality identity and access management (IAM) solution can help mitigate these threats.
Experts recommend that organizations look for an IAM solution that allows them to define and enforce access policies based on least privilege. These policies should also be based on role-based permission capabilities. Additionally, multi-factor authentication (MFA) can further reduce the risk of malicious actors gaining access to sensitive information, even if they manage to steal usernames and passwords.
Organizations may also want to look for an IAM solution that works in hybrid environments that include private data centers as well as cloud deployments. This can simplify authentication for end users and make it easier for security staff to ensure that they are enforcing consistent policies across all IT environments.
Read more: Best IAM Tools & Solutions for 2021
4. Train your staff
To prevent hackers from getting their hands on access credentials for cloud computing tools, organizations should train all workers on how to spot cybersecurity threats and how to respond to them. Comprehensive training should include basic security knowledge like how to create a strong password and identify possible social engineering attacks as well as more advanced topics like risk management.
Perhaps most importantly, cloud security training should help employees understand the inherent risk of shadow IT. At most organizations, it’s all too easy for staff to implement their own tools and systems without the knowledge or support of the IT department. Without top-to-bottom visibility of all systems that interact with the company’s data, there’s no way to take stock of all vulnerabilities. Enterprises need to explain this risk and hammer home the potential consequences for the organization.
Organizations also need to invest in specialized training for their security staff. The threat landscape shifts on a daily basis, and IT security professionals can only keep up if they are constantly learning about the newest threats and potential countermeasures.
5. Establish and enforce cloud security policies
All organizations should have written guidelines that specify who can use cloud services, how they can use them, and which data can be stored in the cloud. They also need to lay out the specific security technologies that employees must use to protect data and applications in the cloud.
Ideally, security staff should have automated solutions in place to ensure that everyone is following these policies. In some cases, the cloud vendor may have a policy enforcement feature that is sufficient to meet the organization’s needs. In others, the organization may need to purchase a third party solution like CASB that offers policy enforcement capabilities.
Zero trust is one such technology that offers a refined control over policy enforcement. Tools in this category work with other systems to determine how much access each user needs, what they can do with that access, and what it means for the broader organization.
Read more: Best Zero Trust Security Solutions for 2021
6. Secure your endpoints
Using a cloud service doesn’t eliminate the need for strong endpoint security—it intensifies it. New cloud computing projects offer an opportunity to revisit existing strategies and ensure the protections in place are adequate to address evolving threats.
A defense-in-depth strategy that includes firewalls, anti-malware, intrusion detection, and access control has long been the standard for endpoint security. However, the array of endpoint security concerns has become so complex that automation tools are required to keep up. Endpoint detection and response (EDR) tools and/or endpoint protection platforms (EPP) can help in this area.
EDR and EPP solutions combine traditional endpoint security capabilities with continuous monitoring and automated response. Specifically, these tools address a number of security requirements, including patch management, endpoint encryption, VPNs, and insider threat prevention among others.
7. Encrypt data in motion and at rest
Encryption is a key part of any cloud security strategy. Not only should organizations encrypt any data in a public cloud storage service, but they should also ensure that data is encrypted during transit—when it may be most vulnerable to attacks.
Some cloud computing providers offer encryption and key management services. Some third-party cloud and traditional software companies offer encryption options as well. Experts recommend finding an encryption product that works seamlessly with existing work processes, eliminating the need for end users to take any extra actions to comply with company encryption policies.
Read more: Best Encryption Software & Tools for 2021
8. Use intrusion detection and prevention technology
Intrusion prevention and detection systems (IDPS) are among some of the most effective cloud security tools on the market. They monitor, analyze, and respond to network traffic across both on-premises and public cloud environments. When they encounter signature-based, protocol-based, or anomaly-based threats, IDPS solutions add them to a log, alert administrators to unusual activity, and block the threats so admins have enough time to take action.
These tools are important for round-the-clock monitoring and real-time alerts. Without IDPS, it’s nearly impossible to analyze network traffic for the telltale signs of a sophisticated attack.
9. Double-check your compliance requirements
Organizations that collect personally identifiable information (PII) like those in retail, healthcare, and financial services face strict regulations when it comes to customer privacy and data security. Some businesses in certain geographic locations—or businesses that store data in particular regions—may have special compliance requirements from local or state governments as well.
Before establishing a new cloud computing service, organizations should review their particular compliance requirements and make sure that their service provider will meet their data security needs.
10. Consider a CASB or cloud security solution
Dozens of companies offer solutions or services specifically designed to enhance cloud security. If an organization’s internal security staff doesn’t have cloud expertise or if the existing security solutions don’t support cloud environments, it may be time to bring in outside help.
Cloud access security brokers (CASBs) are tools purpose-built to enforce cloud security policies. They have become increasingly popular as more organizations have started using cloud services. Experts say that a CASB solution may make the most sense for organizations that use multiple cloud computing services from several different vendors. These solutions can also monitor for unauthorized apps and access too.
Read more: Best CASB Security Vendors for 2021
11. Conduct audits and penetration testing
Whether an organization chooses to partner with an outside security firm or keep security teams in-house, experts say all enterprises should run penetration testing to determine whether existing cloud security efforts are sufficient to protect data and applications.
Additionally, organizations should conduct regular security audits that include an analysis of all security vendors’ capabilities. This should confirm that they are meeting the agreed upon security terms. Access logs should also be audited to ensure only appropriate and authorized personnel are accessing sensitive data and applications in the cloud.
Read more: Best Penetration Testing Tools for 2021
12. Enable security logs
In addition to conducting audits, organizations should enable logging features for their cloud solutions. Logging helps system administrators keep track of which users are making changes to the environment—something that would be nearly impossible to do manually. If an attacker gains access and makes changes, the logs will illuminate all their activities so they can be remediated.
Misconfigurations are one of the most significant challenges of cloud security, and effective logging capabilities will help connect the changes that led to a particular vulnerability so they can be corrected and avoided in the future. Logging also helps identify individual users who may have more access than they actually need to do their jobs, so administrators can adjust those permissions to the bare minimum.
Cloud security requires the right tools
Experts emphasize that, in most cases, concerns about security should not prevent organizations from using public cloud services. Often, organizations actually have fewer security issues with cloud-based workloads than with those that run in traditional data centers.
If one thing is clear from our list of best practices, it’s that strong cloud security relies on having the right tools in place. By following cloud security best practices and implementing the appropriate security tools, businesses can minimize risks and take full advantage of the benefits cloud computing offers.
This article was originally published on May 24, 2017. It was updated by Kaiti Norton.