6 Common Cloud Security Mistakes
Most businesses realise that failing to adopt the cloud in some form will result in them missing out on opportunities for growth, increased productivity and, in many ways, improved security. However, using the cloud is not without risk, and many organisations make cloud adoption mistakes that could lead to expensive data breaches.
Here are 6 cloud security mistakes that could cost you.
Not Undertaking Due Diligence – There is a lot for a company to consider when moving to cloud-based services. It is vitally important that the company design a due diligence process to verify the security controls of the cloud service provider. The due diligence process must match the level of compliance and risk required for the type of service. An ISO27001 certification or SAS70 can be a good starting point for the due diligence.
Storing Data On Unsecured Servers – Many companies assume their data is automatically protected. If your cloud provider is compliant with, for instance, PCI DSS, doesn’t that mean you are assured PCI compliance? Unfortunately, no. It is your responsibility to encrypt and secure your own data. To make your cloud data more secure: 1) protect data at rest using 256-bit encryption; 2) protect your encryption keys with a robust key management solution; and 3) monitor and authenticate the roles assigned to each user with respect to data access.
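Points 1 and 2 together are usually implemented as envelope encryption: every object is sealed under its own data key, and only that data key is handed to the key manager to wrap, so the key-encryption key never sits next to the data. The block below is an added example, not code from the article; it uses the third-party cryptography package, and KeyManager is a hypothetical in-process stand-in for a cloud KMS or HSM.

```python
# Added example, not code from the article: envelope encryption for data at rest.
# Needs the third-party "cryptography" package. KeyManager is a hypothetical
# stand-in for a cloud KMS/HSM: it never releases the key-encryption key (KEK).
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit GCM nonce, prepended to every sealed blob

def _seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, aad)

def _open(key: bytes, blob: bytes, aad: bytes) -> bytes:
    """Reverse _seal; raises InvalidTag if nonce, ciphertext or AAD was altered."""
    return AESGCM(key).decrypt(blob[:NONCE_LEN], blob[NONCE_LEN:], aad)

class KeyManager:
    """Holds the 256-bit KEK; callers only ever get wrap/unwrap of data keys."""
    def __init__(self) -> None:
        self._kek = AESGCM.generate_key(bit_length=256)

    def wrap(self, dek: bytes, aad: bytes) -> bytes:
        return _seal(self._kek, dek, aad)

    def unwrap(self, wrapped: bytes, aad: bytes) -> bytes:
        return _open(self._kek, wrapped, aad)

def encrypt_object(km: KeyManager, object_id: str, plaintext: bytes) -> dict:
    """Seal plaintext under a fresh per-object 256-bit data key (DEK), then wrap the DEK
    with the KEK. object_id is bound as AAD on both layers so an envelope cannot be moved."""
    dek = AESGCM.generate_key(bit_length=256)
    aad = object_id.encode()
    return {"object_id": object_id,
            "wrapped_dek": km.wrap(dek, aad),
            "ciphertext": _seal(dek, plaintext, aad)}

def decrypt_object(km: KeyManager, envelope: dict) -> bytes:
    """Unwrap the DEK through the key manager, then open the data."""
    aad = envelope["object_id"].encode()
    dek = km.unwrap(envelope["wrapped_dek"], aad)
    return _open(dek, envelope["ciphertext"], aad)

def is_authentic(km: KeyManager, envelope: dict) -> bool:
    """True if the envelope opens; False when any byte of it was tampered with."""
    try:
        decrypt_object(km, envelope)
        return True
    except InvalidTag:
        return False
```

Rotating the KEK then means re-wrapping the small data keys, not re-encrypting every object, which is why the key manager and the data store stay separate.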
Not Controlling Access to the Cloud – Organisations have failed to realise just how vulnerable their data can be. Any resources in the cloud absolutely must be protected by role-based access control. Once upon a time, this was an extreme security measure. In the cloud, it is a necessity. To protect your cloud resources from accidental or maliciously planned threats, keep at least two sets of credentials, or two-factor authentication, on all access points.
Lumping Everything Together – One of the main security benefits of the cloud is the ability to create separate, isolated infrastructures for each environment (Development, Testing and Production). Invest time in building templates and scripts to automate the creation of separate infrastructures so you can take advantage of network and account segregation.
Not Maintaining the Cloud – We see a lot of cloud infrastructures with no automated patching process, far more often than we encounter this finding in on-premises infrastructures. Implement a regular process of updating your master images and replacing running instances with new, fully patched instances.
Managing Security Using Your Old Tools – The speed with which your company managed traditional security tools (AV, IPS, SIEM, etc.) was the stuff of legend. You are so comfortable with these old-school tools that you decide to use the VM versions in your new cloud environment. Unfortunately, cloud concepts like auto scaling, immutable servers, and availability zones fundamentally break your old favourites. Time to learn a new set of security tools made specifically for cloud environments.