In light of the latest breach involving Capital One, which involved data in the cloud, there is a lot of debate around Cloud Security. This debate is nothing new and it generally revolves around the question, “Is Cloud secure enough for my data?” I think this is the wrong question to be asking. With a few exceptions, IT Security best practices are generally no different for Cloud than they are for On-Prem. A big part of IT Security is understanding what you are getting into and the risk involved. Below are my general thoughts around keeping data secure in the Cloud. In this case, when I refer to Cloud, I’m referring to Amazon Web Services, but the thought is the same across all Cloud environments.
Keeping Data Safe in the Cloud
1. Know What You’re Getting Into!
2. Don’t Let Developers Outpace Your Security Team
Allow for time to correctly architect security the first time. Communicate and collaborate with your legal and security teams upfront. Give them the time they need to architect a secure solution. The primary benefits to Cloud are the speed at which you can deploy and automate solutions and the ability to scale up and down quickly.
However, I see too many companies pushing to get to the cloud too fast. They are deploying apps first then thinking about tightening up security second, which could ultimately lead to becoming the next bad headline.
3. Encryption of Data
Be sure to encrypt data in transit and at rest. Cloud providers give you tools to do this. You should also have a good encryption key management process.
4. Use the Right Security Tools
I see a lot of companies wanting to utilize the cloud-provided native security tools. Yes, they are native and yes, they are probably cheaper or even free, but they are usually not as advanced.
Also, utilizing different tools in each environment leads towards inconsistency and demands that your security admins maintain knowledge in multiple products. Try to use the same security tools in each cloud environment that you utilize on-prem.
5. Zero Trust Model
Use a Zero-Trust model, which means everything is denied until access is deemed necessary. This should be applied to both user permissions and firewall security policies. This is the “Never trust, always verify” approach, which works towards everyone having the least amount of privilege they need to do their jobs effectively.
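One way to check the deny-by-default rule above against AWS configuration, as an added example that is not part of the original post. The function names and sample data are constructed for illustration; the dictionaries follow the shape of an IAM policy document and of EC2 security-group ingress rules, and the checks cover only full wildcards and open address ranges.

```python
import ipaddress

# Constructed sample data (not from the original post): an IAM policy document
# and security-group ingress rules in the shape the AWS APIs return them.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-reports/*"},
    {"Effect": "Allow", "Action": ["s3:*", "iam:PassRole"], "Resource": "*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*"},
]}
SAMPLE_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]

def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])

def audit_policy(policy):
    """Flag Allow statements broader than least privilege."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((i, "allows everything except the listed items"))
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((i, f"wildcard action {action}"))
        if "*" in _as_list(stmt.get("Resource")):
            findings.append((i, "applies to every resource"))
    return findings

def audit_ingress(rules):
    """Flag ingress rules open to any address or to all protocols."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.get("IpProtocol") == "-1":
            findings.append((i, "all protocols and ports"))
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if ipaddress.ip_network(cidr).prefixlen == 0:
                findings.append((i, f"open to {cidr}"))
    return findings
```

Each finding is a pair of the statement or rule index and the reason it is broader than necessary, so the output can be fed into a review queue or a deployment gate.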
6. Visibility and Log Analysis
If you are an IT Security professional or have spoken to your IT Security staff, you hopefully realize what they are up against. HUGE amounts of data generated by the various security tools! In today’s security landscape it is very difficult and nearly impossible to sift through all of this security data without the use of intelligent, automated tools. Luckily many of today’s tools are utilizing Artificial Intelligence to make this task more accurate, quicker and easier.
Let’s face it, companies that don’t have adequate tools for visibility and analysis of their security data likely have no idea what is going on within their network. If you cannot keep up with this data and make good use of it, you could have breaches within your network that go on for months or even years. Here are a few recent high-profile breaches where this has happened.
CSO Online reported the following in their December 2018 article:
- Marriott International was first breached in 2014 and attackers were not discovered until September of 2018
- eBay was breached and hackers had inside access for 229 days
- Equifax breach was discovered on July 29, but the company thinks it started mid-May
7. Secure the API
This is a major shift between on-prem and cloud security. Most of the deployment, automation, and analytics of cloud is API based. You cannot overlook securing the API. There are tools available to secure the API and continually check that your cloud environment is configured securely.
When choosing the best way of protecting your information keep in mind how valuable that information is to your business and to what extent it is reasonable for you to protect it. Unfortunately, many organizations’ data is spread across multiple cloud storage environments and SaaS applications with varying levels of visibility and control, leaving the level of risk and exposure unknown.
Therefore, the first thing you should do is define the level of privacy you need and thus the level of protection. I highly recommend tools like Palo Alto Networks Prisma™, which enables discovery, classification, monitoring and protection of data with automated remediations before leaks can occur.
Review this datasheet and contact Hogan Consulting Group today so we can help protect your data from ending up in the wrong hands.