There are far more than three steps to securing cloud services, of course, but let’s start with three main ones. In no particular order, they are passwords (or user authentication), encryption (stored data and connections to the cloud service), and updates (secure system management).
- Users are the hardest of the three to secure, and require constant vigilance to keep in line. Sorry, but your coworkers (and your bosses) only think about security when they actively hate security, such as when you tell them about security protocols. Passwords are either numbingly simple (‘password’ is the most popular password in stupid password lists most years) or forgotten (password calls are either the first or second most common call to help desks). Two-factor authentication (something the user knows, and something the user has on them, like a token or fingerprint) is more secure, but expensive and aggravating to users. Basic passwords typed into a login screen are the best most company security officers can get approved, so don’t feel bad if you’re in that boat. But use what tricks you can, such as MAC IDs for smartphones, laptops, or desktops, or geolocation services, to help screen out the password hackers.
- Encryption happens in two places: at the front of your cloud data, and at the back end. For the front side, force users (you know, the ones whining constantly about security) to use HTTPS (Secure HTTP) for connections. Force admins to use encrypted connections as well. Force every other process and API that touches your cloud application to use encryption over the Internet or even the local network. Encrypt more, apologize less, and sleep better at night. The second part of encryption, at the back end, is for data stored outside your data center (and the data inside should be encrypted as well). Use an Infrastructure as a Service (IaaS) provider. Encrypt the data, encrypt transmissions, and encrypt the backups before they leave the IaaS provider. You manage the keys, you choose the encryption, and you control all security details.
- Finally, secure systems management means updating systems with the latest security patches sooner rather than later. Yes, there are zero-day exploits, where no patches exist to block an attack vector, but those are rare. There are thousands of known attack vectors that still yield results for hackers because unpatched systems abound, making them easy targets. Don’t be an easy target. If you are physically controlling the servers for your cloud, demand rigorous patch management. If another service hosts your servers, demand the same rigor in patch management.

The most secure cloud application is the one with no users. Unfortunately, that’s also the most useless application. Since you have to have users, work extra hard on the other two steps, and keep reminding your users about security. You never know, one memo may make a dent, and users will start following security profiles and take down the password sticky notes. Just hope they don’t put them under their keyboards.
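The device and geolocation screening suggested in the password step above, sketched as an added example (not code from the original article). The user names, device IDs, country codes and the `Login`, `screen` and `review` names are all constructed for illustration, and it assumes the login service already receives a device ID and a geolocated country for each attempt.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Login:
    user: str
    device_id: str     # assumed: MAC address reported for the device
    country: str       # assumed: country code from a geolocation lookup
    password_ok: bool

# Constructed enrollment data: devices and countries each user normally uses.
KNOWN_DEVICES = {
    "alice": {"00:11:22:33:44:55", "66:77:88:99:aa:bb"},
    "bob": {"de:ad:be:ef:00:01"},
}
USUAL_COUNTRIES = {"alice": {"US"}, "bob": {"US", "CA"}}

def normalize_mac(device_id: str) -> str:
    """Compare MACs case-insensitively, accepting ':' or '-' separators."""
    return device_id.strip().lower().replace("-", ":")

def screen(login: Login) -> str:
    """Return 'deny', 'allow' or 'challenge' for one login attempt."""
    if not login.password_ok:
        return "deny"
    devices = KNOWN_DEVICES.get(login.user, set())
    countries = USUAL_COUNTRIES.get(login.user, set())
    known_device = normalize_mac(login.device_id) in devices
    usual_place = login.country.upper() in countries
    if known_device and usual_place:
        return "allow"
    # A correct password from an unfamiliar device or place is what a guessed
    # or stolen password looks like, so ask for more proof and log the event.
    # Device IDs and geolocation can be spoofed: they are extra signals on
    # top of the password, never a replacement for it.
    return "challenge"

def review(logins):
    """Return (login, decision) pairs that were not plainly allowed."""
    return [(lg, d) for lg in logins if (d := screen(lg)) != "allow"]

SAMPLE_LOGINS = [  # constructed events
    Login("alice", "00-11-22-33-44-55", "us", True),   # usual device and place
    Login("alice", "0a:0b:0c:0d:0e:0f", "US", True),   # unknown device
    Login("bob", "DE:AD:BE:EF:00:01", "BR", True),     # unusual country
    Login("bob", "de:ad:be:ef:00:01", "CA", False),    # wrong password
]

if __name__ == "__main__":
    for login, decision in review(SAMPLE_LOGINS):
        print(decision, login.user, login.device_id, login.country)
```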