Many organizations are moving their applications and data to the cloud rather than incurring the costs of purchasing hardware and running/maintaining on-premises applications. Likewise, other organizations manage their data in on-premises systems but store their backups in the cloud. Regardless of which approach your organization chooses, you may still have many questions about cloud-based security. Is the cloud secure enough? Is my data safe? Is my data protected?
What is cloud security?
Cloud security is a set of policies, methods, and technologies that protects the infrastructure, data, and applications that are cloud-based, whether the cloud be private, public, or a hybrid. It is designed to keep data:
• Safe from theft, unauthorized deletion, and data leakage
• Protected from cyberattacks and unauthorized access
• Private and secure to support regulatory compliance requirements
Cloud security also authenticates role-based access and can be configured to meet the needs of any business.
Cloud data security vs. on-premises data security
Organizations can choose to back up and secure their data on-premises, in the cloud, or using a combination of both. For example, your organization can:
• Scenario 1: Run your IT operations on an on-premises system and back up your data to your on-site data center. This will require on-premises data security.
• Scenario 2: Run your operations on an on-premises system and back up your data to a private or public cloud. If the cloud is private, it will require cloud data security and a staff of in-house IT experts to manage the private cloud infrastructure.
• Scenario 3: Use cloud-based, SaaS applications and back up your data to a different public cloud or on-site system.
Whatever, backup strategy you choose, it is important that you follow the 3-2-1 backup rule: have three copies of your data (production and two backups), across two media, with one backup stored offsite, such as in the cloud.
Here is why:
• In Scenario 1, disasters, such as fire and floods, can wipe out your local systems and backups. Cyber criminals can also attack your endpoints and any devices connected to the company network, including on-site backups. Local backups can be a convenient recovery option, but they are vulnerable to local data loss events. Therefore, you want to be sure you have a second backup stored off-site, such as in the cloud.
• In Scenario 2, keeping a second backup that is stored off-site and isolated from your network ensures your data will survive any threat to your local endpoints, networks, or backups. Backing up to the cloud is more convenient, consistent, and secure than transporting drives of backup files off-site. A local backup is also necessary for redundancy and faster recovery in the event selected files/data needs to be recovered.
• In Scenario 3, it is important to remember the provider’s only responsibility is to make sure its infrastructure is available. So, while they will back up their infrastructure to comply with Service Level Agreements (SLAs), they do not back up your data. It is up to you to solve for the backup and recovery of your organization’s data.
The importance of cloud protection
Data security in cloud computing is just as important as data security for your on-premises systems. In early cloud computing days, many organizations refrained from moving their applications to the cloud because of the fear of data loss and data leakage.
Fortunately, cloud providers have demonstrated that their cloud security monitoring procedures keep data private and safe. In fact, they are even safer than the security of many on-premises systems – especially if your organization is a small-to-medium business. Cloud providers can hire the best security experts who can stay abreast with modern techniques that compromise data.
Your organization still has the responsibility to ensure that the security measures provided by the cloud providers are properly configured, however. A recent Gartner article talks to this issue by indicating that “The challenge exists not in the security of the cloud itself, but in the policies and technologies for security and control of the technology. In nearly all cases, it is the user, not the cloud provider, who fails to manage the controls used to protect an organization’s data.”
How does cloud security work?
There are a variety of technologies, policies, and processes that the cloud provider should use to ensure cloud data security. When considering what cloud providers to use, only consider those that base their security policy and procedures on universally accepted international security standards such as ISO 27001 and the National Institute of Standards and Technology (NIST) and consider the requirements of related local regulation frameworks such as Europe’s General Data Protection Regulation (GDPR) and HIPAA.
Here is a list of other technologies and procedures that your organization should follow and/or look for in a cloud provider:
1. File encryption. You should encrypt your data even before you send it to the cloud with government-approved AES-256 strong encryption. Your business sets up the encryption and only authorized users in your organization can access it. The cloud provider should not be able to see your data because the data is stored in encrypted cloud storage!
2. Secure communications. Metadata should be encrypted and all management communication between your systems and the provider’s cloud should run through secure channels with SSL encryption. This means that at any moment in time, all aspects of your data are secure.
3. Web application firewall. The provider should use a web application firewall (WAF), which includes instant protection against SQL injection, cross-site scripting, unauthorized resource access, remote file inclusion, and other OWASP (Open Web Application Security) threats.
4. Data center security. The physical data center must be highly secure using high fences, 24×7 security personnel, and video surveillance with 90-day archiving. Biometric hand-geometry scans and proximity key cards should be required for access.
5. Data center availability. The cloud provider’s infrastructure must meet high availability SLAs by maintaining a redundant infrastructure to minimize downtime and eliminate single points of failure. In addition, the electrical power systems located at the data centers must provide uninterrupted power supply to the entire infrastructure 24×7. Automatic uninterruptible power supplies protect against power surges in case of switching power lines and provides power support during the switchover to diesel generators. The data centers should also be powered by at least two independent power sources.
6. Regular backups. The cloud provider must run backups on a regularly agreed-upon timetable to make sure that your data is protected due to a major outage.
7. Professional best practices. The provider should also have implemented strict confidentiality, business ethics, and code of conduct policies for all employees – including background checks where appropriate, non-disclosure agreements, and principals of segregation of duties, need to know, and least privilege access – to protect against malicious or inadvertently dangerous acts by insiders. Strict access controls, multi-factor authentication, and ubiquitous activity logging ensure only appropriate access to sensitive systems.