Cloud computing has changed how many businesses operate. Almost all major companies and more and more SMBs are actively using cloud solutions rather than relying on expensive and rigid on-site infrastructure. In fact, 90% of surveyed organizations are using at least one cloud service, which highlights how cloud technology has become mainstream.
With cloud solutions being so prevalent, it’s important to remember that they can be prone to cybersecurity threats from hackers and cybercriminals. Because so many businesses now depend on cloud services to store and manage sensitive data, including their users’ data, these services have become very attractive targets to hackers.
All businesses using cloud solutions must therefore understand the best security practices to ensure that their data is sufficiently protected in their various cloud environments. In this guide, we will learn how. Let us begin with a brief overview of the concept of cloud security.
What is cloud security?
Cloud computing security, or simply cloud security, is a set of policies, protocols, control procedures, and software and technologies that are designed to protect cloud-based data, infrastructure, and systems.
Cloud security is specifically intended to protect cloud data and user information and, in doing so, to maintain regulatory compliance. This includes setting authentication rules for every device connected to the cloud service and for every user who is going to use it. Cloud security can be custom-tailored to the exact needs of the business, for example by filtering traffic (to block or mitigate bot traffic) and authenticating access, among other functions.
There are various methods we can use to implement cloud security, depending on the cloud service and security solutions available. However, the implementation should be a cooperative process between the solution provider and the business owner.
Principles of Cloud Security
As discussed, security threats are constantly evolving. Malicious programs and automated bots have also evolved to be much more sophisticated than ever, and now they are very effective in targeting cloud-based services and solutions. We therefore have to establish clear basic principles to help define our strategic approach to cloud security rather than detailing the specifics for each tactic.
- The security approach should depend on the platform.
We simply can no longer rely on a one-size-fits-all solution for all our cloud security needs. Different cloud services might require different security or bot detection software solutions, not to mention open-source libraries and other cloud-based tools involved in the system.
It’s important to define and implement security controls at the lowest practical level, as close to the data storage location as possible. The challenge here is not only implementing security and maintaining data privacy, but also keeping controls and policies consistent. For example, when we apply different security policies to different components of the cloud system, we have to make sure that every one of those components receives the same level of attention.
- Assume you are a target.
Nowadays data breaches aren’t an issue exclusive to big companies and enterprises. Many cybercriminals are actively targeting smaller businesses and even individuals. A good principle is to assume that you are indeed a target, so that you maintain security best practices at all times.
In practice, we should always regularly test our systems and all cloud services for potential vulnerabilities and continuously monitor/analyze our system for unusual activities that often indicate a threat.
- Security is mostly about isolating your network.
Creating security boundaries to isolate your network, mainly by implementing firewalls, is still very important. However, the best practice nowadays is to also establish firewalls inside your system. This way, if the perimeter is breached and your cloud security is compromised, the separate security zones still prevent a single attack from compromising your whole network.
- Sensitive data require sophisticated access controls.
It’s very important to locate the systems that store sensitive data and identify which data is risky (e.g. personally identifiable information). We have to identify and label this sensitive data while ensuring access is carefully controlled: allowing the right users to see the right data while preventing all others from accessing it.
For example, the marketing team should only be allowed to view the customer data that is relevant to the current campaign, not every customer’s data. We might also want to keep customers’ financial information out of employees’ reach altogether.
- Security and business continuity should go hand in hand.
On the one hand, cloud security implementations must not interfere with business continuity. On the other hand, in the event of an attack we also have to ensure the availability of the whole business workflow. We need a protocol by which service can be restored as quickly as possible: the whole application must be back up and running ASAP, not just the bare minimum needed to get the system working again.
Cloud Security Best Practices, Step By Step
In implementing cloud security best practices, we can divide the crucial steps into three phases:
- Identifying your cloud usage state and the associated risks.
- Protecting your cloud system.
- Responding to attack vectors and security issues.
Phase 1: Identifying cloud usage state and risks.
In this first phase, we should focus on understanding the current state of your system and integrated cloud solutions while assessing risks associated with all the different elements. We can do this by executing the following cloud security checklist:
Step 1: Identify sensitive data.
Data is the lifeblood of modern businesses, and regulated data, when stolen, may result in legal penalties or even a loss of intellectual property. You have to correctly identify and label your sensitive and regulated data for this purpose.
You can use various data classification tools if necessary in this step.
Step 2: Identify how sensitive data is being accessed.
Now that we’ve properly identified and labeled the sensitive data in our system, we have to monitor and analyze who accesses this data and how it’s being shared. Check for the access controls/permissions on files and folders in your cloud environment, and also monitor other relevant factors like user roles, location, device type, and so on.
Step 3: Discover unknown cloud usage.
In an office environment, it’s common for employees to sign up for seemingly harmless cloud services like cloud storage (e.g. Dropbox, Google Drive), online conversion tools (e.g. PDF converters, YouTube downloaders), and so on.
In such cases, the IT team might not be notified, resulting in unknown cloud services being used in your environment (and they carry potential risks). Discover these unknown services by monitoring your system usage.
Step 4: Check configurations for cloud services.
Your cloud services might contain various important settings that may cause exploitable vulnerabilities when not configured correctly. This is especially important if you are using cloud IaaS (Infrastructure as a Service) solutions like Microsoft Azure or Amazon Web Services (AWS).
Check the configurations for encryption, network controls, and access/authentication management.
Step 5: Identify malicious usage.
Monitor your system for signs of malicious usage of cloud data. Such usage might be the result of attacks launched by cybercriminals, but quite often the culprit is an ignorant or lazy employee making an honest mistake.
Monitor for anomalies and figure out key protocols to mitigate data losses (both internal and external) in various scenarios.
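As an added illustration of Step 4 in this phase (not code from the original article), here is a small configuration audit in Go over a constructed, provider-neutral inventory of buckets and firewall rules; the Resource fields, the inventory contents and the "admin port open to /0" rule are assumptions of this example, not any provider’s API.

```go
package main

import "strings"

// Resource is a constructed, provider-neutral bucket or firewall rule (field names are assumptions).
type Resource struct {
	Name             string
	Kind             string   // "bucket" or "firewall-rule"
	EncryptionAtRest bool     // bucket: encryption at rest enabled
	PublicRead       bool     // bucket: anonymous read access allowed
	IngressCIDRs     []string // firewall-rule: allowed source ranges
	Port             int      // firewall-rule: destination port
}

// Audit checks every resource against the three areas the checklist names
// (encryption, network controls, access management) and returns one
// "resource: issue" line per misconfiguration found.
func Audit(resources []Resource) []string {
	var findings []string
	for _, r := range resources {
		switch r.Kind {
		case "bucket":
			if !r.EncryptionAtRest {
				findings = append(findings, r.Name+": encryption at rest disabled")
			}
			if r.PublicRead {
				findings = append(findings, r.Name+": anonymous public read allowed")
			}
		case "firewall-rule":
			for _, c := range r.IngressCIDRs {
				// A /0 source range means the whole internet; flag it on admin ports.
				if strings.HasSuffix(c, "/0") && (r.Port == 22 || r.Port == 3389) {
					findings = append(findings, r.Name+": admin port open to "+c)
				}
			}
		}
	}
	return findings
}

// SampleInventory is constructed test data: a misconfigured and a clean
// bucket, plus one risky and one acceptable firewall rule.
func SampleInventory() []Resource {
	return []Resource{
		{Name: "customer-exports", Kind: "bucket", EncryptionAtRest: false, PublicRead: true},
		{Name: "app-logs", Kind: "bucket", EncryptionAtRest: true},
		{Name: "ssh-from-anywhere", Kind: "firewall-rule", IngressCIDRs: []string{"0.0.0.0/0"}, Port: 22},
		{Name: "https-public", Kind: "firewall-rule", IngressCIDRs: []string{"0.0.0.0/0"}, Port: 443},
	}
}
```

Running Audit over SampleInventory reports three findings (two for the export bucket, one for the SSH rule) and nothing for the clean bucket or the public HTTPS rule.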
Phase 2: Protecting your cloud environment.
By this second phase, we understand the risk profile of our cloud environment, so we can start implementing protection for our cloud services according to their respective levels of risk.
In this phase, we can use various technologies to achieve cloud security best practices in the following steps:
Step 1: Assign protection policies.
Now that you’ve identified your sensitive and/or regulated data, you should assign control and protection policies that determine which data can be stored in the cloud and which data deserves additional protection.
You should also educate users about these policies, including the consequences when they break your policies and how to prevent common mistakes.
Step 2: Encrypt sensitive data.
It’s best to use your own encryption keys when encrypting sensitive and/or regulated data. There are cloud services that offer their own encryption features but in such cases, the cloud service provider will still have access to these encryption keys. Even if you can trust your cloud service provider, in the event that their systems are compromised in an attack, your encrypted data might also be compromised.
So, encrypt your data with your own keys whenever possible so you have full control over who can access this data and be 100% sure of its security.
Step 3: Set policies for data sharing.
You should enforce your access control and sharing control policies as soon as any data enters the cloud. If you are using multiple cloud services, you’d have to implement control policies for each service.
You should especially control which users can share or edit the data, and which should be limited to viewing it. Limit how users can share information externally via shared links.
Step 4: Stop data sharing to unknown devices.
One of the key benefits of using cloud services is the ability to access the service from any device, anywhere, as long as there is an internet connection. However, this also allows unknown, unmanaged devices (e.g. a personal smartphone) to access the service, which is a security weakness that can be exploited. You can block access from these unknown devices by requiring security verification before a device can access the service or download data from it.
Step 5: Implement anti-bot mitigation protection.
Activities from malicious bots remain the top cause of cybersecurity breaches in cloud services, so it’s very important to implement a bot detection and mitigation solution to defend against these bad bots.
Bot protection services can be a cost-effective and reliable way to protect your cloud environment. By utilizing AI and machine-learning technologies, DataDome can monitor and analyze traffic activities in real-time, and when it detects activities with malicious intent, it will mitigate the activity on autopilot.
Step 6: Implement advanced malware protection.
Similar to bot activities, malware is also a common reason for data breaches in cloud environments. Using a proper anti-malware solution on your OS and virtual network can help protect your cloud infrastructure.
It’s best to combine both the static (“allow-listing”) and the active (machine-learning behavioral detection) approaches to protect your data storage while also preventing memory exploits.
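To make Step 2 of this phase concrete, here is an added example (not code from the original article or from DataDome) of client-side encryption in Go with the Go standard library’s AES-GCM: the key is generated and held by the customer, and the provider only ever receives the sealed object, so a compromise of the provider does not expose the key. The StoredObject layout and the choice to bind the object name as associated data are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// StoredObject is all the provider ever holds: the object name, a nonce and
// the ciphertext with its GCM tag. The key stays with the customer.
type StoredObject struct {
	Name       string
	Nonce      []byte
	Ciphertext []byte
}

// gcmFor builds AES-GCM from a customer-held key (32 bytes for AES-256).
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext on the client before upload. The object name is
// bound as associated data, so a blob moved under another name won't decrypt.
func Seal(key []byte, name string, plaintext []byte) (StoredObject, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return StoredObject{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per object
	if _, err := rand.Read(nonce); err != nil {
		return StoredObject{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(name))
	return StoredObject{Name: name, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts a fetched object. A wrong key, a flipped bit or a renamed
// object fails the GCM tag check and returns an error, never silent garbage.
func Open(key []byte, obj StoredObject) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, obj.Nonce, obj.Ciphertext, []byte(obj.Name))
}
```

The key passed to Seal and Open would in practice come from a customer-controlled store (an on-premises HSM or a key management service whose keys the provider cannot read), which is what gives you the control over access that the step describes.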
Phase 3: Responding to attacks and issues.
In phases one and two, we have established the necessary protection measures so that our cloud infrastructure can run smoothly while being protected from cybersecurity threats.
However, even the best protection won’t 100% protect the system from malicious attempts, and this is why we must follow these best practices in responding to attack attempts and successful attacks:
Step 1: Add authentication control for high-risk access scenarios.
Identify access scenarios that are classified as high risk, for example a user accessing sensitive or regulated data from a brand new, unmanaged device. In such cases, you can require extra verification steps and/or implement multi-factor authentication to ensure it’s not an attacker posing as a legitimate user.
Step 2: Add new policies for new cloud services.
When new cloud services are integrated into your existing infrastructure, you can update access policies automatically. For example, based on the risk profile of the new cloud service, you can block access or present a warning that security protocols for this service haven’t been properly implemented yet. You can do this with an allow-list approach using your firewall or secure web gateway together with a cloud risk database.
As we’ve mentioned, there is no one-size-fits-all cloud security approach that will 100% protect your cloud environment. Different organizations might need different best practices depending on many factors, from the cloud services used to the amount and type of sensitive data they handle.
To properly implement cloud security best practices, we have to implement them in three distinct phases: identifying sensitive data and risk profile, setting up protection for your infrastructure, and implementing response plans in the event of an attack.