What are the best practices when it comes to cloud security?
Always do your due diligence.
When you consider or use a cloud service, you should understand how your service provider’s applications and networks work. You must have a clear understanding of how they will be able to provide resilience, security, and functionality. After all, they may be doing all the work, but it is your applications, business, and reputation at stake if something does go wrong.
Due diligence should be done at all stages of cloud security deployment: from the time you are still planning your cloud deployments, to developing and deploying your applications to the cloud, to operating your apps, and finally to ending your relationship with your chosen cloud provider.
Here are the stages:
1. Planning. Successful deployments to the cloud start with choosing the right application or system to move there. This is easier said than done, especially if it is your first time dealing with cloud service providers.
Check out what others have done and be sure to create a cloud security migration framework. This should help you identify and choose a service provider, and manage whatever tasks you need to do.
You should also educate your employees as to the basics of your chosen service providers’ service, architecture, tools, and other stuff associated with the deployment. Everyone involved should understand what their responsibilities are as well as the responsibilities of the service provider and how all these are going to affect the planned cloud deployment.
2. Developing and deploying. You should have a development and deployment team (experts in cloud security) who are expected to know how to use the service provider’s services in implementing applications. Your service provider should have a list of best practices, and this team would benefit most from it, designing the applications using these best practices. If you are only migrating existing applications, then this team should be well versed in the service provider’s architecture and implementation guidelines.
This step should also include cloud security policies. You should review your security rules to see if the plans you have in place to secure your systems would work on the cloud. Then check if your service provider has tools and services that would secure your cloud deployments better.
Also, check for new security risks that you might encounter when you move to the cloud and try to find new cloud security protocols to help minimize risks.
3. Operating. Once you have deployed to the cloud, you must ensure that your systems and applications are secure. This may be a little different from securing your physical disks, servers, and network.
4. Decommissioning. There are times when you would need to leave your cloud service provider or take your application off the cloud. You should have a plan in place to do this quickly and without hitches.
5. You might also want to use multiple cloud service providers.
Access management for your cloud deployments should have three functions:
- Be able to identify and then authenticate your users. You should consider multi-factor authentication to help lessen the likelihood of data breaches even when passwords get stolen.
- Be able to assign access rights to users. Your access management should use roles, which allow different access levels to different users. Roles also ensure that no single person can do too much damage to your system.
- Be able to create resource access rules. You should be able to protect different types of resources or services, such as content delivery, virtual disks, and blob storage, among many others.
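The three functions above can be checked together. The following is an added example, not code from the original article or from any cloud provider: the users, roles, resource rules and the `MAX_DESTRUCTIVE_RESOURCES` policy are constructed assumptions. It shows a deny-by-default access decision and an audit that reports gaps in each function.

```python
# Constructed inventory; all names and fields are assumptions, not a provider's API.
USERS = {
    "alice": {"mfa_enrolled": True,  "roles": {"storage-reader"}},
    "bob":   {"mfa_enrolled": False, "roles": {"storage-admin"}},
    "carol": {"mfa_enrolled": True,  "roles": {"storage-admin", "disk-admin", "cdn-admin"}},
}
ROLES = {  # role -> set of (resource type, action) pairs it grants
    "storage-reader": {("blob-storage", "read")},
    "storage-admin":  {("blob-storage", "read"), ("blob-storage", "write"),
                       ("blob-storage", "delete")},
    "disk-admin":     {("virtual-disk", "read"), ("virtual-disk", "delete")},
    "cdn-admin":      {("content-delivery", "write")},
}
# Resource rules: per-resource allow-list of roles; a resource without a rule stays closed.
RESOURCE_RULES = {
    "blob-storage": {"storage-reader", "storage-admin"},
    "virtual-disk": {"disk-admin"},
}
MAX_DESTRUCTIVE_RESOURCES = 1  # assumed policy: one person may delete in one resource type


def is_allowed(user, resource, action, mfa_passed):
    """Deny by default; all three functions must agree before access is granted."""
    account = USERS.get(user)
    if account is None or not (account["mfa_enrolled"] and mfa_passed):
        return False  # 1. identify and authenticate (with MFA)
    granting = {r for r in account["roles"] if (resource, action) in ROLES.get(r, set())}
    if not granting:
        return False  # 2. no assigned role carries this right
    return bool(granting & RESOURCE_RULES.get(resource, set()))  # 3. resource access rule


def audit():
    """Return sorted findings for gaps in any of the three functions."""
    findings = []
    for name, account in USERS.items():
        if not account["mfa_enrolled"]:
            findings.append(f"{name}: no MFA enrolled")
        deletable = {res for r in account["roles"] for res, act in ROLES[r] if act == "delete"}
        if len(deletable) > MAX_DESTRUCTIVE_RESOURCES:
            findings.append(f"{name}: can delete in {len(deletable)} resource types")
    granted = {res for perms in ROLES.values() for res, _ in perms}
    for res in sorted(granted - set(RESOURCE_RULES)):
        findings.append(f"{res}: roles grant access but no resource rule exists")
    return sorted(findings)
```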
On top of access management, you should be able to protect your data. By data protection, we mean:
- Safeguarding your information against unauthorized access.
- Ensuring that critical data is always accessible, even during times of failures and errors.
- Preventing unintended disclosure of previously deleted data.
There are several ways to do all these, including:
- Encrypting data at rest, which involves encrypting the storage services you use and managing encryption keys.
- Creating backup and recovery processes for your data.
- Having policies in place to ensure that all copies of data are deleted if you want them deleted. This includes making sure that data placed in physical media such as solid-state disks and magnetic disks are also destroyed.
Monitor and defend your cloud deployments
It should be clear that the cloud service provider is only responsible for monitoring the infrastructure and services that they have. You would still be responsible for monitoring the applications and systems that you create on their platform.
The good news is that you can use the monitoring data from your cloud service providers and augment it with your own monitoring tools.
Be sure, however, to remember that on-premises and cloud monitoring may differ. This means that you will need to adjust how you use your service provider’s monitoring data and fine-tune your own monitoring approaches.
Once you have all the monitoring data you need, you would need to analyze both the cloud and on-premises data. This is especially true if you have a hybrid cloud where you keep some of your resources on premises while also tapping into the cloud. In this instance, you would need to combine the data from your on-premises monitoring with the data coming from your service provider.
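Combining the two data sets means normalising them first. The following is an added example, not code from the original article: both log formats, the sample events, and the window and threshold values are constructed assumptions. It converts on-premises and cloud events to one UTC timeline and flags a pattern that neither source shows on its own.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed samples; both formats are assumptions, not a real product's log schema.
ONPREM_LINES = [
    "2024-05-01T09:00:05+02:00 vpn01 auth FAIL user=dana src=203.0.113.7",
    "2024-05-01T09:00:09+02:00 vpn01 auth FAIL user=dana src=203.0.113.7",
    "2024-05-01T09:00:14+02:00 vpn01 auth FAIL user=dana src=203.0.113.7",
    "2024-05-01T09:10:00+02:00 vpn01 auth OK user=erin src=198.51.100.4",
]
CLOUD_EVENTS = [
    '{"time": "2024-05-01T07:01:30Z", "event": "login", "principal": "dana",'
    ' "sourceIp": "203.0.113.7", "result": "Success"}',
    '{"time": "2024-05-01T07:30:00Z", "event": "login", "principal": "erin",'
    ' "sourceIp": "198.51.100.4", "result": "Success"}',
]


def parse_onprem(line):
    """Local-time text line -> common record with a UTC timestamp."""
    ts, _host, _facility, outcome, user, src = line.split()
    return {"time": datetime.fromisoformat(ts).astimezone(timezone.utc), "source": "onprem",
            "user": user.split("=", 1)[1], "ip": src.split("=", 1)[1], "ok": outcome == "OK"}


def parse_cloud(raw):
    """Provider JSON event -> the same common record."""
    e = json.loads(raw)
    ts = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
    return {"time": ts, "source": "cloud", "user": e["principal"],
            "ip": e["sourceIp"], "ok": e["result"] == "Success"}


def merged_timeline():
    events = [parse_onprem(l) for l in ONPREM_LINES] + [parse_cloud(r) for r in CLOUD_EVENTS]
    return sorted(events, key=lambda e: e["time"])


def cross_environment_alerts(window=timedelta(minutes=5), threshold=3):
    """Flag a cloud login that succeeds soon after repeated on-prem failures from the same IP."""
    timeline, alerts = merged_timeline(), []
    for ev in timeline:
        if ev["source"] != "cloud" or not ev["ok"]:
            continue
        failures = [p for p in timeline if p["source"] == "onprem" and not p["ok"]
                    and p["ip"] == ev["ip"] and timedelta(0) <= ev["time"] - p["time"] <= window]
        if len(failures) >= threshold:
            alerts.append((ev["user"], ev["ip"], len(failures)))
    return alerts
```

Without the UTC conversion, the on-premises lines stamped 09:00 local time would sort after the cloud login at 07:01Z and the correlation would be missed.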
Lastly, be sure to coordinate with the service provider to make sure that you can get alerted when there are issues that they detect, and vice versa. Remember also that responding to cyber attacks and other security-related events is a shared responsibility. Be sure that you know how much information your service provider would be able to share with you, how the information will be shared with you, and how much assistance they can extend.
* * *
The best practices in cloud security all have one thing in common: the need for you to understand the services that you are getting from your chosen cloud service provider and be able to use the security tools provided by the provider correctly. If you are a small business, you might want to rely on bigger, established cloud providers that will make moving to the cloud easier.