Cloud Security Best Practices
As businesses and government agencies continue to move their data to the cloud, IT Security Professionals have to balance the benefits that the new platform allows and the concerns that continue to persist around the security of the data that is stored there. The data secured in the cloud can be some of the most critical to your organization or business. The high availability of the information may be a reason for the move of the data to the cloud, but maintaining the integrity of the information should be the focus of the IT Security Professional when selecting a service provider.
Some key features that will help in determining your organization’s use of the cloud should be:
- Encryption use for data in transit and at rest on the physical hardware.
- Security of the data in a multi-tenant environment with multiple tenants using the same hardware and the isolation of potential vulnerabilities.
- Access control management, who can access the data.
- Data storage time limits, how long will data be kept in storage and retrievable.
- Hardware maintenance and keeping the underlying operating system and hardware up to date and working smoothly.
- Physical access controls of the location where the data is physically stored.
- Compliance and auditing practices within the cloud.
Security Professionals continue to be skeptical about the benefits of the cloud, when there is so much that needs to be addressed in order to realize the benefits that the solution offers in the end.
Encryption from End-to-endAll interaction should happen via a secure connection over an SSL transmission (TLS 1.2) to guarantee that the data is secure. This should be accomplished with a direct connection either to the service provider’s network or via a VPN connection. The connection to the systems should terminate on the inside of the service providers network and not at the firewall. This provides you with direct access to your hardware that you are paying for and enabling you direct management of your hardware.
Encryption at Rest
The service provider should provide encryption of the data at rest. This will allow you to comply with regulatory requirements that call for secure storage of data and the protection of sensitive information. Whether you may be dealing with HIPPA or PCI/DSS requirements, it’s always a good idea to encrypt the data, even in the cloud. The physical hardware where the sensitive data is stored should also be encrypted using AES-256 with the master keys rotated on a regular basis in order to ensure the protection of the information in accordance with current cryptographic best practices.
Vulnerability Management MonitoringThe service provider should also be conducting vulnerability assessments. These should be on an on-going basis with a top of the line service provider. There should also be an automated process for finding vulnerabilities and addressing potential threats while conducting the assessments. The vulnerability scanning should address identifying critical threats as quickly as possible with a remediation process in place after the vulnerability has been identified.Vulnerability scans should also be able to be scheduled or automatically kicked off at specified dates or times. The service provider should also provide an on-demand feature that allows for manual starts to the scanning process. This will allow you to scan your systems on your time, and not that of the cloud service provider. On-demand scans are helpful when looking at the remediation efforts after the vulnerabilities were found during an assessment and measuring their effectiveness.
The service provider should provide the ability to limiting the access to your data in the cloud using role based access controls (RBAC) would allow you to target what information will be available to each individual in your organization who will access it. This also allows for an audit trail for when you start looking at a certification that requires it. The use of RBAC will allow you to specify what resources are available and have complete control over the process.
The data that is stored in the cloud should only be so for a specified time. After the specific date that is agreed upon (in the service contract) the service provider deletes the data as specified. The deletion process should be rigorously enforced with the service provider. Specific requirements should be clearly defined and expectations documented within the service agreement contract.While there are current regulations that require access to data over a set period of time (3 , 6, 9 months to 3, 5, and 7 years not being uncommon for some industries), active management of the information will allow you to take advantage of the ability to move the data around within the cloud infrastructure. Some service providers offer a cold storage capability that allows the data to be stored for a longer period of time at a reduced price.
Maintaining the Cloud
Maintenance of the cloud infrastructure should be invisible as much as possible to you and your team. The maintenance of the hardware should not affect your organization and the specific uptime or downtime requirements should be spelled out in the service contract. In order to protect your information, there will need to be some maintenance that will need to happen, but restricting how that impact your organization will be an important factor to work out.
Physical Security Controls
One of the key features for storing your data in the cloud may be the extra security measures that can be implemented by the service provider. With the skyrocketing costs of security these days, a little more protection could go a long way in protecting your data. A cloud service provider should have video monitoring of the server farm (as well as external security monitoring) and strict controls and processes for accessing it. The controls should also include how the data center is physically constructed and how security has been worked in from the floor to the roof.
Compliance and Auditing
Compliance and auditing should be something that is looked at as a differentiator in this field. Look for broad certifications such as ISO 27001 or SOC 2 compliance. These certifications mean that the service provider has been able to show that they are in compliance with the standards requirement controls. If you are in a highly regulated industry, make sure that the certifications that the service provider have (PCI/DSS, HIPPA), are compliment with what you are doing as well, and that the certifications are for the specific location where you have your data stored. (Some service providers will split where the certifications are good for since some controls are more stringent than others are). Identifying these issues ahead of time will save you a lot of heartache in the end.
While there are many benefits to utilizing the cloud infrastructure, there are also some issues that will need to be addressed prior to choosing your service provider. The great benefits of the flexibility of the service and the ability to access information and services from any location are a huge selling point. Nevertheless, if you understand that certain things need to be in place in order to make the transition from an on-premises infrastructure model to a cloud-based model. This will provide you with the enhanced capabilities that you need for your business and the flexibility to grow and add additional resources as your organization continues to grow.
Originally published at itsecuritypro.weebly.com.