This post was originally published by Martin Jones at Cox Blue
The importance of protecting and securing your data in the cloud
As your organization takes steps towards cloud-based functionality, how data is stored, secured, and accessed becomes a top priority. Protecting and securing your data (which can include sensitive information about your company’s finances, trade secrets, methodologies, and more) is essential.
Just as important is protecting customer or client data, particularly if your business operates in an industry that commonly handles personally-identifying information. If your company is a retail operation or exists in the realm of healthcare, BFSI, or other public-facing fields, you may routinely handle credit card numbers, social security numbers, or passwords that could permit hackers to access client-side accounts.
2019 has already been a red-letter year for hackers, with security breaches hitting all sectors, from social media to insurance companies to gaming sites. The most publicized exposure is arguably Capital One, with more than 100 million customers’ data compromised.
What steps can you take in protecting and securing your data and that of those who trust you? Here are 19 steps and best practices.
1. Choose your cloud provider with care
Any external cloud provider on your shortlist should be recommended by peers, approved by trusted veteran companies, and knowledgeable within your industry. Look for a tailored approach rather than one-size-fits-all, and consider how your needs and volume may change over time. Vet start-ups carefully. Not all start-ups can continue to deliver the desired results as you scale your company.
2. Be cognizant of your company data in the cloud
Review and document all confidential information you store. Additionally, determine who will ultimately be responsible for the data and what the consequences would be if it fell into the wrong hands. Remember: your company will take the hit if there is a breach, regardless of whether the vulnerability is on your side or that of your data storage provider.
3. Ask about provider’s processes in case of a breach
Your provider’s plan of defense, method of mitigation, and support deployment in the event of a breach should be transparent and well-documented. At minimum, a breach should immediately trigger multiple fail-safes and alarms that alert you to an intrusion or risk of exploitation, together with an immediate lockdown that happens before data can be extracted or decrypted.
4. Consider outside regulatory demands
Your cloud data storage provider should have stringent security policies in place. They should be prepared to back up guarantees with tight security protocols that match or exceed your own. If you operate in a heavily regulated industry or location(s) with independent data security and privacy protection regulations, your cloud data storage provider will need to be fully compliant with these additional guidelines as well.
5. Identify security gaps between systems
Utilize security tools to help identify any gaps in security measures that you can address on your end. Security and compliance is always – always – a shared responsibility between your company and your cloud data storage provider. That means you have to be prepared to up your game. Guarantee that your storage provider silos different client databases, and ensure access on your end is appropriately firewalled.
6. Utilize file-level encryption
Even if your cloud provider uses encryption, double down on your end with comprehensive encryption at the file level. This will form the foundation for all of your cloud security efforts. Using a comprehensive encryption method on your data before uploading it to the cloud adds another layer of protection. You can also institute “sharding” to further break up and segment data, storing fragments in different locations, thereby making it difficult for hackers to assemble an entire file in the event of a successful breach.
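The “encrypt on your end before uploading” step above is easy to state and easy to get wrong. The following is an added example, not code from the original post or from any provider it mentions: a small Go program that seals a document with AES-256-GCM under a key that never leaves your side, binds the object name into the ciphertext as associated data, and refuses to return any plaintext if the stored object was modified. The key handling, object name and sample document are assumptions made for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewFileKey generates a random 256-bit AES key. The key stays on your side
// (for example in your own KMS or HSM) and is never uploaded with the file.
func NewFileKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptFile seals plaintext with AES-256-GCM. The object name is bound in as
// associated data, so a ciphertext copied under a different name will not open.
// Output layout: nonce (12 bytes) || ciphertext || GCM tag (16 bytes).
func EncryptFile(key []byte, objectName string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce.
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// DecryptFile reverses EncryptFile. Any change to the blob, or a mismatched
// object name, fails authentication before a single plaintext byte is returned.
func DecryptFile(key []byte, objectName string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, []byte(objectName))
}

func main() {
	key, err := NewFileKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample document standing in for a file about to be uploaded.
	doc := []byte("Q3 forecast: revenue 4.2M, churn 2.1% (constructed sample)")
	name := "finance/q3-forecast.txt" // assumed object name in the bucket
	blob, err := EncryptFile(key, name, doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("uploading %d bytes of ciphertext; plaintext never leaves this host\n", len(blob))

	back, err := DecryptFile(key, name, blob)
	fmt.Printf("round trip ok: %v\n", err == nil && string(back) == string(doc))

	blob[len(blob)-1] ^= 0x01 // simulate a corrupted or tampered object in storage
	_, err = DecryptFile(key, name, blob)
	fmt.Printf("tampered object rejected: %v\n", err != nil)
}
```

Because the name is part of what the tag authenticates, an attacker who can only shuffle objects around in the bucket cannot make one file masquerade as another, and a provider-side compromise yields ciphertext only.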
7. Secure end-user devices
Even with the best cloud-based data security, the majority of breaches come through user error. All devices that access your cloud-based resources should be subject to advanced endpoint security. You’ll need to set clear rules about who can access what data and from where, and then monitor from a bird’s-eye level, ensuring employees are only accessing data necessary for them to perform their duties.
8. Institute password best practices
The age of the annoying, complicated, and easy-to-bypass password guidelines has ended. The National Institute of Standards and Technology (NIST) now recommends unique passphrases over passwords that require a capital letter, a lowercase letter, a number, and a special symbol. Instituting this type of individual security leads to better compliance on an employee level, the most common access point for hackers.
9. Implement two-factor authentication
Enhance personal security by enforcing two-factor authentication. This process adds a step to each login method requiring a password, more than doubling your protection. It forces those seeking sensitive data access to enter their password in addition to a single-use security code sent to their device before permitting secure login.
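To show what “single-use” has to mean on the server side, here is an added example that is not part of the original post: a Go implementation of time-based one-time codes (RFC 6238, the scheme behind authenticator apps) plus a verifier that allows one 30-second step of clock drift and remembers which steps have been consumed, so a code that was phished or observed cannot be replayed. Using an authenticator-style code rather than a code sent by SMS is an assumption of this example; the shared secret below is the RFC 6238 test vector, not a real credential.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

const (
	Digits = 8  // code length shown to the user
	Step   = 30 // seconds per time step (RFC 6238 default)
)

// HOTP computes an RFC 4226 one-time code for a counter value using HMAC-SHA1.
func HOTP(secret []byte, counter uint64, digits int) string {
	msg := make([]byte, 8)
	binary.BigEndian.PutUint64(msg, counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg)
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation offset
	bin := (uint32(sum[off])&0x7f)<<24 | uint32(sum[off+1])<<16 |
		uint32(sum[off+2])<<8 | uint32(sum[off+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, bin%mod)
}

// TOTP derives the counter from a Unix timestamp (RFC 6238).
func TOTP(secret []byte, unix int64, digits int) string {
	return HOTP(secret, uint64(unix/Step), digits)
}

// Verifier is the server-side half. It tolerates one step of drift either way
// and records consumed steps so the same code is never accepted twice.
type Verifier struct {
	secret []byte
	used   map[uint64]bool // in production, prune entries older than the window
}

func NewVerifier(secret []byte) *Verifier {
	return &Verifier{secret: secret, used: map[uint64]bool{}}
}

// Verify returns true exactly once per valid time step; later attempts with the
// same code are rejected as replays. The comparison is constant-time.
func (v *Verifier) Verify(code string, unix int64) bool {
	now := uint64(unix / Step)
	start := now
	if now > 0 {
		start = now - 1
	}
	for step := start; step <= now+1; step++ {
		if v.used[step] {
			continue
		}
		expected := []byte(HOTP(v.secret, step, Digits))
		if subtle.ConstantTimeCompare(expected, []byte(code)) == 1 {
			v.used[step] = true
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret, not a real key
	fmt.Println("code at t=59:", TOTP(secret, 59, Digits)) // RFC vector: 94287082
	v := NewVerifier(secret)
	code := TOTP(secret, 59, Digits)
	fmt.Println("first use accepted:", v.Verify(code, 59))
	fmt.Println("replay accepted:", v.Verify(code, 59))
}
```

The piece most deployments forget is the `used` map: without it, a code observed during the 30-second window remains valid for a second login, which is exactly the replay the “single-use” promise is meant to rule out.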
10. Transfer data securely
Ensure point-to-point security by insisting on extra encryption and using SSL/TLS for all communications. Secure email and file protection tools can allow you to track and control who sees messages about your data, how long they have access, and when and how access can be revoked (for all actions or for specific tasks such as forwarding). For data that is transferred outside your organization, you can restrict the types provided. Limit allowable use of data, and ensure you and the recipient are complying with all relevant data protection laws.
11. Back up data consistently
Make copies of data at regular intervals and keep them in a separate location in case a vulnerability is exploited. This can help protect your company against significant losses in the event of a breach, which could result in a data wipeout or a lockdown that takes time to clear. Consistent data backups protect you: with a copy of your data, you can remain operational even without access to real-time data in cloud storage.
12. Understand recovery options
If your latest data is compromised, deleted, or lost, ask what provisions your cloud storage provider has in place for recovery and restoration. If they cannot restore your data, ask about restitution to help recoup any costs associated with rebuilding your databases. Meanwhile, examine your other potential sources of data recovery in a crisis, from your stored backups to employee devices.
13. Educate employees
All employees (particularly, but not limited to, employees who have access to confidential information) should be mandated to attend data security training. The risks and consequences of a data breach should be fully covered, along with guidance for device usage, data access protocols, password choice, and two-step authentication. Make ramifications for employees who prove to be the source of a breach – from termination to potential prosecution – crystal clear.
14. Get C-suite buy-in
Executive cooperation is required for top-down compliance at all levels of your company. This is particularly important if your organization has multiple departments, in-the-field employees, and remote workers. Anyone and everyone with data access should be aware of, and engaging in, security best practices. And, the C-suite should be leading the way.
Most common causes of compromised data security
Some of the most significant data breaches of the past five years may have involved data stored in the cloud. But, using a cloud provider is not the top cause of data vulnerability. Company security lapses, typically at a low employee level, are still the most common way for hackers to gain data access. Protecting and securing data at all levels of your organization is essential.
15. Phishing
A shocking number of security breaches happen because a hacker simply asked an employee for the credentials required to access sensitive information. Educating employees about common phishing attempts and encouraging them to always check with a superior before providing access should be a priority in any employee data security awareness program.
16. Password weaknesses
Weak or stolen credentials are right up there next to phishing attempts. By updating your company policy to the latest NIST standards and helping employees switch from passwords to passphrases, you can eliminate the temptation for employees to make passwords some version of P@ssw0rd.1
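Steps 8 and 16 both come down to the same policy change: stop demanding character classes and start rejecting weak secrets outright. The following is an added example, not code from the original post: a Go policy checker in the spirit of NIST SP 800-63B that enforces a length floor, accepts long passphrases, applies no composition rules, and instead screens against a blocklist (after undoing “P@ssw0rd”-style substitutions), the account’s username, and repeated or sequential runs. The blocklist here is a constructed stand-in for a real breached-password corpus, and the rule thresholds are assumptions.

```go
package main

import (
	"fmt"
	"strings"
	"unicode/utf8"
)

// Constructed blocklist standing in for a breached-password feed; a real
// deployment checks against a large breach-derived corpus.
var blocklist = map[string]bool{
	"password": true, "qwerty": true, "letmein": true,
	"welcome": true, "iloveyou": true, "admin": true,
}

// canonical lowercases the secret, strips the trailing digits and punctuation
// people bolt on to satisfy old rules, and undoes common leetspeak so
// "P@ssw0rd.1" is judged as "password".
func canonical(s string) string {
	s = strings.TrimRight(strings.ToLower(s), "0123456789.!?")
	return strings.NewReplacer("@", "a", "0", "o", "1", "l", "3", "e",
		"$", "s", "5", "s", "!", "i").Replace(s)
}

// hasRunOrSequence flags four or more identical or consecutive characters
// ("aaaa", "1234", "abcd").
func hasRunOrSequence(s string) bool {
	rs := []rune(s)
	for i := 3; i < len(rs); i++ {
		a, b, c, d := rs[i-3], rs[i-2], rs[i-1], rs[i]
		if a == b && b == c && c == d {
			return true
		}
		if b == a+1 && c == b+1 && d == c+1 {
			return true
		}
	}
	return false
}

// CheckPassphrase returns the reasons a candidate secret is rejected; an empty
// slice means it is acceptable. Note what is absent: no uppercase, digit or
// symbol requirement, and no forced rotation.
func CheckPassphrase(secret, username string) []string {
	var reasons []string
	n := utf8.RuneCountInString(secret)
	if n < 8 {
		reasons = append(reasons, "shorter than 8 characters")
	}
	if n > 128 { // assumed ceiling; NIST asks that at least 64 be allowed
		reasons = append(reasons, "longer than 128 characters")
	}
	low := strings.ToLower(secret)
	if blocklist[low] || blocklist[canonical(secret)] {
		reasons = append(reasons, "matches a common or breached password")
	}
	if username != "" && strings.Contains(low, strings.ToLower(username)) {
		reasons = append(reasons, "contains the account's username")
	}
	if hasRunOrSequence(low) {
		reasons = append(reasons, "contains a repeated or sequential run of 4+ characters")
	}
	return reasons
}

func main() {
	// Constructed candidates; "mjones" is an assumed username.
	for _, c := range []string{"P@ssw0rd.1", "Tr0ub4d", "mjones-rocks-2019",
		"correct horse battery staple"} {
		if r := CheckPassphrase(c, "mjones"); len(r) == 0 {
			fmt.Printf("%-30q accepted\n", c)
		} else {
			fmt.Printf("%-30q rejected: %s\n", c, strings.Join(r, "; "))
		}
	}
}
```

Run as written, the four-word passphrase is the only candidate that passes, while the symbol-laden “P@ssw0rd.1” is rejected because it is just “password” with decoration, which is the exact case the old composition rules encouraged.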
17. Application vulnerabilities
Any application can contain a technical vulnerability that makes it a potential access point ripe for exploitation. Updating applications regularly to ensure released security patches are applied can reduce the risk of a hack originating from an app. You may also need to monitor employee devices used for work to ensure they aren’t running outdated applications that could permit access to the device – and therefore, to data.
18. The inside man (or woman)
A disgruntled employee who was terminated but still has access is one of the most dangerous threats to your data integrity. Ensure that every employee who is let go is put through a complete and thorough exit process that includes revoking all credentials, both virtual and physical – this includes keycards, USB drives, and other items that can store data or encryption keys.
19. User error
Any employee – even a CEO – can unwittingly be the cause of a data breach. An act as innocent as hitting the wrong autocomplete field and including an unauthorized person in the CC of an email can be a way into your organization, putting your data at risk. Uploading a document to the wrong folder, or losing an internet-connected device such as a laptop, tablet, or smartphone can also be an invitation to a data breach.
True security in an age of cloud-based data storage begins at ground zero. Your employee training, real-time monitoring, and on-premise security must be impeccable. From there, you can expand your attention to other potential areas of exposure, from vendors to data storage providers.
Cloud services have rapidly become one of the top choices over traditional methods of onsite business data storage. While cloud data storage offers multiple benefits, led by cost savings and convenience, any upside can quickly be wiped out if the data is exposed. Having proper security protocols in place for protecting and securing your data in the cloud must be a discussion that occurs long before a shift to the cloud happens.