Public Cloud Security: 10 Ways to Keep Your Applications Safe


If you’re using the public cloud, there’s always a risk that your data can be accessed by someone without your permission. While public cloud providers use a high level of security, any time anything is sent over the public internet, there’s a chance of data leakage or breach.

If you are using the public cloud and cloud-based applications, you need to conduct an in-depth evaluation of your cloud provider’s systems and security protocols. You also need to understand what it takes to keep your applications safe in the cloud.

Your Cloud Security Strategy

In creating your cloud security strategy, here are 10 considerations for protecting your data and your organization:

  1. Assess your hardware, software, and data needs

  2. Determine what level of security is needed

  3. Choose a cloud provider that can meet your standards

  4. Evaluate your procedures and protocols

  5. Assess physical security

  6. Examine downtime and incident response policies

  7. Know your liability and recourse

  8. Negotiate your SLA

  9. Have an exit plan

  10. Implement best practices for security

1. Assess Hardware, Software, And Data Needs

Before you can adequately address your cloud security needs, you need to take inventory of what you already have and what you will need from your cloud provider.

A public cloud provider can save companies money by eliminating expensive hardware costs and outsourcing maintenance and management.

2. Determine What Level Of Security Is Needed

Different types of data require different levels of security, and the cloud solutions you apply to your apps need to match those levels.

For example, if you handle credit card transactions, you likely need to comply with PCI DSS requirements. HIPAA rules will apply to medical and health information. Financial reporting and corporate governance may fall under Sarbanes-Oxley. Federal agencies and contractors are held to FISMA standards. Each of these has strict compliance regulations when it comes to storing, transmitting, and securing data.

Your industry or organization may have its own set of rules that dictate specific security protocols.

3. Choose A Cloud Provider That Can Meet Your Standards

Not all cloud providers are the same. Make sure they can meet your requirements and standards. If you do have compliance regulations to deal with, make sure your cloud provider will certify that they comply. Failing to do so can create significant liabilities for your company. 

4. Evaluate Your Procedures And Protocols

In addition to the security your cloud provider implements, you should evaluate your own security to determine what additional procedures and protocols you need to put in place.

You should have guidelines for how your employees handle data, collection policies, what data can be stored in the cloud, and how data is handled and accessed. Your policies should address whether you need to encrypt your data and restrict access.

Have a plan in place for onboarding new employees and handling their terminations to avoid lapses.

5. Assess Physical Security

You are not only at risk from cyber-attacks. Many breaches and security lapses happen on-premises. Look at whether your employees or outsiders have the ability to pose a threat to your data by being able to physically access it (whether inadvertently or with malicious intent).


6. Examine Downtime And Incident Response Policies

When something goes wrong, downtime can be costly. Make sure you understand the responsibilities of your cloud provider to respond to incidents. This should include notification and guaranteed service response times.

In case of a breach or significant failure, make sure you are aware of your rights and obligations. There should be a plan, including a security incident response team, to deal with breaches or cyber-attacks. While your cloud provider needs a written plan, your organization does as well. There may also be compliance obligations arising from industry or data-handling regulations.

7. Know Your Liability And Recourse

If data is lost or stolen, you want to have a firm understanding of who is responsible and what recourse is available (if any). Neither side really wants to assume liability in case of an incident, equipment failure, or data crash, but it’s better to have it all in writing before something happens.

Typically, there is little recourse if data is lost due to a breach or equipment failure unless there is negligence or if it is spelled out in the contract.

8. Negotiate Your SLA

While your cloud provider will have a boilerplate service-level agreement (SLA), you may be able to negotiate certain items. At a minimum, it should address any concerns you have about:

  • Uptime

  • Scalability

  • Data protection

  • Incident response

  • Data location (including mixing)

  • Repatriation

Pay particular attention to mobile app support services, including a vendor road map. Make sure your provider is required to maintain and manage mobile apps. This means staying on top of updates, patches, and fixes in continuous development cycles.

Make sure you know exactly what you are paying for, including both short-term and long-term costs.

9. Have An Exit Plan

Make sure you know what happens to your data at the end of your contract. It’s your data, so it clearly belongs to you, but it may not be in a usable state depending on how it has been handled. Many cloud providers use proprietary software that makes it extremely difficult to move to other providers (called “vendor lock-in”).

Spell out what happens at the end of the agreement before you start and mandate a decommission strategy to help you move data to a new vendor if you desire. This helps keep your data safe and can also help you take advantage of potential cost savings with other providers.

10. Implement Best Practices For Security

Implement best practices in your organization. These might include security controls such as identity and credential management tools, file encryption, and firewalls.

Check with the Cloud Security Alliance for more information on best practices and security controls.

Data Integrity Is Critical

With more data moving to the cloud every day, maintaining the integrity of your data is crucial.

Security is a shared responsibility between your cloud provider and your IT management team, employees, and organization. No matter how strong your cloud provider’s security is, you can’t delegate all of the responsibility. 

After all, if something happens to your data that impacts your customers, you may be liable as well. Even if you aren’t liable, a security breach or data loss may still cause irreparable harm to your records and to your reputation.