Public Cloud Security: 10 Ways to Keep Your Applications Safe
If you’re using the public cloud, there’s always a risk that your data can be accessed by someone without your permission. While public cloud providers use a high level of security, any time anything is sent over the public internet, there’s a chance of data leakage or breach.
If you are using the public cloud and cloud-based applications, you need to conduct an in-depth evaluation of your cloud provider’s systems and security protocols. You also need to understand what it takes to keep your applications safe in the cloud.
Your Cloud Security Strategy
In creating your cloud security strategy, here are 10 considerations for protecting your data and your organization:
Assess your hardware, software, and data needs
Determine what level of security is needed
Choose a cloud provider that can meet your standards
Evaluate your procedures and protocols
Assess physical security
Examine downtime and incident response policies
Know your liability and recourse
Negotiate your SLA
Have an exit plan
Implement best practices for security
1. Assess Hardware, Software, And Data Needs
Before you can adequately address your cloud security needs, you need to take inventory of what you already have and what you will need from your cloud provider.
A public cloud provider can save companies money by eliminating expensive hardware costs and outsourcing maintenance and management.
2. Determine What Level Of Security Is Needed
Different types of data require different levels of security, and the cloud solutions you apply to your apps need to match those levels.
For example, if you handle credit card transactions, you likely need to comply with PCI DSS regulations. HIPAA rules will apply to medical and health information. Financial reporting and governance may fall under Sarbanes-Oxley. Federal agencies and contractors are held to FISMA standards. Each of these has strict compliance regulations when it comes to storing, transmitting, and securing data.
Your industry or organization may have its own set of rules that dictate specific security protocols.
3. Choose A Cloud Provider That Can Meet Your Standards
Not all cloud providers are the same. Make sure they can meet your requirements and standards. If you do have compliance regulations to deal with, make sure your cloud provider will certify that they comply. Failing to do so can create significant liabilities for your company.
4. Evaluate Your Procedures And Protocols
In addition to the security your cloud provider implements, you should evaluate your own security to determine what additional procedures and protocols you need to put in place.
You should have guidelines for how your employees handle data, collection policies, what data can be stored in the cloud, and how data is handled and accessed. Your policies should address whether you need to encrypt your data and restrict access.
Have a plan in place for onboarding new employees and handling their terminations to avoid lapses.
5. Assess Physical Security
You are not only at risk from cyber-attacks. Many breaches and security lapses happen on-premises. Look at whether your employees or outsiders have the ability to pose a threat to your data by being able to physically access it (whether inadvertently or with malicious intent).
6. Examine Downtime And Incident Response Policies
When something goes wrong, downtime can be costly. Make sure you understand the responsibilities of your cloud provider to respond to incidents. This should include notification and guaranteed service response times.
In case of a breach or significant failure, make sure you are aware of your rights and obligations. There should be a plan, including a security incident response team, to deal with breaches or cyber attacks. While your cloud provider needs a written plan, your organization does as well. There may be compliance obligations due to industry or data-handling regulations.
7. Know Your Liability And Recourse
If data is lost or stolen, you want to have a firm understanding of who is responsible and what recourse is available (if any). Neither side really wants to assume liability in case of an incident, equipment failure, or data crash, but it’s better to have it all in writing before something happens.
Typically, there is little recourse if data is lost due to a breach or equipment failure unless there is negligence or if it is spelled out in the contract.
8. Negotiate Your SLA
While your cloud provider will have a boilerplate service-level agreement (SLA), you may be able to negotiate certain items. At a minimum, it should address any concerns you have about:
Data location (including mixing)
Pay particular attention to mobile app support services, including a vendor road map. Make sure your provider is required to maintain and manage mobile apps. This means staying on top of updates, patches, and fixes in continuous development cycles.
Make sure you know exactly what you are paying for, including both short-term and long-term costs.
9. Have An Exit Plan
Make sure you know what happens to your data at the end of your contract. It’s your data, so it clearly belongs to you, but it may not be in a usable state depending on how it has been handled. Many cloud providers use proprietary software that makes it extremely difficult to move to other providers (called “vendor lock-in”).
Spell out what happens at the end of the agreement before you start and mandate a decommission strategy to help you move data to a new vendor if you desire. This helps keep your data safe and can also help you take advantage of potential cost savings with other providers.
10. Implement Best Practices For Security
Implement best practices in your organization. These might include security protocols such as identity and credential management tools, file encryption, and firewalls.
Check with the Cloud Security Alliance for more information on best practices and security controls.
Data Integrity Is Critical
With more data moving to the cloud every day, maintaining the integrity of your data is crucial.
Security is a shared responsibility between your cloud provider and your IT management team, employees, and organization. No matter how strong your cloud provider’s security is, you can’t delegate all of the responsibility.
After all, if something happens to your data that impacts your customers, you may be liable as well. Even if you aren’t liable, a security breach or data loss may still cause irreparable harm to your records and to your reputation.