Under Armour. Saks Fifth Avenue. Lord & Taylor. Panera. Delta. Best Buy.
No, this isn’t a list of great places to buy gift cards ─ although you can buy them from these organizations. Rather, these are some of the big-name companies that suffered data breaches in 2018.
Cloud security advances continue to be made but, as the ever-growing list of data breach victims demonstrates, even large corporations with deep pockets seem unable to fully protect their data. So what chance does a company with fewer resources have of keeping its cloud environment secure?
A “good chance” is the answer ─ if you incorporate the right security measures.
Growing Security Intelligence
With each large-scale cyber-attack and every less-publicized strike, the IT community is expanding the depth and breadth of its security knowledge. Existing vulnerabilities are being identified and fixes for them rolled out. More advanced monitoring services and diagnostics tools are preventing many so-called “bad actors” from succeeding in their exploits.
Best practices are being developed, repeatedly tested and shared. IT security vendors and others in the IT infrastructure supply chain are working more closely with their customers ─ and with each other ─ to develop stronger cloud defenses.
Creating a more secure cloud environment requires tapping into this growing body of security knowledge. While there isn’t a simple “just do this” approach to cloud security, there are many things your organization can do to enhance the security of its cloud environment(s).
Your Cloud Security “To-Try” List
If your company has an on-premises cloud environment, have its security evaluated by an outside company. A private cloud is inherently more secure than a public cloud, but it’s still not 100% secure. A third-party company that specializes in assessing cloud security can help you identify vulnerabilities and recommend enhancements.
Ideally, you want an assessment conducted by a company that not only specializes in security but also in overall IT resource and service portfolio optimization. The most secure cloud environment might not serve your company very well if it makes day-to-day business cumbersome or if it’s so expensive you can’t invest in other much-needed IT resources.
If you’re considering procuring cloud services from a CSP, opt for those certified to meet PCI DSS or HIPAA compliance requirements ─ even if your organization isn’t in an industry that requires compliance with those standards. PCI- and HIPAA-compliant cloud environments employ infrastructure and processes that enable them to meet very stringent security requirements. That translates into a more secure cloud environment.
If your organization is using cloud services that aren’t PCI- or HIPAA-compliant, ask your CSP to provide detailed information on their security measures and how they plan to address potential issues in the future. How often are they updating their security measures? Do they test them? Can they meet stringent security requirements even if they choose not to undergo compliance certification? Can they verify the security measures they say they have in place are in place ─ and effective?
Check your service level agreement. If it’s not specifying the level of security you want, you may want to consider other options and vendors before renewing any contracts.
Implement cloud security best practices. Cloud security best practices can’t guarantee your data will be 100% secure, but they have proven effective for many IT professionals. You’re safer with them than without them.
For example, put comprehensive logging and reporting in place. Make sure that your “golden image” virtual machines and VM templates are hardened and clean. Protect sensitive data wherever it might be ─ in motion, at rest or in use. Maintain an optimal security posture by holding the encryption keys.
Create a transparent process that controls who can see the information you are storing and/or processing in the cloud, and then create a “self-destruct” policy for sensitive information that does not need to live indefinitely outside of the confines of your organization.
Again, consulting with an outside company that understands IT security and IT optimization can help your organization identify and implement the best practices best suited to its needs.
Layer on more security. You can never have too much security, so opt for managed security services from your CSP or a third-party IT security vendor. You’ll be able to better cover all endpoints and potential vulnerabilities.
Bonus: Managed security, offered as security as a service, means access to the latest and greatest security technologies without upfront capital expenditures or the need for in-house security expertise.
Include data protection, backup and recovery as part of your cloud security plan. A secure environment doesn’t mean a cyber attacker can’t find a way to at least slow down your operations or corrupt your data. The right data protection, backup and recovery tactics can help ensure that if your cloud security doesn’t stop an attack, the data and applications you need most will still be accessible and usable.
Accept there is no such thing as a 100% secure cloud environment. When you assume your cloud environment is impenetrable, it’s easy to become lax about security best practices, regular audits, employee security awareness training, and other elements. Cyber thieves count on this.
New cyber threats are constantly emerging and others evolving. What protects against them today may not work against what they’ll morph into next month. Working with a CSP or managed security company that stays on top of the latest threats is important. But it’s equally essential for your IT staff to keep pace with what’s happening on the security front as well. Follow a few blogs written by trusted security experts or cloud companies. Attend IT security webinars. Take advantage of information provided by vendors and technology partners.
Make Security a Group Effort
Don’t make securing your cloud environment a “solo” effort. Tap the expertise of others, such as US Signal. Whether you choose to maintain an on-premises private cloud, go with a hosted private cloud, migrate to a public cloud service or implement a hybrid strategy, US Signal’s solution architects and security specialists can offer you options for building out a more robust, cost-effective cloud security strategy. Call 866.2.SIGNAL or email us at: [email protected].
For more recommendations on cloud security, take advantage of US Signal’s free eBook.