Here are a few risk mitigation strategies for the cloud from the cloud security experts at US Cloud.
Use an auditing tool so that you know everything you have in the cloud and everything your users are using there. You can’t secure data that you don’t know about.
Why, who, when
In addition to finding out what services are being run on your network, find out how and why those services are being used, by whom and when.
Make that auditing process a routine part of your network monitoring, not just a one-time event. And if you don’t have the bandwidth for that, outsource that auditing routine to a qualified third party like US Cloud.
There is a cloud-specific risk in the assumption that the cloud provider handles everything. It is still your responsibility to patch when using infrastructure as a service (IaaS) and to perform appropriate identity and access management regardless of IaaS, platform as a service (PaaS), or software as a service (SaaS). In particular for IaaS (AWS, Azure, or Google Cloud Platform), you need to be diligent about patch management and endpoint protection of your hosts.
And regardless of whether you’re using IaaS, PaaS, or SaaS, you must be aware of credential access and you must use multi-factor authentication, because credentials are the keys to your kingdom. You need to know which cloud services are being used on your network and which credentials are being used to access them.
Approach risk mitigation for cloud services no differently than for on-premises systems. Credential management and patching are still critical, and backup is even more important in the cloud.
A multi-cloud approach works well for SaaS, but not for PaaS and IaaS. For SaaS, you will choose the platforms that meet the requirements of the end user while balancing the overall cost of licensing spend. In PaaS and IaaS, the organization needs to keep in mind the skill sets of its internal teams and where the components of the application architecture sit in relation to each other. An application running in one cloud platform with its data housed in another cloud platform will be subject to severe latency and performance issues that will affect end users.
The 3-2-1 approach is the most important strategy for cloud-related disaster recovery: three copies of your data in two different places, including one off-site.
Learn from mistakes
Everybody is talking about Equifax and patching, but an even more rudimentary lesson to take away is the awareness of putting things under lock and key. The AWS S3 bucket that was left unprotected last summer and exposed the personal information of thousands of military personnel is the breach event that should most change risk management. It really reinforces best practices: databases need to be password protected regardless of where they live, cloud or on-premises. The greatest information security risk remains human error. That AWS breach was not a platform issue; it was an admin issue.
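The "lock and key" lesson above comes down to three bucket settings an admin can get wrong. The following is an added example (not US Cloud's code) that evaluates constructed S3 bucket policy, ACL and Public Access Block documents offline, flagging each way a bucket is open to the world; the bucket names and account ID are made up.

```python
# Added example (not US Cloud's code): offline check of constructed S3 bucket
# settings for the three ways a bucket can be opened to the world.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def _wildcard_principal(principal) -> bool:
    # Principal may be "*" or {"AWS": "*"} / {"AWS": ["*", ...]}
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_statements(policy: dict) -> list:
    # Sids of Allow statements open to any principal with no Condition
    return [s.get("Sid", "<no Sid>") for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow" and not s.get("Condition")
            and _wildcard_principal(s.get("Principal"))]

def public_acl_grants(grants: list) -> list:
    # Permissions granted to the AllUsers / AuthenticatedUsers groups
    return [f"{g['Grantee']['URI']}:{g['Permission']}" for g in grants
            if g.get("Grantee", {}).get("URI") in (ALL_USERS, AUTH_USERS)]

def assess_bucket(bucket: dict) -> list:
    # One finding per exposure; an empty list means "under lock and key"
    findings = [f"policy {sid} allows any principal"
                for sid in public_policy_statements(bucket.get("Policy", {}))]
    findings += [f"ACL grant {g}" for g in public_acl_grants(bucket.get("Grants", []))]
    pab = bucket.get("PublicAccessBlock", {})
    findings += [f"{f} not enabled" for f in PAB_FLAGS if not pab.get(f)]
    return findings

# Constructed inputs: one exposed bucket, one locked-down bucket
EXPOSED = {
    "Policy": {"Statement": [{"Sid": "PublicRead", "Effect": "Allow",
                              "Principal": "*", "Action": "s3:GetObject",
                              "Resource": "arn:aws:s3:::example-bucket/*"}]},
    "Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}],
    "PublicAccessBlock": {f: False for f in PAB_FLAGS},
}
LOCKED = {"Policy": {"Statement": [{"Sid": "Admin", "Effect": "Allow",
                                   "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                                   "Action": "s3:*", "Resource": "*"}]},
          "Grants": [], "PublicAccessBlock": {f: True for f in PAB_FLAGS}}
```

Running `assess_bucket(EXPOSED)` returns six findings (one policy statement, one ACL grant, four disabled Public Access Block flags), while `assess_bucket(LOCKED)` returns an empty list.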
The other part of risk management is the behavior of the cloud providers themselves. Google and Microsoft are analyzing all data stored on their platforms for anything deemed offensive, which they will remove. How do you know what they are doing with your trade secrets stored there?
Contact the cloud security and dedicated hosting experts at US Cloud to help roadmap your security posture.