Cloud Security Best Practices – Are Privacy And The Cloud Mutually Exclusive?
Contents
Security and privacy concerns are sometimes a barrier to adopting cloud services. The concern is certainly reasonable; you’re moving data offsite and trusting someone else to keep it safe. It’s important to be diligent when choosing a cloud provider and setting up services, but the right choices can provide a better level of safety than many on-premises systems.
Where The Cloud Gives Better Security
Small and medium businesses often don’t have the staff and facilities to monitor their networks against all threats and to prevent all physical intrusions. A reputable cloud provider provides security advantages that many businesses won’t easily match:
- The network will be monitored at all times
- Professionals trained in security will configure the routers and firewalls
- Security personnel will maintain physical security, keeping all unauthorized visitors away from the machines
- Security software will always be up to date
What’s critical is to make sure that a cloud provider actually does these things well. The service agreement specifies what measures the provider commits to. If they aren’t sufficient, or if the provider doesn’t have a record to match the promises, look elsewhere.
The Client’s Obligation For Cloud Security
Even with the best providers, the client has responsibilities that it can’t pass off. Some are basic security practices that apply to any computer system; others are important because of the off-premises location.
- Manage users carefully. Give users only the authorization they need. Only one or two people should have management-level privileges. If the software allows giving users different access according to what they need to do, take advantage of that.
- Maintain a strong password policy. Easily guessed passwords are one of the biggest weaknesses in online computer systems. Require long, strong passwords — at least ten characters — including upper and lower case letters and numbers. Discourage password reuse.
- Never store sensitive information in unencrypted form. This includes Social Security numbers, credit card numbers, personal health information — anything that would cause trouble if the wrong people got their hands on it. Use encrypted fields for this kind of information.
- Never transmit sensitive information without encrypting it. Use a secure protocol, such as HTTPS or SSH. Snoopers can intercept passwords or personal information if they’re sent as raw text.
- Never store passwords. Not even in encrypted form. A database should store only a one-way hash of passwords. That is, it can apply the hash function to a password to determine if it matches the value in the database, but it shouldn’t be able to determine the password from the stored hash value.
The amount of responsibility your business has to take depends on the level at which you’re using the service. This discussion assumes you’re using Software as a Service (SaaS) and perhaps Database as a Service (DaaS); in other words, you’re licensing the use of applications and a database server.
If you’re using Platform as a Service (PaaS) or Infrastructure as a Service (IaaS) then you have more control over all aspects of the service, and therefore more responsibility for managing security.
Best Practices For Hybrid Approaches
Using cloud services doesn’t have to mean putting everything on the cloud. A hybrid approach, with some functionality on on-premises systems and the rest on a cloud service, can balance the advantages of the cloud with the security of locally maintained systems. The local systems can hold the most sensitive information and processing, as well as software which isn’t available on any cloud service.
Another option is a private cloud.
“Private clouds are data center architectures owned by a single company that provides flexibility, scalability, provisioning, automation and monitoring.” – Asigra
With a normal public cloud service, you share hardware with customers you don’t know.
“Examples of public clouds include Amazon Elastic Compute Cloud (EC2), IBM’s Blue Cloud, Sun Cloud, Google AppEngine and Windows Azure Services Platform.” – TechTarget
Your data and processes are shielded from those of other customers, but there’s at least a hypothetical risk from sharing a computer. With a private cloud, you reserve a set of machines just for your own business. You still get dynamic allocation of resources, but only from your own pool of hardware. This will cost more than the public cloud, but it can help to satisfy critical security requirements.
You can use a private cloud for the critical functions and the public cloud for the rest; this is called the hybrid cloud strategy, and it’s become very popular in the past few years.
“The hybrid cloud is the combination of a public cloud provider (such as Amazon Web Services, Google Cloud, or Joyent Compute) with a private cloud platform — one that’s designed for use by a single organization.” – ZDNet
Cloud services can provide an acceptable level of security in many situations. To make sure of it, though, a business has to hold up its end and avoid risks as far as possible.
Kelley Create can provide the cloud services that will meet your security requirements.