Cloud security: The top tips from the experts
Computing asked the experts for their top tips to help businesses use the cloud securely. Here's what they said
Most organisations embrace the cloud today, with the speed and flexibility of as-a-service offerings proving irresistibly attractive.
And even those who believe their organisations should remain stubbornly out of the cloud will often find cloud services in use somewhere within their own networks.
Whether it's employees using their personal Dropbox accounts to enable seamless home and office work, or perhaps people sharing corporate files via their own Gmail accounts when the corporate email goes down, it's almost impossible for any sizable organisation to stay completely cloud-free.
But one commonly cited issue with corporate cloud use is security, with many firms uncomfortable with the idea of someone else having at least partial responsibility for their data.
So with that in mind, Computing spoke to the experts, and compiled their best advice into easily digestible sections below.
Here are the top tips from the experts.
First, once you've decided to take the plunge, it's important to work out which applications or data will best fit the cloud, what to move first, and where it is likely to reside.
Rob Norris, director of enterprise and cyber security in EMEIA at Fujitsu
"Businesses should first focus on critical data. This should be done by identifying the data that needs to be protected, where it's going to be moved to and used within the cloud, and then ensure that the controls available to businesses through cloud providers are sufficient.
"Businesses must understand where their data resides at a national level, who could view that data, and what is contractually in place to control that access, to properly address legislation around protecting personal data - as that will always be present in the cloud."
How to find the right cloud provider
Choosing between the myriad services on offer from a huge array of providers is mind-boggling. Here are a few tips from the experts on how to select the right offerings for your needs.
Stuart Aston, chief security adviser, Microsoft UK
"Look for a cloud provider that will allow you flexibility over your operating environment and control over your data. A good provider should offer public, hybrid and private hosted cloud options; provide evidence of how the service is governed and managed; and enable you to take your data with you should you decide to leave."
Orlando Scott-Cowley, independent cybersecurity and cloud expert
"There's a lot of flat-earthing going on about the cloud; when it was a new concept no one trusted it, but today it's a different story albeit for a few doubters. The majority of technology pros and enterprises trust the cloud, in fact most businesses are using the cloud in one form or another. Even those who don't trust it and don't think they're using it.
"Trusting the cloud is about knowledge, so before you sign on the line make sure you've done the due diligence on your chosen cloud provider so you know exactly how and where your data is stored, how it's encrypted and how much more secure it would be than if you stored the data yourself. Trust your cloud service, but only once you've verified its suitability and reputation.
"The cloud IS secure. Too many organisations still consider the cloud as insecure. The fear of their data being on 'someone else's computer' is often too much and paralyses them into not advancing their technology into the cloud world. In reality, we know now that the cloud is far more secure than equivalent on-premises services, and certainly more available and better protected. So don't fall for this scare tactic; look for reputable cloud vendors who have a long list of ISO certifications, and can demonstrate their security to you in order to overcome the fear paralysis.
"Find the balance. Lots of enterprises are going 'whole-hog' when it comes to cloud, i.e. shutting down all their on-premises applications and moving everything into the cloud, almost over a weekend. This type of IT bankruptcy might work for you, but can be a challenge to implement in one hit. A better approach is to find the balance between what needs to be in the cloud and what could stay on-premises, with a view to 'on-ramping' everything into the cloud over time. This managed migration approach will also fit with your budget and end users' expectations better."
How to find the right cloud provider (2)
Nick Delewski, managing consultant, security consulting, Spirent Communications
"If you're in the public cloud, know your provider's penetration testing policy. While many providers understand the need for penetration testing and application assessment, some are more open to the idea than others. Most will require you to submit discovered infrastructure vulnerabilities for remediation, which is a good thing for everyone. However, some place greater restrictions on the types of tests they allow.
"Evaluate cloud usage policy and purpose. While the cloud offers a continuum of performance, monetary savings, and flexibility, the organisation should be clear on the goals of purchased cloud services. Is the cloud suitable for test/dev but not production? Could the company benefit from bursts of compute power without the capital commitment for a full private cloud solution?
"These are examples of questions that should be asked and answered, before giving the company credit card to the cloud. There's something to be said for modest exploration to try new things as part of any research and development programme, but routine cloud usage should still be policy driven and preserve the value proposition.
"Cloud vendors may be experts on technology and scalability, but they are not immune to market forces. History is filled with accounts of promising new companies with useful products and growth potential which fold due to grievous mismanagement or missed opportunities. It's also filled with acquisitions hoping to bring a solution to new heights of prominence only to be shut down after a talent exodus.
"This advice goes just as well for those interested in purchasing private clouds as it does for public cloud consumers: do your homework and be sure your cloud solution/provider is going to be around for the long haul. Then pick a backup solution and make sure that you have data redundancy and a migration path in case you need it. In these fairly choppy market waters, your business could literally sink if you're not careful."
Richard Gardener, solutions architect at Six Degrees Group
"Selecting the correct service is vital for a successful and secure cloud provision. Services that don't meet expectations are one of the key frustrations of IT teams today, wasting both time and money, as well as reducing security effectiveness.
"It is important to take the time to really consider what you want your cloud to do, and ensure that security is built into every layer of applications."
How to find the right cloud provider (3)
Ian Trump, global security lead at LOGICnow
"Make sure the cloud vendor supports two factor authentication (2FA) or can supply a reliable add-on for 2FA. If you are using cloud services and not using 2FA, you are at high risk of being hacked.
"Ensure the cloud vendor has an audit log for user activity and compliance purposes. Without that it will be impossible to re-construct an insider or outsider breach.
"Ensure the cloud vendor has password expiry capability and a stale user report; unused accounts should be disabled and only removed after the data for that user has been archived in some manner.
"Ensure the cloud vendor has robust encryption for data in transit and any sensitive data such as user IDs and passwords are stored in an encrypted manner.
"Ensure the cloud vendor has both a mechanism and requirement in the T&Cs to alert you if a security breach of your account has taken place.
"Ensure the cloud vendor has procedures in place to verify a password reset request using an out of band mechanism, such as a phone call and account verification, to defeat social engineering attacks or malicious insider activity.
"Ensure the cloud vendor's storage and processing facilities are located in a country with the same or more robust privacy and data protection requirements as your own country.
"Ensure the cloud vendor requires your written authorisation to use your meta-data or data for any third party purpose."
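The three vendor capabilities above (2FA, an audit log, and a stale user report with a disable-then-archive-then-remove lifecycle) are easy to turn into a routine check once the provider exposes a user export and an audit log. The script below is an added illustration, not code from the article or from any vendor named in it: the user-export fields (`mfa_enrolled`, `status`, `archived`), the JSON-lines audit format and the 90-day idleness window are all assumptions, and the sample records are constructed. It recommends one action per account and refuses to recommend removal for a disabled account whose data has not yet been archived.

```python
"""Stale-account and MFA review built from a user directory export and an
audit log.  Added illustration, not from the article or any provider; the
record formats, field names and the 90-day window are assumed."""
import json
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)   # assumed policy: idle longer than this => disable

# Constructed user directory export (hypothetical field names).
USERS = [
    {"user": "alice", "mfa_enrolled": True,  "status": "active",   "archived": False},
    {"user": "bob",   "mfa_enrolled": False, "status": "active",   "archived": False},
    {"user": "carol", "mfa_enrolled": True,  "status": "active",   "archived": False},
    {"user": "dave",  "mfa_enrolled": True,  "status": "disabled", "archived": True},
    {"user": "erin",  "mfa_enrolled": True,  "status": "disabled", "archived": False},
    {"user": "frank", "mfa_enrolled": True,  "status": "active",   "archived": False},
]

# Constructed audit log, one JSON object per line (hypothetical format).
AUDIT_LOG = """\
{"ts": "2016-10-01T08:12:00Z", "user": "alice", "action": "login"}
{"ts": "2016-10-03T09:30:00Z", "user": "bob", "action": "file.download"}
{"ts": "2016-06-11T17:45:00Z", "user": "carol", "action": "login"}
{"ts": "2016-02-20T10:00:00Z", "user": "dave", "action": "login"}
{"ts": "2016-10-04T12:00:00Z", "user": "alice", "action": "file.upload"}
"""


def last_activity(audit_log):
    """Map each user to the timestamp of their most recent audited action."""
    seen = {}
    for line in audit_log.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        ts = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        user = event["user"]
        if user not in seen or ts > seen[user]:
            seen[user] = ts
    return seen


def review_accounts(users, audit_log, now):
    """Return a recommended action per account:

    disable       - active but idle longer than STALE_AFTER, or never seen in the log
    remove        - already disabled and its data has been archived
    keep-disabled - disabled but not yet archived, so must not be removed yet
    enforce-mfa   - active and in use, but no second factor enrolled
    ok            - nothing to do
    """
    seen = last_activity(audit_log)
    actions = {}
    for u in users:
        name = u["user"]
        if u["status"] == "disabled":
            actions[name] = "remove" if u["archived"] else "keep-disabled"
            continue
        last = seen.get(name)
        if last is None or now - last > STALE_AFTER:
            actions[name] = "disable"
        elif not u["mfa_enrolled"]:
            actions[name] = "enforce-mfa"
        else:
            actions[name] = "ok"
    return actions


if __name__ == "__main__":
    report_time = datetime(2016, 10, 5, tzinfo=timezone.utc)
    for user, action in sorted(review_accounts(USERS, AUDIT_LOG, report_time).items()):
        print(f"{user:8} {action}")
```

Run against a real export, the only parts that need changing are the two loaders; the decision logic stays the same. Note that `frank` never appears in the audit log at all, which is treated as stale rather than silently skipped, since an account that has never been used is exactly the kind an attacker would prefer to take over unnoticed.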
Martyn Williams, managing director of COPA-DATA UK
"Slowly but surely, industry is starting to outline and implement cyber security standards to make industrial networks, devices, software, processes and data more secure. For example, the NIST Cyber Security Framework published in the US compiles leading practices from several standard bodies. There is no such thing as a foolproof formula, but NIST is a good place to start."
David Meyer, VP of product at OneLogin
"Businesses need to ensure that the vendor they choose supports industry standards. Such standards have their security aspects vetted publicly, unlike proprietary approaches some vendors use. Also, it's vital to ensure the vendor is up to date on certifications and third party reviews."
Jamal Elmellas, technical director at Auriga
"Be wary of thinking 'we're safe because the CSP is PCI, SOX, ISO certified'. That's untrue. They will have a specific instance such as an application, basic platform or application that may well be, but the chances are that you will be procuring a blend of services. Make sure you know what is and isn't part of that scope. For example, if you procure a tightly scoped card/payment processing application via SaaS, PCI may cover it. If you shift your entire ICT infrastructure into a CSP that claims they are ISO27001, it is highly unlikely their scope will cover your business and processes. You will need to adjust your own ISO27001 scope."
Sam Mager, commercial director at Krome Technologies
"Be cynical, not all cloud providers are made equal. Do your due diligence and understand the fundamentals of physical security - where is your data, who has access to the servers and how are they protected? Also, where else could they be? If your cloud provider has multiple data centres and replicates data for redundancy and protection, where is your data at any given time?"
The importance of training
It's easy to overlook the culture change for internal staff when moving traditional on-premise infrastructure or applications to the cloud. Keeping employees informed as to what's going on, and especially how their responsibilities change, particularly with regard to security, is essential.
Craig Downing, senior product marketing director, Epicor Software
"Hacks and data leaks can often stem from a lack of employee understanding or vigilance, whether that's around your security processes or the implementation of systems. Remember that while business growth is to be celebrated, with growing numbers of users comes a growing risk that someone is going to do something careless. Education is the key to ensuring that employees aren't the weak link in your security chain and putting training and best practices in place can mitigate this threat."
Nick Delewski, managing consultant, security consulting, Spirent Communications
"Just because the marketing material says that you can be up and running in 15 minutes doesn't mean you should be. Your administrators, analysts, developers, and executives still need to understand your cloud solutions in order to work together and monetise your investment. Would you ask your staff to fly a plane with 15 minutes of training? Of course not. Give them the time and resources they need to do their jobs securely."
Simon Schofield, head of security and compliance at Adapt
"Train your users to be aware of possible threats and use critical thought when reading emails or using the web."
You can't outsource responsibility
You may have thrown all your infrastructure in the bin and outsourced everything, but you're still ultimately responsible for security, and the safe operation of your business.
Rik Ferguson, VP security research, Trend Micro
"There's a great temptation to outsource due to the lack of realisation that you can't outsource accountability. People think they can offload both the work and the responsibility, but you can't. People need to understand that to be compliant [with regulation], they still need to be part of the process."
Jamal Elmellas, technical director at Auriga
"Don't fall into the trap of thinking 'we don't need to worry about security, our cloud service provider (CSP) does this for us'. Even if you went for a complete managed end-to-end service, you will still need to take responsibility for your organisation's security. Ultimately the buck stops with the customer.
"The analogy we use with our customers is this: if you use a bus to make a journey to work, you still need to ensure you get to the bus stop on time, safely board the bus, know where your stop is and get off, as well as making sure your belongings are safe. This is similar to CSP management. A lot of CSPs will offer security products as part of their service catalogue, but it is still your responsibility to either configure the software/products appropriately or procure that additional service. Once the product is procured and configured it is still your responsibility to manage it."
Mark Ebden, strategic consultant, Trustmarque
"Remember that cloud security isn't the provider's problem. A provider can have all the certifications in the world, but you still need to overlay your corporate policies to ensure compliance - don't believe that they will write the policy for you. It's easy to take comfort from a list of impressive industry certifications, but businesses can't forget to apply their own security standards, as they usually would in their own environment - as this kind of complacency gives rise to risk and exposure."
David Meyer, VP of product at OneLogin
"Unless you are a security expert, leave storage of secrets to professionals. Do not fall for the myth that on-premises is safer; do your research and use a trusted vendor in the cloud."
Rob Norris, director of enterprise and cyber security in EMEIA at Fujitsu
"It's important to understand what security responsibilities are a company's: for instance, does the business have to keep the operating systems of its virtual servers fully patched, even if the original server images came from the cloud provider?"
Paul German, VP EMEA, Certes Networks
"One of the biggest errors made by organisations is assuming that the cloud and its users can be trusted. In reality, this isn't the case. The cloud increases the attack surface significantly so organisations must deploy a security strategy that assumes a breach will happen, and limits the scope should a breach occur. Application isolation, role-based user access control and cloud-friendly segmentation are some examples of techniques that can limit a hacker's access to sensitive applications."
You can't outsource responsibility (2)
Dave Worrall, CTO, Secure Cloudlink
"Identity management is arguably the biggest security issue that enterprises need to address when selecting a cloud partner. A lot of organisations make the misconception that outsourcing data means handing over security credentials and user identities. This is not the case and it should never be.
"When you're choosing a cloud partner, it's important to ensure that your enterprise's identity is not being compromised. In other words, you need to make sure that your cloud partners are not replicating this information and not storing that outside of your organisations, as you are ultimately responsible for protecting and controlling your users' identity.
"As an enterprise you should have the ability with a single click to stop that identity from being used anywhere outside of the business. Achieving this might come from removing passwords or implementing step-up authentication depending on the sensitivity of information and not relying on just a single-sign-on process. By not having such processes in place you invariably lose control of your identity and are essentially putting it into the hands of your cloud partner to keep it safe. While they might offer assurances it is imperative you conduct the necessary due diligence to prove this.
"For addressing this, it is important to have sight across any potential partner's service level agreements. Caution should be taken against terms such as 'service as is' and you need to avoid lock-ins. You don't want to end up stuck in a service that fails to account for your fluctuation in data usage and unable to exit. Ensure that you review the SLAs provided and understand what the break terms are."
Simon Schofield, head of security and compliance at Adapt
"When working with a security partner or managed services provider, it's vital to approach security provision in a structured way. Shared responsibilities need to be understood by all parties. Don't assume security is built into managed service provision - make your expectations clear in the selection process."
Libby Phillipps, marketing manager at License Dashboard
"Be mindful that a cloud solution may involve signing an agreement that grants permission to the cloud vendor to carry out any software changes on their behalf, and that they take no responsibility for any changes affecting the licensing of that software. That means that in the event the vendor contravenes their own licensing or any third party licensing, you as an organisation become liable for any adverse consequences. You, as the customer, are responsible for maintaining compliance, even if non-compliance is due to the cloud vendor."
Richard Gardener, solutions architect at Six Degrees Group
"Cloud partners should be managed the same way as traditional vendor relationships commercially to ensure that security is always a top priority.
"The lines of communication between cloud partners and internal IT and developer teams with businesses should also always be open; the best cloud partners are seen as an extension of IT teams, and are always available to offer tailored advice and support.
"It is also important to keep in mind that business can transfer responsibility but not accountability should anything happen to their data."
Managing and monitoring is key
Just as you can't outsource responsibility, it's important not to simply throw data and services into the cloud and hope for the best. It's necessary to continue to manage and monitor not just your own network, but also the operations and performance of your cloud services.
Josh Bressers, security strategist at Red Hat
"If you look at one of the biggest legacy data centre problems it's keeping track of and managing the resources inside the building. You can't secure what you don't know you have. Cloud computing gives us the ability to add resource with the click of a mouse, but if you have allocated resources you're not using and cannot see, unpatched software, or badly configured systems, you miss out on one of the main advantages to the cloud. Now we have to manage the resources inside our building, as well as outside our building! The key to avoiding this trap is to invest in cloud management tools. When used correctly the cloud can be secure, fast, and economical - at the same time."
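"You can't secure what you don't know you have" becomes concrete once the provider's view of what is running is reconciled against the organisation's own inventory. The script below is an added illustration, not code from the article or from Red Hat: the instance record fields (`owner`, `cpu_avg_7d`, `base_image_date`), the internal inventory set, the patch-baseline date and the idle-CPU threshold are all assumptions, and the sample records are constructed. It reports the four conditions the quote warns about: resources running that nobody tracks, inventory records for resources that no longer exist, allocated resources that sit idle, and instances built from images older than the current patch baseline.

```python
"""Reconcile the provider's list of running instances with the organisation's
own inventory.  Added illustration, not from the article; every field name,
the patch baseline and the idle threshold are assumed."""
from datetime import date

# Constructed provider-side export of running instances (hypothetical fields).
RUNNING = [
    {"id": "i-001", "owner": "web-team",  "cpu_avg_7d": 35.0, "base_image_date": "2016-09-20"},
    {"id": "i-002", "owner": "web-team",  "cpu_avg_7d": 0.4,  "base_image_date": "2016-09-20"},
    {"id": "i-003", "owner": None,        "cpu_avg_7d": 12.0, "base_image_date": "2016-03-01"},
    {"id": "i-004", "owner": "data-team", "cpu_avg_7d": 60.0, "base_image_date": "2016-01-15"},
]

# Constructed internal inventory (CMDB) of instance ids the organisation knows about.
INVENTORY = {"i-001", "i-002", "i-004", "i-009"}

PATCH_BASELINE = date(2016, 8, 1)   # assumed: images older than this lack current patches
IDLE_CPU_THRESHOLD = 1.0            # assumed: 7-day average CPU % below which allocation is idle


def reconcile(running, inventory, baseline=PATCH_BASELINE, idle=IDLE_CPU_THRESHOLD):
    """Classify every running instance and every inventory record.

    untracked   - running at the provider but absent from the inventory
    unowned     - running with no accountable owner recorded
    idle        - running but allocated capacity is essentially unused
    stale_image - built from an image older than the patch baseline
    missing     - in the inventory but no longer running (stale record)
    """
    findings = {"untracked": [], "unowned": [], "idle": [], "stale_image": [], "missing": []}
    seen = set()
    for inst in running:
        inst_id = inst["id"]
        seen.add(inst_id)
        if inst_id not in inventory:
            findings["untracked"].append(inst_id)
        if not inst["owner"]:
            findings["unowned"].append(inst_id)
        if inst["cpu_avg_7d"] < idle:
            findings["idle"].append(inst_id)
        if date.fromisoformat(inst["base_image_date"]) < baseline:
            findings["stale_image"].append(inst_id)
    findings["missing"] = sorted(inventory - seen)
    return findings


if __name__ == "__main__":
    for category, ids in reconcile(RUNNING, INVENTORY).items():
        print(f"{category:12} {', '.join(ids) if ids else '-'}")
```

Each category maps to a different follow-up: untracked and unowned instances need an owner assigned or a shutdown decision, idle ones are cost and attack surface for no benefit, stale images need rebuilding from a patched base, and missing records mean the inventory itself is drifting from reality and the change process that should have updated it has a gap.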
Andreas Jensen, EMEA director at WinMagic
"The Dropbox hack highlights a number of risks for organisations that use enterprise file sync solutions either as their primary storage for corporate data, or that allow employees to put corporate data on their personal accounts.
"Companies need to think about the controls they have in place to control the way data moves to and from cloud services, and how it is protected whilst on them. We've seen a password isn't enough. Any data that you would fear losing, or is sensitive in any way, should always be encrypted at source, and have that enforced automatically through security policy. It may not stop a hacker gaining access to an account but it will prevent the data itself from being disclosed because encryption is the very last line of defence in terms of protecting your intellectual property."
Professor Avishai Wool, CTO at AlgoSec
"It's important to have good visibility across your cloud infrastructure, as well as the ability to automate processes that involve changing security policies for key business applications that run across both the cloud and on-premise components of a hybrid network. This ensures that you can maintain security and compliance, while handling all the complex changes and tasks involved in managing a hybrid environment.
"Hand in hand with visibility is security automation. Automation is the key to effectively migrating to and managing a hybrid environment - especially since you will be expected to manage security at the 'speed of cloud'. When you're trying to manage hundreds or even thousands of policy rules, automation is the only way. You'll not only help reduce business outages and speed up application deployments in the cloud, but you'll also get all the teams working together, harmoniously for the benefit of business agility."
Managing and monitoring is key (2)
Nick Delewski, managing consultant, security consulting, Spirent Communications
"Remember the basics. Vulnerability management and auditing are critical. Cloud services offer automation and operational efficiency, but they don't do it all for you. Operational security, application security, and auditing are still critical to security in the cloud. Layered security and patching are made easier by the tools at our disposal; the time you save racking and stacking could be spent on staying on top of the latest threats and ensuring that your cloud provider has a regular patch and vulnerability management programme in place, and performs periodic third party penetration tests and compliance security audits.
"You also need an inventory of your security toolset. Ever wanted to build a network of honeypots for early warning, but you didn't have the time/rack space/hardware to do it right? Now might be your chance. Whether your infrastructure cloud is public or private, spinning up a new instance should only take a few minutes. Plus, if you're only being billed for shared processor time, a honeypot system should be fairly cheap. What other new tools are at your disposal that take advantage of IaaS?"
Ian Muscat, product communications manager at Acunetix
"When most people think of information security within an organisation, it is usually centred on defending the perimeter and protecting endpoints. However, in today's world, an organisation's network perimeter is no longer limited to physical machines on a corporate network, it now increasingly incorporates the cloud.
"More importantly perhaps, web application security has become the number one threat surface organisations are exposing. Since organisations are constantly shipping web applications to satisfy their business requirements, vulnerabilities are not slowing down - so much so that new research shows 55 per cent of websites have high-severity vulnerabilities.
"Tackling this challenge, especially with limited resources, could be challenging, which is why cloud-based web security scanners make things quick and easy to get started."
David Meyer, VP of product at OneLogin
"Consider a cloud vendor an extended part of your infrastructure. You need to be as comfortable with their internal processes as you are with your own."
Paul Burns, chief technology officer at TSG
"Define/agree responsibilities. Establish who will manage alterations and security updates to the hosted firewalls and VPN set-ups at your chosen data centre/cloud provider and examine how will change management be validated/implemented. Often these basic questions are left unanswered until a hole is discovered during a security compliance audit."
Remember the changing regulatory landscape
Moving data and services into the cloud can create a compliance headache, with different rules applying in different jurisdictions. And some providers will be coy at best when it comes to clarifying exactly where data is held. The best advice is to ensure you've had proper legal advice before taking the plunge.
Jaspreet Singh, CEO of Druva
"There's a growing amount of data getting stored on mobile and personal devices because the services used to create that data are based in the cloud. There is more awareness around this due to the forthcoming GDPR compliance deadline. It's a cloud security problem because not all cloud services offer equivalent security measures. While this might be fine for general business data, it's a serious problem for confidential or regulated data.
"Things like Personally Identifiable Information and Personal Health Information can much more easily be compromised if they are not monitored. Typically companies use multiple clouds, not just one, which makes that job of monitoring much more difficult."
Sam Mager, commercial director at Krome Technologies
"Understand how your compliance regulations transpose into the cloud provider's architecture and ensure that they can prove beyond contestation that your data is stored in the right location and will not cross borders (if this is a requirement).
"Spend time with the architects of your cloud provider and have them demonstrate to you that their solution meets your business requirements. The risk of 'believing the brochureware' is too large to leave to chance. Have them demonstrate, document and sign off on your solution so that you are covered in the event of a breach in compliance that is out of your control."
Nick Delewski, managing consultant, security consulting, Spirent Communications
"The laws of math don't change. The law of the land does. Operating across borders and overseas has always been a complex legal proposition and cloud computing does little to solve that particular problem. Sometimes, it may be difficult to determine which government(s) even has jurisdiction over cloud operations. Be sure to get legal advice on cloud computing before jumping into the cloud(s)."
Jamal Elmellas, technical director at Auriga
"Your data could end up in any nation, and of particular concern is data ending up in a nation with minimal data protection legislation. This is what's commonly referred to as 'data sovereignty' and there's been some real scaremongering over this concept, but in reality this will be in the commercial terms, where the CSP details where the data may 'live'. If not, always ask for it in writing.
"The CSP market should be more open and upfront in terms of what they do and don't take responsibility for. Most customers would rather they knew what they were and weren't buying. And for this to happen there will need to be some form of standardisation or self regulation. There are already discretionary codes of practice such as the APMG CIF, which requires suppliers to lay out terms simply and clearly and we've seen this being mandated in the banking world. But will we see it in the Cloud? Maybe.
"For now, the organisation needs to perform its own due diligence. Look for a supplier who voluntarily signs up to these types of codes of practice. Consider also the CSP's reputation. How has the supplier managed security and compromises in the past? This is crucial in understanding how they will behave in a worst-case scenario. Establish where your responsibility starts and finishes, so you know what you should and shouldn't provide as part of your side of the deal.
"Also, know where your gaps are. For example, if the supplier cannot provide encryption for data at rest or certificate management, you know there is a risk there that you decide to open negotiations on or accept.
"Without knowing those risks, and ascertaining if they are acceptable, you may end up unduly pointing the finger following a compromise."
Paul Burns, chief technology officer at TSG
"Understand ownership. This is often a complex area, especially when someone else is entrusted with your systems and data. You need to know they are following proper process; the basics like ISO 27001 should be a given, but find out how they security-vet staff. Also, establish if your data carries specific restriction criteria.
"Consult your industry-appropriate guidelines like the 'FCA Guidance for Outsourcing to the Cloud' but more importantly, if you don't understand it, get a security partner that can guide you through the process. Ignorance is no defence for a data breach."