7 Considerations for Data Security in the Cloud
Look for these seven things when identifying a cloud services provider or determining if your current hosted infrastructure is secure or not.
Articles published September 8, 2017 by Steve Simpson
Has your organization moved any applications or data to the cloud? If so, how secure is the hosting infrastructure?
As more and more organizations adopt cloud strategies and move their physical environments into virtual cloud environments, the need for strong security increases. If you have data or applications in the cloud, ensuring you’re using a secure service provider is vital and will minimize your data security risks. This goes for a nationwide provider, such as Microsoft or Amazon Web Services, or a local hosting company.
Recently, we talked about how to manage your cloud security and asked nine key questions to help you elevate your current security posture.
So, how do you ensure data security in cloud environments and remote data centers? Here are seven things to look for when identifying a cloud services provider or determining if your current provider is secure or not.
1. Approach to Data Security
In an age where cyberattacks are increasing and always evolving, you need to ensure that wherever your data is, it’s secure. When deciding on a provider or examining your current provider’s security features, discuss with them how they secure your data and information. This is more than security policies and encryption; it’s also about cybersecurity, network security, audits and logging, security design, and threat management.
Microsoft is a good example of a cloud service provider that is upfront about how they protect their customers’ data. Check out their Trust Center for more information on their approach to security.
2. Data Encryption
For maximum protection, it’s best practice to encrypt your data while in transit and at rest. Data in transit is data that’s moving from one location to another, either across the internet or a private network. Data at rest is data that’s not moving and is stored somewhere.
Encrypting data means information is rendered unreadable when accessed without proper authorization, whether it’s in transit or at rest. Having a process in place to ensure sensitive devices and data are encrypted and that files and emails are being properly sent is imperative.
Does your cloud services provider offer encryption? To what extent?
3. Data Security Standards & Policies
While encryption is essential for your organization, it’s also important for your provider to have established standards and policies around data security.
These include firewalls, anti-virus detection, and routine security audits. You should also ask exactly which employees at the cloud service provider will be able to access your data, so you have a clear picture of who might come in contact with it.
Since your data will be in the cloud service provider’s hands and located in one of their data centers, it’s important to identify how your data will reside in the data center. For instance, how are they separating your data from other organizations’ data? What are the defined walls of tenancy? Is your data separated from others?
In addition, you should also create a data security policy and communicate it to your employees, or ask if the cloud service provider has one for you to review. This should be used to define approved methods to securely transfer or share data and define restricted methods to help stop the use of unsupported or unsafe services and applications. Policies should be very specific on what will be accepted by the service provider.
4. Data Backups
How many versions of backups are available?
Your cloud service provider will usually keep a data backup, but normally it’s only the most recent version. Additionally, most providers can’t guarantee a complete restore of your data. Ask all potential providers about their policies on backup and data restoration.
With that in mind, your hosted data should be backed up regularly to ensure no data is lost if an attack or disaster occurs. The backup can be made with or without your cloud service provider, and it helps guarantee business continuity and peace of mind that your data can be recovered if needed.
5. User Security
For businesses, user security is everything. If just one employee is careless with their password, it could have devastating consequences for your organization. To stop this from happening, organizations should have complex password requirements and communicate to employees how to be secure.
Depending on the application or cloud service, you may or may not have control over enforcing password policies. However, you should ask any potential providers what their password requirements are. If they have complex requirements and use two-factor authentication, then you are set.
If you do have control, here are some tips for creating an effective password:
- Enforce password best practices, such as a minimum length of eight characters, no password hints, and a common password ban list.
- Require a unique passphrase with special characters, so that it’s more difficult to crack.
- Set up a policy limiting the number of consecutive incorrect access attempts.
- Consider using two-factor authentication (2FA).
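The tips above translate directly into code. The following is an added example, not part of the original article, of a small password-policy check (minimum length, special character, ban list) together with a consecutive-failure lockout. The lockout threshold, lockout duration and the ban list are illustrative assumptions; a real deployment would load a breached-password corpus rather than the five constructed entries shown.

```python
"""Password policy check and consecutive-failure lockout (added example)."""
import re
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MIN_LENGTH = 8            # the article's minimum length
MAX_FAILED_ATTEMPTS = 5   # assumed: failures allowed before a lockout
LOCKOUT_SECONDS = 900     # assumed: 15-minute lockout

# Constructed ban list for the example; use a real breached-password list in production.
COMMON_PASSWORDS = {"password", "12345678", "qwerty123", "letmein1", "welcome1"}


def check_password(candidate: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password ban list")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("contains no special character")
    return problems


@dataclass
class LockoutTracker:
    """Counts consecutive failed logins per user and enforces a temporary lockout."""
    failures: Dict[str, int] = field(default_factory=dict)        # user -> consecutive failures
    locked_until: Dict[str, float] = field(default_factory=dict)  # user -> unix time lockout ends

    def is_locked(self, user: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return self.locked_until.get(user, 0.0) > now

    def record_failure(self, user: str, now: Optional[float] = None) -> bool:
        """Register a failed attempt; return True if this attempt triggered a lockout."""
        now = time.time() if now is None else now
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= MAX_FAILED_ATTEMPTS:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures[user] = 0  # counter restarts once the lockout expires
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful login resets the consecutive-failure counter."""
        self.failures.pop(user, None)


if __name__ == "__main__":
    for pw in ("Password1", "correct-horse-battery", "password"):
        print(pw, "->", check_password(pw) or "ok")
    tracker = LockoutTracker()
    for attempt in range(MAX_FAILED_ATTEMPTS):
        if tracker.record_failure("alice"):
            print(f"alice locked out after {attempt + 1} failures")
```

The lockout counter is keyed per user rather than per source address, which is what stops a single careless or guessed password from being tried indefinitely; the reset on success mirrors how most identity providers treat the counter.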
6. Two-Factor and Multi-Factor Authentication
Two-Factor Authentication (2FA) is a process designed to ensure the security of sensitive information by requiring users to provide two forms of identification when attempting to access an account. One factor may be something the user knows, like a password; the other may be something the user has or is, like a one-time token or a fingerprint. This is just another way to ensure the person accessing the account is the right person. Many cloud service providers are going this route because it increases data security and can decrease the chance of getting hacked.
To take it a step further, you can also use multi-factor authentication. Common layers to multi-factor authentication include:
- Receiving a text message, phone call, or email with an access code
- Having to type in the associated phone number or email
- Answering security questions
- Choosing the correct image
- Typing in a phrase from an image
- One-time token or fingerprint
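The "one-time token" factor in the list above is most often a time-based one-time password (TOTP, RFC 6238) of the kind generated by an authenticator app. The following is an added example, not part of the original article, of a TOTP generator and a server-side verifier written with the Python standard library only. It accepts one time step of clock drift on either side and refuses to accept the same code twice, which is the replay edge case a verifier must handle. The secret in the self-check is the RFC 6238 test-vector secret; the per-user bookkeeping and the `window` parameter are this example's own design choices.

```python
"""TOTP (RFC 6238) generation and replay-safe verification (added example)."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a single counter value."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based code: HOTP over the number of elapsed time steps."""
    return hotp(secret, int(at_time) // step, digits)


def new_secret() -> str:
    """Base32 secret suitable for provisioning an authenticator app (20 random bytes)."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def verify_totp(secret: bytes, submitted: str, at_time: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Return the counter the code matched, or None. Tolerates +/-window steps of drift."""
    at_time = time.time() if at_time is None else at_time
    counter = int(at_time) // step
    for drift in range(-window, window + 1):
        candidate = hotp(secret, counter + drift, digits)
        if hmac.compare_digest(candidate, submitted):     # constant-time comparison
            return counter + drift
    return None


class TotpVerifier:
    """Server-side check that also rejects replay of an already-accepted code."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.last_counter: Dict[str, int] = {}  # user -> highest counter accepted so far

    def check(self, user: str, submitted: str, at_time: Optional[float] = None) -> bool:
        matched = verify_totp(self.secret, submitted, at_time)
        if matched is None:
            return False
        if matched <= self.last_counter.get(user, -1):
            return False  # code (or an older one) was already used: replay
        self.last_counter[user] = matched
        return True


if __name__ == "__main__":
    demo_secret = base64.b32decode(new_secret())
    now = time.time()
    code = totp(demo_secret, now)
    verifier = TotpVerifier(demo_secret)
    print("code", code, "first use:", verifier.check("alice", code, now),
          "replay:", verifier.check("alice", code, now + 1))
```

Enrollment is the reverse of `new_secret()`: the base32 string goes into the user's app once, and the server stores the decoded bytes. Note that a fingerprint, the other factor the article names, never leaves the device; the server only ever sees an assertion that the local check passed, so it cannot be verified with code like this.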
7. Compliance Certifications
When choosing a cloud service provider or evaluating your current one, check to see if they abide by data compliance certifications, such as SOC2 level certification. Being SOC2 certified ensures the cloud service provider enforces strict standards that have been evaluated and approved through a rigorous audit process using an independent party.
The Health Insurance Portability and Accountability Act (HIPAA) is another regulation to make sure your cloud service provider complies with. To ensure this, see if the provider will sign a business associate agreement (BAA) with you. A BAA ensures that your health care data is in compliance with HIPAA guidelines.
HIPAA compliance is also important when it comes to the location of the service provider’s data centers. If your data is housed in another country, it may not be protected by HIPAA, which means your health care data isn’t safe. Make sure your health care data stays in the country, so it’s enforceable within the law.
Microsoft is a good example of a provider who documents this. They state that their customers’ health care data stays in U.S. data centers and is supported by U.S. support agents.
Ask the service provider where their data centers are and if you can restrict where your health care data is.
Secure Your Hosted Infrastructure & Succeed
These seven steps will get you on the path to choosing a cloud service provider who will keep your data safe from potential attacks. Knowing your data is secure with your service provider gives you peace of mind and allows you to focus your time and efforts on your core business.
How secure is your hosted infrastructure?