Managing Cloud Security: 9 Key Questions To Help Elevate Your Security Position
Articles published December 13, 2016 by Ben Killion
With an increasing amount of data moving to the cloud, it’s essential for organizations to evaluate their remote data security risks. The following questions and answers (along with some of my own thoughts and observations) from the Microsoft Business Blog are designed to help bolster your cloud security and get you thinking about areas where your organization could improve.
As cloud computing and the Internet of Things (IoT) continue to transform the global economy, securing enterprise data must be viewed as an ongoing process. Securing the ever-expanding volume, variety, and sources of data is not easy; however, with an adaptive mindset, you can achieve persistent and effective cloud security.
The first step is knowing the key risk areas in cloud computing and IoT processes and assessing whether and where your organization may be exposed to data leaks. File sharing solutions improve the way people collaborate but pose a serious point of vulnerability. Mobile workforces decentralize data storage and dissolve traditional organizational perimeters. SaaS solutions turn authentication and user identification into an always-on and always-changing topic.
Second, it’s worth developing the habit, if you haven’t already, of reviewing and adapting cloud security strategy as an ongoing capability. To that end, here are nine key questions to revisit regularly.
1. Is Your Security Budget Scaling Appropriately?
Security teams routinely manage numerous solutions on a daily basis and typically monitor thousands of security alerts. At the same time, they need to keep rapid response practices sharp and ready for deployment in case of a breach. Organizations must regularly verify that sufficient funds are allocated to cover day-to-day security operations as well as rapid, ad hoc responses if and when a breach is detected.
2. Do You Have Both Visibility Into and Control of Critical Data?
With potential revenue loss from a single breach in the tens of millions of dollars, preventing data leaks is a central pillar of cloud security strategy. Regularly review how, when, where, and by whom your organization’s data is being accessed. Monitoring whether permissions are appropriate for a user’s role and responsibilities as well as for different types of data must be constant.
3. Are You Monitoring Shadow IT Adequately?
Shadow IT is any hardware, software, or application that isn’t approved or endorsed by an organization’s IT department. Sometimes users will violate policies, or go around what’s been approved, and attempt to access or download unapproved applications on their own.
Today, the average employee uses 17 cloud apps, and mobile users access company resources from a wide variety of locations and devices. Remote and mobile work coupled with the increasing variety of cloud-based solutions (often free) raises concerns that traditional on-premises security tools and policies may not provide the level of visibility and control you need. Check whether you can identify mobile device and cloud application users on your network, and monitor changes in usage behavior. To mitigate risks of an accidental data breach, teach current and onboarding employees your organization’s best practices for using ad hoc apps and access.
4. Is Your Remote Access Security Policy Keeping Up?
Traditional remote access technologies build a direct channel between external users and your apps, and that makes it risky to publish internal apps to external users. Your organization needs a secure remote access strategy that will help you manage and protect corporate resources as cloud solutions, platforms, and infrastructures evolve. Consider using automated and adaptive policies to reduce time and resources needed to identify and validate risks.
5. Do You Have Security Solutions to Protect You From Insider Attacks?
IT aims to help employees who aren’t aware of data security risks, or of how they contribute to them, learn best practices that mitigate risk factors, like using multi-pronged approaches for sharing sensitive information and detecting malicious emails.
To expand on this, a lot of breaches can be prevented if all employees are educated and trained on different ways hackers might try to manipulate them. There are numerous strategies to evaluate and implement, but here are two that are very effective:
Security Awareness Training
Making security awareness training a mandatory event for employees will be a huge benefit over time. Let this training time be a place where employees not only learn about the different kinds of cyber and social engineering attacks, but also learn how to thwart them. Give concrete examples of actual threats, and possibly set up a test/false attack to identify employee behaviors, then provide additional training based on the outcomes. Once employees know how to stop these strikes before they even happen, the risk of a cyberattack decreases, and the training reinforces how critical your organization’s data is.
Another method to create awareness with employees is to post signs around the office with cyber tips and information. Short bullet points that get their attention posted on doors and within common areas, such as break rooms or kitchen areas, can keep this information top of mind.
Social Engineering Assessment
An additional way to make sure you’re protected from social engineering attacks is to have an external social engineering assessment done. Aureon Technology can aid in these assessments by sending security consultants to perform exploratory research. The consultants use the internet and other investigative methods to gather a great deal of organization and employee information. They then perform a series of tests to see how easy it is to gain access to the organization’s data.
All of these tests are done to determine how and where an organization is vulnerable to a social engineering attack. After the assessment is completed, organizations can take the necessary steps to mitigate exposure to many of the most common types of cyberattacks on their systems, communicate to employees how to make their workplace more secure, and reiterate the information through additional training sessions as needed.
6. How Do You Protect From Identity Compromise?
More often than not, attackers access your network by compromising user credentials. User and entity behavioral analytics can help you identify suspicious activities that could indicate a breach.
7. Do You Have Additional Security to Identify Users of Mobile Devices and Cloud Applications?
Mobile users access corporate resources from various locations and devices, so it’s difficult to verify who’s accessing your organization’s resources in the cloud. In fact, 35 percent of respondents said Two-Factor Authentication (2FA) is a company-wide requirement for employees’ devices, but another 31 percent said it is used only for certain applications or levels of employee access.
2FA is a process designed to ensure the security of sensitive information by means of requiring users to provide two forms of identification when attempting to access an account. Examples of 2FA include:
- Receiving a text message, phone call, or email with an access code.
- Having to type in the associated phone number or email.
- Answering security questions.
- Choosing the correct image.
- Typing in a phrase from an image.
- Using a one-time token.
- Providing a fingerprint.
This is just another way to ensure that the person accessing the account is the right person.
8. Is Monitoring and Logging Good Enough?
Many tools provide insights into possible threats, but huge amounts of raw data, even when consolidated in monitoring tools, require time and people to identify and validate the risks and to act on every piece of information. Reportedly, 79 percent of global organizations are interested in, planning, or already have a risk-based/context-based authentication solution.
But there’s a better way to deal with advanced threats: By using automated, risk-based adaptive policies, you can respond to threats before they start and more effectively allocate your resources.
One example of an automated solution like this is Advanced Threat Protection (ATP), which is a combination of different security solutions designed to prevent cyberattacks, malware, and hackers from stealing private and sensitive data. There are some differences in ATP solutions, depending on the company, but the most common solutions include:
- Network devices.
- Email gateways.
- Centralized management console.
- Malware protection.
- Endpoint agents.
An effective ATP can prevent, detect, and mitigate threats, so you don’t have to constantly be on the lookout for potential breaches and threats.
Another option is to actively monitor your network activity for security threats. Security Information and Event Management (SIEM) is one effective strategy that delivers a centralized view of all network data. From that data, it can identify any threats and track them throughout your organization’s system. SIEM consolidates all logs and provides a clearer picture of what’s happening on your network.
Fortunately, SIEM isn’t something that you have to handle on your own. Managed security service providers (MSSP), like Aureon, offer 24/7 security monitoring that’s affordable and effective. These services let you know right away when security incidents occur, and include log monitoring reports and network analytics, to help you see exactly what’s going on in your organization’s network.
9. Is Your IT Department Able to Stay on Top of Everything?
It’s very easy for IT departments to get bogged down with day-to-day user requests and reactive activities. This might hinder their ability to respond to issues in a timely manner. It might also impact their ability to focus on more strategic activities, which may involve larger projects that align with the long-term vision and direction of the company.
Some IT teams can benefit from supplemental resources to keep the day-to-day activities moving along. A Managed Service Provider (MSP) can help take on these activities at a predictable monthly cost, and the services can often be scaled up or down to match the ebbs and flows of your organization.
The goal of these questions is to provide a guide to follow when it comes to your organization’s cloud security, and give you a list of solutions that you could start implementing right away.