As enterprises move their applications and data to the cloud, executives increasingly face the task of balancing the benefits of productivity gains against significant concerns about compliance and security.
Security in the cloud is not the same as security in the corporate data center. Different rules and thinking apply when securing an infrastructure over which one has no real physical control.
When leveraging cloud services, enterprises need to evaluate several key factors, including:
- Data encryption capabilities for both data in transit as well as data at rest
- Data security, especially in a multi-tenant cloud environment, where it is often unclear who can access your data and how it is isolated from vulnerabilities in other systems
- Privacy controls on who can access your data, how long it may be used, stored, etc.
- Maintenance and management controls and other measures the service provider has taken to ensure that the system is always protected and kept up to date with the latest software, server and operating system security patches, etc.
Many security professionals are highly skeptical about the securability of cloud-based services and infrastructure. In this post, we will discuss some best practices and guidelines that can be used to securely leverage the benefits of the cloud by using its strengths to overcome issues that have traditionally been labeled as weaknesses.
1. Encryption of data in transit must be end to end
All interaction with servers should happen over an SSL/TLS connection (TLS 1.2) to ensure the highest level of security. The encrypted connection should terminate only within the cloud service provider's network.
2. Encryption is important for data at rest, too
Encryption of sensitive data should be enabled at rest, not only when data is transmitted over a network. This is the only way you can confidently comply with privacy policies, regulatory requirements and contractual obligations for handling sensitive data.
Data stored on disk in cloud storage should be encrypted using AES-256, and the encryption keys themselves should be encrypted with a regularly rotated set of master keys.
Ideally, your cloud service provider should also provide field-level encryption. Customers should be able to specify the fields they want to encrypt (e.g., credit card number, SSN, CPF, etc.).
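The key hierarchy and field-level encryption described above, as an added Node.js example (not code from the original post or from any provider): selected fields are encrypted with AES-256-GCM under a per-record data key, the data key is wrapped by a master key, and rotation re-wraps only the data key. The in-memory `masters` map, the key ids and the sample record are constructed for illustration and stand in for a key management service.

```javascript
const crypto = require('crypto');

// AES-256-GCM with a 32-byte key; output layout is nonce(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]);
}

// Throws if the key is wrong or the sealed value was modified.
function open(key, sealed) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, sealed.subarray(0, 12));
  decipher.setAuthTag(sealed.subarray(12, 28));
  return Buffer.concat([decipher.update(sealed.subarray(28)), decipher.final()]);
}

// Encrypt only the listed fields under a fresh data key, then wrap that key
// with the master key named by keyId (masters: hypothetical id -> key map).
function encryptRecord(masters, keyId, record, fields) {
  const dataKey = crypto.randomBytes(32);
  const stored = { ...record };
  for (const f of fields) {
    stored[f] = seal(dataKey, Buffer.from(String(record[f]))).toString('base64');
  }
  return { keyId, wrappedKey: seal(masters[keyId], dataKey), fields, record: stored };
}

function decryptRecord(masters, env) {
  const dataKey = open(masters[env.keyId], env.wrappedKey);
  const plain = { ...env.record };
  for (const f of env.fields) {
    plain[f] = open(dataKey, Buffer.from(plain[f], 'base64')).toString('utf8');
  }
  return plain;
}

// Master-key rotation re-wraps the data key; field ciphertexts are not touched.
function rotateMasterKey(masters, env, newKeyId) {
  const dataKey = open(masters[env.keyId], env.wrappedKey);
  return { ...env, keyId: newKeyId, wrappedKey: seal(masters[newKeyId], dataKey) };
}

// Constructed sample: two master keys and one customer record with test values.
const masters = { 'mk-2024': crypto.randomBytes(32), 'mk-2025': crypto.randomBytes(32) };
const sample = { name: 'A. Customer', card: '4111111111111111', ssn: '000-00-0000' };
const env = encryptRecord(masters, 'mk-2024', sample, ['card', 'ssn']);
const rotated = rotateMasterKey(masters, env, 'mk-2025');
console.log(rotated.keyId, decryptRecord(masters, rotated).card);
```

Because rotation touches only the wrapped data key, its cost does not grow with the amount of stored data, and the retired master key can no longer unwrap the rotated record.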
3. Vulnerability testing should be rigorous and ongoing
The cloud service provider should employ industry-leading vulnerability and incident response tools. For example, such tools enable fully automated security assessments that can test for system weaknesses and dramatically shorten the time between critical security audits, from yearly or quarterly to monthly, weekly, or even daily.
You can decide how often a vulnerability assessment is required, varying from device to device and from network to network. Scans can be scheduled or performed on demand.
4. Have a defined and enforced data deletion policy
After a customer’s data retention period (as specified in a customer contract) has ended, that customer’s data should be programmatically deleted.
5. Add protective layers with user-level data security
The cloud service should provide role-based access control (RBAC) features to allow customers to set user-specific access and editing permissions for their data. This system should allow for fine-grained, access control-based, enforced segregation of duties within an organization to maintain compliance with internal and external data security standards.
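One way to enforce segregation of duties on top of RBAC, as an added example rather than any provider's implementation: access is denied unless a role grants the permission, and a role assignment is refused when the combined roles would give one user a conflicting pair of permissions. The role names, permission strings and conflict pairs are hypothetical.

```javascript
// Hypothetical role model: role -> permissions it grants.
const ROLES = {
  analyst: ['report:read'],
  preparer: ['report:read', 'payment:create'],
  approver: ['report:read', 'payment:approve'],
  admin: ['user:manage'],
};

// Hypothetical permission pairs that one person must never hold together.
const CONFLICTS = [
  ['payment:create', 'payment:approve'],
  ['user:manage', 'payment:approve'],
];

// Union of the permissions granted by all of a user's roles.
function permissionsOf(user) {
  const perms = new Set();
  for (const role of user.roles) {
    // Object.hasOwn avoids matching inherited names such as "toString".
    if (!Object.hasOwn(ROLES, role)) throw new Error(`unknown role: ${role}`);
    ROLES[role].forEach((p) => perms.add(p));
  }
  return perms;
}

// Deny by default: only an explicitly granted permission allows the action.
function can(user, permission) {
  return permissionsOf(user).has(permission);
}

// Returns the conflicting pairs that a user's combined roles would grant.
function sodViolations(user) {
  const perms = permissionsOf(user);
  return CONFLICTS.filter(([a, b]) => perms.has(a) && perms.has(b));
}

// Refuse a role assignment that would break segregation of duties.
function assignRole(user, role) {
  const candidate = { ...user, roles: [...user.roles, role] };
  const violations = sodViolations(candidate);
  if (violations.length > 0) {
    const detail = violations.map((v) => v.join(' + ')).join(', ');
    throw new Error(`segregation of duties violation: ${detail}`);
  }
  return candidate;
}
```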
6. Get a virtual private cloud and network
Instead of leveraging a multi-tenant instance, your cloud storage or software as a service (SaaS) provider could spin up a cloud environment that is used only by you and in which you have complete control over, and access to, the data. Amazon Web Services (AWS) refers to this as a virtual private cloud (VPC). You can connect it securely to your corporate data center: all traffic to and from instances in your VPC can be routed to your corporate data center over an industry-standard, encrypted Internet Protocol security (IPsec) hardware VPN connection.
7. Insist on rigorous compliance certifications
The two most important certifications are:
- PCI DSS: To achieve this certification, a SaaS provider has to undergo detailed audits to ensure that sensitive data (e.g., credit card data) is stored, processed and transmitted in a fully secure and protected manner. The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.
- SOC 2 Type II: Helpful in internal risk management processes, regulatory compliance oversight, as well as vendor management programs, SOC 2 certification confirms that a cloud service is specifically designed and rigorously managed to maintain the highest level of data security.
Both of these certifications can offer useful comparative information for the cloud service providers you may be considering.
The above are just some of the key security provisions that any cloud service provider should build into its cloud service. Defense in depth is traditionally a matter of strict design principles and security policies distributed across a number of departments and areas of expertise.