The short answer to the question is— yes, your data it should be safe in the cloud.
There is a much longer answer, and you’re about to get that too.
There are still areas where security data breaches happen, and they’re what we’re going to look into. It’s part of what we do after all.
More and more of our business operations happen on Cloud Servers—the bulk of our data is held there too. When it comes to data governance, we’ve had a few years implementing EU regulations concerning GDPR, so now nobody can go online without clicking consent buttons on almost every website they visit.
The press continues to thrive, reporting the most significant leaks. It’s big news in a society where we’ve been programmed to think that those breaches will give the hackers of the world access to our bank accounts and hard-earned cash. Even though that’s not quite the case in almost all instances, the media makes its money by grabbing our attention, and what better way to do it than to incite a little fear into its readers, viewers or followers?
We need to be able to trust the web with our data. Our lives depend on it—well, financially they could—so it’s more important than ever, with so much of how we live happening online, that our data is kept safe.
In this topic you’ll discover:
- The 5 biggest data breaches over the last 5 years
- How does that affect small businesses
- Cloud-related security fails are becoming harder to find
- It’s the Cloud customer that’s too often the weak link in the chain
- It’s a job for a professional
- Your cloud security controlled by Managed IT Service Providers
- What are the critical areas of control required for complete cloud security?
- The infosec issues that demand your protection
- Implement security at the beginning of the chain
- Ongoing monitoring
The 5 biggest data breaches over the last 5 years
- Yahoo – over 3 billion accounts affected (2013–14)
Initially claimed losses were disclosed at 500 million, but by 2017 Yahoo confessed to data loss, including passwords and security questions of all of its users had been affected.
- FriendFinder – 412 million accounts affected (2016)
A dating website lost 20-years worth of usernames, passwords and email addresses.
- Marriott-Starwood – 383 million accounts affected (2104–2018)
The high-end hotel Marriott bought Starwood in 2014. For the following 4 years, hackers stole records, including phone numbers, email addresses, and more concerning passport data and credit card details.
In 2018 Marriott announced that 500 million accounts had been affected, but by 2019 retracted the number to 383 million.
- MySpace – 360 million accounts affected (2016)
MySpace was at its most popular in the late 2000s; a time when Internet security wasn’t operating as it does today. Email addresses and passwords were accessed, attributed to Russian cyber hacker ‘Peace’, and posted to a hackers’ forum.
- Under Armour – 150 million accounts affected (2018)
In 2018 Under Armour announced that 150 million MyFitnessPal user accounts were hacked. Again, the data contained usernames, passwords and email addresses. Immediately, their stock dropped 4% during after-hours trading, showing what an attack can do to market confidence.
We’re not associating any of these to issues to the Cloud; what we’re saying is that security is incredibly important, and even the biggest players are open to vulnerability if they don’t give their security systems their fullest attention.
How does that affect small businesses?
Small businesses won’t have the same level of resources to plough into every angle of their business as their larger counterparts do. So many assume because they farm out services and storage to outside providers, that it’s somebody else’s responsibility to make sure those servers are safe and protected.
Cloud-related security fails are becoming harder to find
The excellent news for web-users and business security is that the number of data breach cases to happen on cloud-based servers is very low.
The reputation of Cloud Service Providers is strong when it comes to security. Where there were breaches, few were due to providers, but the management of security configurations by the customer.
It’s the Cloud customer that’s too often the weak link in the chain
The main Cloud Service Providers deploy robust security features as standard when offering their services to the masses. The problem is in how they’re managed and controlled.
Cloud computing is a complex beast, and the rise of multi-cloud operation has introduced further challenges for those managing inter-connected spaces. This is a crucial area where business owners and managers need to be aware and vigilant of their operations.
It’s a job for a professional
For example, servers with their own protection need to be just as secure in their connections. A cloud environment must implement the correct security over their entire network, however they choose to do it. HTTPS is a standards solution for simple applications or fully WAN-enabled access for more crucial operations, and of course, there also needs to be correctly configured firewalls and both ends of the network.
A specialist company offering managed IT support services would be an ideal partner in protecting your data. With the knowledge and experience to make sure everything is configured and supported as it should be, all of that sensitive information is in the hands of someone you can trust.
Your cloud security controlled by Managed IT Service Providers
Why use a managed service provider? Most of the controls required for your Cloud services are nothing new to information security professionals. They’ll be more than adequately experienced in handling access management, data encryption and network security—all areas relative to setting up your secure environments. It’s what they do—day in, day out.
Making sure everything gets configured correctly is part of what we do. If left to the end customer, that’s where the problems can occur and breaches made. Managed IT support offers a host of benefits; keeping you safe in the cloud is only one of them.
And as one of the most reputable Managed IT Services Providers in the UK, we’re happy to add to our clients’ confidence in every angle of their digital operations.
What are the critical areas of control required for complete cloud security?
Your information isn’t automatically secure
Your Cloud Service Provider will automatically offer a host of security features, but, as we’ve already said, it’s up to you (or your trusty team of security minions) to keep everything in check.
It’s down to the customer to apply best practices in:
- Multi-factor authentication
- Access management
- Key management
- CIA security controls (confidentiality, integrity and availability)
Many business operatives are confused by what it takes to manage their data securely and have openly admitted to not knowing what does and doesn’t make the grade. Just try speaking to them about GDPR, and you’ll see a lot of faces glaze over immediately.
However, that list includes the areas your IT department, staff member or service provider will cover, yet there are still areas you can assist with that will add to your overall Cloud security.
The infosec issues that demand your protection
Data breaches, as you’d expect, are the number one priority. To discover your level of threat, you need to understand the value of your data to hackers. What can they gain from access to it, and how would they use it? Losing any business data leads to serious damage. Nobody needs that.
Given this is the most likely area of Cloud security to fail, it’s not surprising that it should be high on the list of areas where you need to protect yourself.
Weak data management and access control
Security breaches caused by inadequate access management are growing. Protecting your business from poor access management means taking better care of credentials, cryptographic keys, passwords, certificates, scalability, authentication and more. Accounts need securing via two-factor authentication, root account use should be limited, and accounts ought to be segregated depending on their level of privilege.
Hijacking and insider threats
Hijacking is more than just access via phishing. There are various ways an unauthorised user can hijack an account, and it’s a rising problem for Cloud stored data users.
An attacker will try and gain access through social engineering practices, but also they’ll utilise issues in the Cloud Service setup itself wherever they can.
If they can access your data through a legitimate account, there’s no end of disruption they can create. If that threat comes from a trusted source, for example, a disgruntled or ex-employee, a business partner or contractor, they can cause just as much damage as someone who’s gained access through a backdoor.
Weak interfaces and associated programs
Interfaces and APIs caused a lot more problems over previous years, which is a sign that the industry is becoming more aware and better protected against the associated issues. However, they’re still creating issues for many users.
One example outlined how Facebook suffered a breach of over 50 million accounts in 2018, through one of its vulnerable API features.
Fragile control planes
Your control plane manages data duplication, migration and storage. The plane becomes weak when there are architectural blind spots and weaknesses in the data flow, and can lead to leakage and corruption.
Tips to help you improve your Cloud security
Here are a few areas we’d advise you to familiarise yourself with, covering essential areas where you can be proactive while leaving the heavy lifting to us—your Managed IT Support specialists!
Create a fully visible infrastructure
As your business grows and the services you offer become increasingly complicated, you’re likely to operate more of your functions online. Given the growth of the hybrid cloud environment, it’s likely to spread over multiple cloud services.
For anyone managing your information, its encryption, the keys for every data group and security policy, it can be too easy to lose of track of what’s where and who’s who.
A clear picture of the full operation is a must for anyone working within your network. The top issue with IT and cybersecurity professionals when dealing with Cloud workloads, was with visibility into infrastructure security.
When dealing with Cloud security, human error rears its head time and time again.
Poor access, phishing, or the area we’re discussing primarily here, misconfiguration—they’re all down to operative errors.
How do you avoid those flaws? With education.
If your team have the skills and tools to know what they’re doing, and the confidence that they’re doing it right, then so many typical issues can be eliminated.
Train them in security hygiene, configuration, access control, where phishing is most likely to occur, the risks of malware and how to block it, and having a policy that includes reporting issues immediately so they can be dealt with ASAP, ideally, before further damage is done.
Ask your Managed Service Provider about their training schedules. They want you and your staff to make their life as easy as possible, so getting you up-to-speed will be high on their agenda.
Implement security at the beginning of the chain
It’s one of our golden rules in life and business, more so than ever in IT security, prevention is always better than cure.
Trying to resolve situations that have occurred down the line, where patches of fixes have been inserted ad-hoc, is scruffy, inefficient and unprofessional. Put those barriers in place at the top of the process, and you shouldn’t have to worry about them further down the line.
Make sure your plan, your Cloud security system design, and your team efforts to protect your data are covered as early as possible.
That way, adopting new processes, software and web-tools will be far easier to implement within your secure network, than it would into a selection of patched together spaces.
Monitoring your systems to remain vigilant, to understand where your data is at all times and how it’s operating, is crucial practice.
You’ll be able to flag up suspicious behaviour, spot malicious infiltration and unauthorised access.
Spotting possible threats early give you the chance to respond before damage is done and to put practices in place to prevent them from happening again.
Due diligence testing is another way of finding the areas of your network that could be infiltrated—and better that you find them than an attacker looking to get their hands all over your data.
If you lose your data, you could be subject to regulatory fines as well as the dip in customer confidence your company will suffer. If the worst were to happen, you should have a managed backup and disaster recovery policy in place, to limit damage and recover your regular business practices as soon as possible.
Regular testing with an appropriate feedback loop will hopefully help you spot weaknesses and deal with them.
You need to be sure that your system is continually evolving with your business needs and practices—and that it’s also growing with the evolution of the Internet.