Safeguarding data cloud
By the end of this year, having a 'no cloud' policy will make as much sense as having a 'no internet' policy, according to a recent report by industry analyst Gartner. But what steps do organisations need to take to keep their data safe once it's in the cloud.
Since the advent of the pandemic, Twitter has moved to remote working forever, and Slack is evaluating doing the same. Many other organisations, large and small, are weighing up the pros and cons of making similar choices. And as remote and home working become increasingly commonplace, cloud platforms are coming into their own.
Cloud platforms are scalable, they allow organisations to reduce their own data centre footprints (and all the associated overheads), and they help to make data and applications easily accessible from multiple locations and devices. In fact, the cloud is becoming such an intrinsic part of everyday life, a Cisco 2020 CISO Report estimated that cloud data centres will process 94% of workloads in 2021.
Although many of the original barriers to cloud adoption have been overcome, cloud security remains an area that needs careful consideration — alongside other aspects, such as the pricing and usage structure. Not all clouds are the same, so you need to understand the environment you plan to move to and the partner you'll be working with. In a tier 3 or tier 4 data centre, for example, security and redundancy features will be more advanced than in a tier 1 data centre.
So whether an organisation is new to the cloud, or has a well developed cloud maturity roadmap, it's worth reviewing current best practices around security when making decisions about cloud migration and use.
Vendor/user demarcation. It's important to understand who's accountable for what when it comes to securing the cloud platform, so ensure roles and responsibilities are clearly defined. Check that your IT team has the skills they need to play their part, and address any areas of weakness with appropriate training. Verify, too, that your cloud provider has the right skill set, relevant certifications, and experience of your industry's compliance requirements. You should also make sure there's a defined and documented support and escalation path to follow, should any issues arise.
Data encryption. Ask whether your cloud provider uses encryption to secure data at rest and in transit.
Access control. As for any environment, you need to establish and control who has access to what. Best practice is to develop access control polices according to aspects like job function and business need. You'll also want to be able to track who's accessing what resources, so check whether your cloud provider can deliver the reporting you need to support this.
Security monitoring. Ransomware and phishing attacks are at an all-time high, and remote users are at particular risk as bad actors regard them as softer targets. To protect against these and other attacks, you'll want to be sure that security technology like virtual firewalls, endpoint protection and security incident and event management (SIEM) are in place; and that server patching is carried out promptly. For additional protection, consider round-the-clock monitoring of your cloud environment, ideally provided by a specialist partner.
Employee training. No matter what security tech you implement, people remain the weakest link. Ensure your people receive regular security awareness training so that they understand the risks and how to avoid them.
