Cloud storage services offer options -- such as advanced security configuration, automated encryption and access...
control -- that can strengthen cloud-based data security. The problem is that many organizations fail to implement data security correctly, they don't test their security configuration, or they leave the burden of data security to the cloud provider. But to reduce the probability of a data breach or compromise, organizations must take seriously the need for cloud data security. Best practices for securing an organization's data within a cloud provider's system include levels of data encryption, distributed access control, centralized management and general employee-based actions.
Apply existing best practices
As an organization moves confidential data to the cloud, it's essential to know where the data is stored. Data centers in the United States are more secure because they are regulated and subject to consequences for data exposure. If possible, IT teams should verify that their organization's data is stored in U.S.-based data centers. If they use a data center in a foreign country, they should know the center's location and the applicable country's laws pertaining to access and security.
Data must be encrypted, whether it's in flight or at rest. A best practice is to encrypt data the same way in storage and in transfer. Plan encryption needs by fully mapping out data flows through all applications and the tables that store the resulting data. Think of a data encryption security plan in the terms of T-shirt sizes: small, medium and large. A small plan is basic encryption for stored data. Data may be compromised, but encryption ensures minimal damage. A medium plan means encrypting data in flight and at rest. Securing data during transfer is essential to deflecting breaches. A large plan means advanced security, including encrypting data in storage and during transfer, tracking data usage by attributes and users, and monitoring all changes to the data. Advanced security also means making effective and accurate use of a cloud service provider's security system. Verify the organization's cloud security configuration with third-party security testing to ensure the configuration is effective and to find any gaps that need to be addressed.
Data security remains the same as it's been for many years, but as confidential data moves into cloud systems, basic data security provisions remain effective and relevant. In other words, apply existing best practices to provide the cloud data security the organization needs.
Secure the cloud architecture
Developers, architects and DevOps (development and operations) personnel can take several steps that add data security to the cloud architecture in use. The first step is to use the same distributed access control used on the application and apply it to data when it moves outside the organization's system or over the public Internet.
Next, as a team, centralize the management of data and application deployment and updates so both use the same tools in similar ways and within the same control location. If possible, add federated identity management to verify every user at each interaction point and track usage data. Add the same access control around the data as the application has. In other words, if application access includes security based on role, then add the same role-based security layer to control access to data. Within the application code, consider supporting verification of access to both the application and the data for each request.
To follow another best practice, never specify the data location within the application code. The data location is configured to a location only when deployed, and the location information is accessible only to certain, defined user roles. When dealing with data from multiple customers, the data should be stored separately so customers cannot access each other's data without proper authorization. Work with the organization's cloud provider to verify that customer data is separated, both at rest and while in motion. Consider adding this requirement to the vendor service-level agreement and confirm compliance over time.
Ensure that employee access is secure
Any employee who uses a computer, mobile device or personal computer to access an organization's network must have secure access. It's critical to ensure that devices and access are controlled at the same level, no matter where employees are accessing the network from.
Organizations must be aware of all data contained in documents shared with others. Whether it's from engineering, marketing or finance, all sensitive data is in danger of being exposed unknowingly through cloud-sharing applications that are easy to access and use. Any data that may contain confidential or sensitive information must be secured, and employees at all levels must be aware of usage and security restrictions and have access controlled by role. Users need access only to the data required to perform their job and nothing else. To ensure security remains effective and enforced, data usage at all levels should be tracked and monitored.
Most engineering staff believe that all data is backed up routinely by the IT or DevOps group. However, this is often not the case. Developers need to define explicitly what data must be backed up and set up regular backup. Make sure data is accessible from backup should the organization need to replace or access the data virtually or physically in the event of a system crash or successful hacking event.
Cloud system vendors provide a valuable service and are an asset to business success. However, an organization shouldn't relinquish all control to a cloud provider or let fate take its course. Be aware of security issues and use existing best practices to secure data in the cloud, both in transit and in storage. Know where data is stored and back it up. Monitor internal data access and data sharing, and proactively enforce it with all employees. Data must be kept secure and its usage and state tracked continuously.
How to deal with big data security issues in the cloud
Limit cloud data leaks with these strategies
Data in the cloud: Is it safe?