12 Best Practices to Maintain Cloud Security

Where there are many elements of an effective cloud security strategy, they tend to fall into three main categories:

1. Safeguarding the data itself
2. Managing the behavior of users
3. The ongoing monitoring and awareness of the wider cloud environment.

Securing your data

Information is the most precious asset any business possesses, and the threat of data breaches often comes at the top of many enterprises' overall risk assessments. Insights for Professionals' cloud security report shows one in three businesses have experienced a cloud data breach in the past year. Therefore, safeguarding this should be a top priority for any firm operating in the cloud.

1. Identify your most sensitive data

An essential part of cloud security is identifying your most sensitive and mission-critical data. Not all data will need the highest levels of protection, so organizing your assets into tiers and applying differing policies to different tiers helps streamline processes, and can also identify data which shouldn’t be migrated to the cloud at all.

2. Ensure you encrypt your data

Full end-to-end encryption, in addition to the protections put in place by your provider for data when it’s at rest on cloud servers, ensures data remains protected when it’s being transferred, regardless of the network used and the end device. Putting your own encryption solutions in place ensures you aren't left relying solely on what the CSP has to offer.

Learn more: Cloud Tokenization vs. Cloud Encryption: What's the Difference?

3. Have a clear deletion policy

As well as ensuring you remain compliant with regulations such as GDPR, having a deletion policy in place protects you should you ever migrate data away from your current cloud provider. Knowing how your CSP handles data - such as any duplications and backups it creates for ease of use and security - helps ensure you aren't retaining unnecessary data.

4. Manage your sharing settings

Increasingly, data isn't just being stored and viewed on cloud services, but also shared. In McAfee’s 2019 Cloud Adoption and Risk Report the sharing of sensitive cloud data increased by 50% compared with the previous year. To prevent this, ensure only those with a genuine need to share and edit documents are able to do so, and restrict how this can take place.

Managing your employees

Human error is a leading cause of data breaches, with one estimate suggesting as many as two-thirds of incidents can be traced back to the actions of employees - whether inadvertently or maliciously. This means keeping a close eye on your workforce is vital in maintaining cloud security.

5. Crack down on shadow IT

The use of unauthorized cloud services, such as consumer file-sharing tools like Dropbox, can be a big risk if IT doesn't have visibility into it, or hasn't approved them for their security. It's essential there are easy-to-use approved tools in place that people can use easily for any of their key workplace activities, to prevent them from having an excuse to operate outside the IT department's oversight.

6. Tighten your verification

Access control is only as good as the verification processes you use to access it. As well as promoting the use of strong passwords, requiring two-factor authentication from your users is essential, while you should also have various levels of user permissions that ensure people can’t access data or make changes they’re not supposed to.

7. Secure your endpoints

Endpoint security can be another weak link for cloud security, especially if users are connected via personally-owned mobile devices through unsecured Wi-Fi networks. Consider creating a whitelist of approved devices or IP addresses to restrict access, as well as using mobile device management (MDM) tools to protect items such as BYOD devices.

8. Train your workforce on security

To protect cloud data, effective user training is vital. For example, all the good security work in the world can be undone if an employee carelessly exposes their login credentials due to a phishing attempt, or reuses a password that has already been compromised on another platform. Be sure your users are all trained in how to avoid data breaches when using cloud services and test them on their knowledge frequently to make sure they aren't slipping back into bad habits.

Understanding your cloud environment

Having a comprehensive insight into your cloud environment covers a range of factors, including having a full understanding of your provider's shared responsibility policy, monitoring your operations to spot any suspicious activities, and ensuring your technologies are correctly set up and updated regularly.

9. Study your SLA closely

The service level agreement (SLA) between you and your CSP will spell out exactly what responsibilities they’ll take on and which are left up to you. It should also detail exactly what will happen if anything goes wrong, what backups and compensation is available, and what will happen should you terminate the service.

10. Monitor your cloud resources closely

Making use of monitoring tools that keep a full record of what’s going on in your cloud environment, including who’s accessing what data at what time, and from which device, ensures you have a full audit trail of what's gone on, and can also allow you to more proactively identify unusual activity and block potential data breaches before they have a chance to do damage.

11. Have a schedule to audit your solutions

Running frequent audits of your cloud services allows you to spot any errors and vulnerabilities that could compromise your security. McAfee claims the average company using IaaS tools has at least 14 misconfigured instances running at any given time, resulting in an average of nearly 2,300 misconfiguration incidents per month. Putting in place a robust system to review your cloud environment can help spot and correct these before it's too late.

12. Test your defenses

The best way to find out if all these efforts are successful is to test them on a regular basis. Running penetration tests can quickly identify where any gaps may exist and allow you to close the hole before it gets discovered by a real threat. If you don't have the resources or expertise to do this in-house, there are many security providers who can do it for you, but it's best to check with your CSP beforehand to determine if you need prior approval to run such activities, and ensure you're abiding by the terms of their acceptable use policy.

Further reading:

• 5 Cloud Security Gaps Keeping CIOs Up at Night
• The 11 Most Important Questions to Ask Any Cloud Vendor
• What is a Cloud Access Security Broker and How Does it Protect Your Data?
• CSPM 101: How Does Cloud Security Posture Management Work?