In nearly every conversation I have with clients about “the cloud” and their business, the No. 1 source of trepidation about further migration to the cloud is security. For many years this concern was truly legitimate, and only in the past few years have we seen dramatic advancements in both security and compliance coverage, in particular from the large public cloud providers (AWS, MSFT, Google). In fact, I would argue that the larger cloud providers now offer more security options than can be achieved with local and regional data centers.
That said, cloud security is still inherently complex, so I thought I would break down some simple steps to leverage the cloud safely and securely.
Implement Multifactor Authentication
In my opinion, multifactor authentication (MFA) is one of the most concrete guards against cloud-based security risks and, where supported by the cloud application provider, should be implemented immediately. While MFA is not a new technology, the simplicity and ubiquity of smartphones have made MFA a seamless extension of the user access protocol. Long gone are the days when a user had to carry a randomizing fob that must be replaced, has battery challenges and requires server-side management to keep it up to date and integrated with the company account management policy. Today, anyone with a smartphone has the MFA client and is basically ready to comply with a fundamentally sound security and cloud access policy.
Ensure Internal Systems Management and Monitoring is Strong
Large cloud providers invest extraordinary resources to protect themselves and their clients from cybercriminals. The reality is that cyberattackers are not going to attack the most hardened resources when they are clearly aware that the easiest path of entry is through the small- to mid-size business. Consequently, it is just as important that you keep a close watch on internal technology systems and controls, as they are most likely the least secure point of entry on your way to the cloud. In addition, many cloud implementations still incorporate private VPNs to allow direct and controlled network access, so the following basic systems management disciplines are critical:
- 100 percent internal device management
- 100 percent patch management (PCs, servers, network devices, etc.)
- Storage management
- Network access control
- Managed security
- SIEM tool
- Web filtering
- DNS filtering
While this may seem like a daunting list of items, chances are you already have some form of these for cloud security, either through a managed services relationship or in an internal tool set you already own. The key is discipline in management and in metrics/reporting, whether from the provider or the internal IT team.
Train End Users
At the end of the day, the human in front of the screen continues to be the weakest link in the entire cybersecurity chain of interaction. We have countless tools to deploy for protection, scanning, filtering, etc., but equipping the day-to-day workforce with an understanding of modern digital threats may just be the best weapon we have in our arsenal. Consider this: The velocity of technological change combined with the evolution of threat vectors simply forces us to train our users to keep a keen eye out for anomalies, particularly when dealing with external or cloud systems. User training is a simple, reasonably cost-effective way to break down modern security risks and educate our workforce on them.
While none of these items are silver bullets for eliminating cloud computing risk, they take large strides in mitigating the risk associated with the cloud. The cloud offers a wealth of benefits and, when delivered and used appropriately, can offer the same or better security protections than a local computing environment. However, there are appropriate safeguards and measures, such as a training regimen, that should be adopted and followed for cloud security to ensure ongoing security compliance with cloud-based delivery of technology.