For all the benefits cloud services offer, they also create a new set of security concerns. While you no longer have to personally secure server racks, handling data in the cloud doesn’t mean you no longer have to worry about protecting it.
In this article, we’ll dig into some key tips on how businesses can maintain security on the cloud.
Implement a Strong Password Policy
The proliferation of cloud services has made passwords more critical than ever. Even if you keep your data on the cloud, a set of stolen credentials can give an attacker broad access to sensitive data and assets.
A strong password policy means more than just requiring employees to use complex passwords. With multi-factor authentication in place, for instance, a stolen password is no longer enough for an attacker to break in.
Andreas Grant, network security engineer and founder of Networks Hardware, encourages businesses to use single sign-on (SSO) authentication as well:
A great way to reduce human error would be to assign single sign-on (SSO) authentication. Requiring people to update their passwords regularly is a risk we shouldn’t take. Our cybersecurity hygiene is questionable and I am not immune to it either.
Control Access to Sensitive Data
Cloud security doesn’t stop once a user has been authenticated. From there, robust access controls should limit how users can interact with resources on a system, with particular care taken to limit access to sensitive data and assets.
As Andrew Dale, Technical Director at Cloud24, describes:
Make sure you have the right permissions to keep important company data safe. Some files and programs shouldn’t be shared with the whole staff. Access controls are necessary to protect sensitive company information from theft or tampering. If employees don’t have distinct levels of access, a hacker that successfully phishes any low-level employee will effectively gain full access to the entire network.
Many organizations go a step further and implement a zero-trust security framework. Per Jimmy Chang, Chief Product Officer at Workspot:
Zero-trust means trusting no one (either inside or outside the organization), including the vendor running your virtual desktops. One key aspect is conditional access – a set of guardrails that require a user to prove their identity before giving access to company data. What is the user’s role? What do they need to accomplish? Where are they located? What device are they using? What network are they on?
Once this context is achieved, IT can set and enforce policies around what actions the user can take – Should they be allowed to print or take a screenshot? Should they have access at all? These conditional access guardrails will mitigate the risk of an insider security breach, whether malicious or accidental.
For more information, see our complete guide to access controls.
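The conditional access questions above (role, location, device, network) can be expressed as a deny-by-default policy check. This is an added example, not code from the article or any vendor; the role names, country codes, network labels and actions are assumptions made up for illustration.

```python
from dataclasses import dataclass

# All role names, country codes, network labels and actions below are
# constructed for this example; they are not from any vendor's product.
@dataclass(frozen=True)
class Context:
    role: str             # what is the user's role?
    country: str          # where are they located?
    device_managed: bool  # what device are they using?
    network: str          # what network are they on? ("corp", "vpn", "public")
    mfa_passed: bool      # has the user proved their identity?

ROLE_ACTIONS = {
    "finance": {"view", "print"},
    "engineer": {"view", "screenshot"},
    "contractor": {"view"},
}
ALLOWED_COUNTRIES = {"US", "CA"}
TRUSTED_NETWORKS = {"corp", "vpn"}

def allowed_actions(ctx: Context) -> set[str]:
    """Return the actions permitted for this session; empty set means no access."""
    # Deny by default: unproven identity, unknown role or unexpected location.
    if not ctx.mfa_passed or ctx.role not in ROLE_ACTIONS:
        return set()
    if ctx.country not in ALLOWED_COUNTRIES:
        return set()
    actions = set(ROLE_ACTIONS[ctx.role])
    # Printing and screenshots move data off the platform, so they require
    # both a managed device and a trusted network; otherwise view only.
    if not ctx.device_managed or ctx.network not in TRUSTED_NETWORKS:
        actions &= {"view"}
    return actions

def is_allowed(ctx: Context, action: str) -> bool:
    """Answer a single 'may this user do X right now?' question."""
    return action in allowed_actions(ctx)
```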
Train Employees to Spot Phishing Attempts & Other Attacks
Many of the most common attacks, such as phishing, rely on social engineering to exploit human error. To that end, one of the best things an organization can do to combat cyberattacks is to implement continuous phishing awareness training.
As Tim Parker, Director of Marketing at Syntax Integration, puts it:
It’s possible that your own staff poses the largest indirect threat to the safety of your cloud storage. With regular, in-depth training, however, your staff will be able to recognize phishing attempts and avoid them. Continuous anti-phishing training is recommended for maximum effectiveness. Effective training is not a one-and-done deal, but rather a series of repeated, steady efforts over time.
Maintain a Strict Offboarding Procedure
One of the last things a business wants is a disgruntled former employee running amok with their full access privileges still intact. For that reason, you should have a clear offboarding procedure in place – and follow it to the letter, immediately upon termination.
As Andrew Dale describes:
Any permissions to use data systems, including cloud services, must be revoked. Former workers will have no responsibility if they sell your sensitive information to the incorrect parties after they leave your company. Therefore, it is imperative that you have a thorough off-boarding procedure that blocks former employees’ access to the cloud.
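One way to verify that offboarding was actually followed is to compare the HR termination list against access that still exists in each cloud service. This is an added example, not from the article; the usernames, service names and field names are constructed sample data.

```python
from datetime import datetime, timezone

# Constructed sample data: an HR termination feed and an export of access
# that is still active in cloud services. All names are hypothetical.
TERMINATIONS = {
    "jdoe": datetime(2024, 3, 1, 17, 0, tzinfo=timezone.utc),
    "asmith": datetime(2024, 3, 4, 9, 30, tzinfo=timezone.utc),
}
ACTIVE_ACCESS = [
    {"user": "jdoe", "service": "storage", "kind": "account",
     "last_used": "2024-03-02T08:15:00+00:00"},
    {"user": "jdoe", "service": "crm", "kind": "api_key",
     "last_used": "2024-02-20T11:00:00+00:00"},
    {"user": "asmith", "service": "storage", "kind": "session",
     "last_used": "2024-03-04T09:00:00+00:00"},
    {"user": "mlee", "service": "storage", "kind": "account",
     "last_used": "2024-03-05T10:00:00+00:00"},
]

def offboarding_gaps(terminations, active_access):
    """List access that still exists for terminated users.

    A finding is marked used_after_termination when the credential was
    exercised after the termination time; that case needs investigation,
    not only revocation.
    """
    findings = []
    for entry in active_access:
        terminated_at = terminations.get(entry["user"])
        if terminated_at is None:
            continue  # still employed, nothing to report
        last_used = datetime.fromisoformat(entry["last_used"])
        findings.append({
            "user": entry["user"],
            "service": entry["service"],
            "kind": entry["kind"],
            "used_after_termination": last_used > terminated_at,
        })
    # Post-termination use sorts first so it is triaged first.
    findings.sort(key=lambda f: (not f["used_after_termination"],
                                 f["user"], f["service"]))
    return findings
```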
Keep an Eye On Your Network
An IT team that cannot adequately monitor their network cannot be expected to adequately protect it from threats. Many businesses use SIEM (security information and event management) systems to watch out for threats.
Jimmy Chang offers a picture of how cloud services can fit into these existing systems:
If an organization is considering cloud native, SaaS applications, like cloud desktops, understand the capabilities that each vendor can provide relative to not only desktop performance and availability, but additional data that can sync with SIEM systems, such as log-on attempts, user locations, and other security events. Ensure that your IT team has complete, real-time visibility into your IT landscape.
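The log-on attempts and user locations mentioned above are the kind of data a SIEM rule works on. This added example (not from the article or any vendor) runs two simple detection rules over constructed sample events; the log format, usernames and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a made-up "time user result country" format;
# a real vendor export will look different.
SAMPLE_LOG = """\
2024-05-01T08:00:00 alice success US
2024-05-01T08:05:00 bob failure US
2024-05-01T08:05:20 bob failure US
2024-05-01T08:05:40 bob failure US
2024-05-01T08:06:00 bob success US
2024-05-01T09:00:00 alice success BR
2024-05-02T09:00:00 carol success DE
"""

def parse(log):
    """Yield (time, user, result, country) for each event line."""
    for line in log.splitlines():
        ts, user, result, country = line.split()
        yield datetime.fromisoformat(ts), user, result, country

def detect(log, max_failures=3, window=timedelta(minutes=5),
           travel_window=timedelta(hours=4)):
    """Return (rule, user, time) alerts for two log-on rules."""
    alerts = []
    failures = defaultdict(list)   # user -> failure times since last success
    last_success = {}              # user -> (time, country)
    for ts, user, result, country in parse(log):
        if result == "failure":
            failures[user].append(ts)
            continue
        # Rule 1: a success that directly follows a burst of failures.
        recent = [t for t in failures[user] if ts - t <= window]
        if len(recent) >= max_failures:
            alerts.append(("success_after_failures", user, ts))
        failures[user].clear()
        # Rule 2: successful log-ons from two countries too close in time.
        prev = last_success.get(user)
        if prev and prev[1] != country and ts - prev[0] <= travel_window:
            alerts.append(("location_change", user, ts))
        last_success[user] = (ts, country)
    return alerts
```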