Security in the Cloud
In nearly every conversation I have with clients about “the cloud” and their business, the No. 1 source of trepidation about further migration to the cloud is security. For many years this concern was truly legitimate, and it has only been in the past few years that we have seen dramatic advancements in both security and compliance coverage, in particular for the large public cloud providers (AWS, MSFT, Google). In fact, I would argue that the larger cloud providers today offer more security options than can even be achieved with local and regional data centers.
That said, cloud security is still inherently complex, so I thought I would break down some simple steps to leverage the cloud safely and securely.
Implement Multifactor Authentication
In my opinion, multifactor authentication (MFA) is one of the most concrete guards against cloud-based security risks and, where supported by the cloud application provider, should be implemented immediately. While MFA is not a new technology, the simplicity and ubiquity of smartphones have made MFA a seamless extension of the user access protocol. Long gone are the days when a user had to carry a randomizing fob that must be replaced, has battery challenges and requires server-side management to keep it up to date and integrated with the company account management policy. Today, anyone with a smartphone has the MFA client and is basically ready to comply with a fundamentally sound security and cloud access policy.
Ensure Internal Systems Management and Monitoring is Strong
Large cloud providers invest extraordinary resources to protect themselves and their clients from cybercriminals. The reality is that cyberattackers are not going to attack the most hardened resources when they are clearly aware that the easiest path of entry is through the small- to mid-size business. Consequently, it is just as important that you keep a close watch on internal technology systems and controls, as they are most likely the least secure point of entry on your way to the cloud. In addition, many cloud implementations still incorporate private VPNs to allow direct and controlled network access, so the following basic systems management disciplines are critical:
- 100 percent internal device management
- 100 percent patch management (PCs, servers, network devices, etc.)
- Storage management
- Network access control
- Managed security
- SIEM tool
- Web filtering
- DNS filtering
While this may seem like a daunting list of items, chances are you already have some form of these for cloud security, either in a managed services relationship or in an internal tool set you already own. The key is discipline in management and in metrics/reporting, whether by the provider or by the internal IT team.