Cloud security: Five things you need to get right

The popularity of cloud applications and software has risen significantly in recent years. But while using cloud services can be beneficial for businesses and employees, it also carries new cybersecurity risks.

Special Feature

Securing the Cloud

Cloud computing is now a business essential, but keeping your data and applications secure is vital. Find out more about cloud security in this ZDNet special report.

Read now

The ability to log in from anywhere using cloud applications is convenient for employees, but it's also a potential new opportunity for cyber criminals, who, with a set of stolen passwords, could gain access to sensitive information. There's even the prospect of hackers abusing cloud services to launch ransomware attacks and other malware campaigns. 

But there are steps that can be taken -- and mistakes that must be avoided -- to ensure your organisation's cloud security strategy both delivers a productivity boost and keeps users and the network safe from cyberattacks and incidents.

1. Don't leave cloud accounts exposed and without security controls

Cloud applications and services allow users to access files and data from anywhere -- something that makes them a prime target for cyber criminals. Remembering passwords can be difficult, which is why many users use simple, common or re-used passwords.

While this approach reduces the chances of users being locked out of their accounts, it creates an open goal for hackers – particularly if breaching an email address or another corporate application that's part of the cloud suite provides intruders with an opportunity to escalate their privileges and gain additional control over systems.

ZDNET SPECIAL FEATURE: SECURING THE CLOUD

• Cloud computing dominates. But security is now the biggest challenge
• Cloud computing security: Where it is, where it's going
• Don't let your cloud cybersecurity choices leave the door open for hackers
• Why cloud security matters and why you can't ignore it

In many cases, businesses don't realise that a cloud account has been abused by cyber criminals until it's too late and data has been stolen or ransomware has hit the network.

It's vital that any cloud accounts are secured properly, using a complex, unique password and that they are also equipped with multi-factor authentication, so even if the password is breached, leaked or guessed, there's an additional barrier that helps to prevent the account being taken over and abused.

Organisations should also consider providing staff with password manager software, so users don't need to remember passwords, leaving them free to create longer, more complex passwords that are less likely to be breached.

2. Don't give every user the keys to the kingdom

Cloud applications and services are convenient, providing users with a variety of tools they need to be productive, all in one place. But different users have different needs and most users don't need high-level privileges – particularly when that access could easily be abused by an unauthorized user who has hacked or otherwise taken control of an account with admin rights.  

It is, therefore, imperative for IT and information security teams to ensure that administrator privileges are only available for those who really need them – and that any account with administrator privileges is properly secured, so attackers are unable to gain access and abuse high-level accounts -- to create additional accounts they could use to secretly go about their business, for example. It's also important that regular users don't have the power to escalate their own privileges or create new accounts. 

3. Don't leave cloud applications unmonitored – and know who is using them

Companies use a wide variety of cloud-computing services, but the more applications that are being used, the more difficult it is to keep track of them. And that could provide a gateway for malicious users to enter the network undetected. 

SEE: What is ransomware? Everything you need to know about one of the biggest menaces on the web

It's vital that IT departments have the necessary tools to keep track of what cloud services are being used – and who has access to them. Enterprise cloud services should only be available to users who are working for the organisation. If someone leaves the company, the access should be removed. 

It's also important to ensure that cloud applications aren't misconfigured in a way that means they're open to anyone on the internet. This open access could lead to attempts at brute-force attacks, or cyber criminals could attempt to use phished or stolen credentials to access cloud applications.  

In the worst-case scenario, a misconfigured cloud application facing the open internet may not require login details at all, meaning anyone can gain access. It's vital that organisations are aware of how their cloud services interact with the open web and that only those who need these services can access them. 

4. Don't ignore security updates and patches – cloud software needs them, too

One of the most important things you can do to improve the cybersecurity of your network is to apply security updates and patches as soon as possible. Cyber criminals regularly look to exploit known vulnerabilities in applications to breach networks and lay the foundation for cyberattacks. 

Cloud software is no different. Vulnerabilities can be uncovered and they will receive security patches, which need to be applied.

IT departments that run large, cloud-based networks might think that security is taken care of by the cloud service or application provider they use, but that's not always the case – cloud software and applications need patching too, and it's vital that this work is done promptly to ensure the network is resistant to cyber criminals trying to exploit vulnerabilities.

5. Don't rely purely on cloud for storing data – keep offline backups in case of emergency  

One of the key benefits of cloud software is that, in many cases, it's available at the touch of a button – users can access data stored in the cloud, from wherever they are and from whatever device they're using.  

But that doesn't mean that data stored in the cloud is necessarily accessible 100% of the time. Systems can suffer from outages and it's also potentially possible for cyber criminals to tamper with data. 

If the identity controls protecting cloud accounts are breached by cyber criminals, the data could be deleted or held hostage – a common tactic used by ransomware gangs, for example, is to delete backups stored in the cloud. 

No matter how strong your cybersecurity controls are, protecting cloud accounts is particularly important. Data should be backed up and stored offline because, if the worst happens, and data in the cloud is lost or inaccessible, there's the possibility of restoring from backups. 

Not only is it important to regularly save backups – so the restore point is as recent as possible, meaning everything is as close to being up-to-date as it can be – those backups should also be tested regularly. After all, there's no point keeping backups if it turns out that they don't work when they're actually needed.

MORE ON CYBERSECURITY

• Hackers are using tech services companies as a 'launchpad' for attacks on customers
• Cloud computing security: New guidance aims to keep your data safe from cyberattacks and breaches
• Terrible cloud security is leaving the door open for hackers. Here's what you're doing wrong 
  
• These researchers wanted to test cloud security. They were shocked by what they found 
  
• Unsecured servers and cloud services: How remote work has increased the attack surface that hackers can target