How will you secure The Cloud?
With Cloud adoption on the rise, how will you secure your Cloud-bound data? And, whose responsibility is your data security--the provider's, yours or a combination? In my opinion, the provider has the ultimate responsibility for network, system and physical security but you have the responsibility for password maintenance, application integrity and data access security. It's common for customers to blame providers and for providers to blame customers in a compromise situation. No one wants to admit a missed patch or a programming flaw that allowed a hacker to break in and steal data. How will you handle security and your responsibility?
Security is a major pain point for providers and would be converts to the technology. The FUD associated with Cloud runs rampant--especially among the ill-informed. The question is, "Is The Cloud less secure by default than other technologies because of its scale?"
The answer is "No, it isn't."
The sheer scale of cloud computing does provide a larger attack surface but it doesn't necessarily mean that it's an easier target. There are five things that you can do to prevent compromises and a single caveat.
Selecting a Provider
Your first step in maintaining security is to carefully and thoughtfully select your provider. You should spend time interviewing a technical representative from your down-selected provider list. Ask about physical, network and system security. Ask about patch cycles. Ask about firmware updates. And, find out what measures your provider takes in maintaining security vigilance and mitigation. You should also ask what type of insurance they have in case of a compromise.
Listen to the answers and be sure that you understand exactly what the provider's responsibilities are. And, find out if the provider carries any regulatory compliance certifications or compliance levels (HIPAA, SOX, PCI).
Tip: The provider should be sympathetic with your requests and open with information and data concerning security. If they aren't, take your business elsewhere.
Secure Programming
"Your application isn't secure." If your provider finds no evidence of a network or system compromise, you'll probably hear this as the reason for your information theft or hack. Perhaps the compromise most often blamed for data loss is SQL Injection. Hackers count on lazy programming so that they can send a malformed string to your database for processing. If this happens, you could lose data or provide the hacker with a list of usernames, passwords, credit card account numbers or the entire contents of a table or database.
Application security is your responsibility. If a hacker steals data from your database via SQL injection, you have no one to blame but yourself (your programmers). Select your programmers carefully and remember that you often get what you pay for and programming is no exception. Choosing the cheap labor option is not what's best for your customers or the longevity of your company.
Tip: Have a third party perform a penetration (pen) test on your applications before you deploy them and then again after each update.
Secure Connectivity
This point shouldn't be taken lightly by you or your provider. Require that anyone who connects to your Cloud-based systems or data has to do so via a secure connection. A secure connection is an absolute necessity to prevent man-in-the-middle attacks or "wire sniffing" techniques employed by hackers to grab your info as it travels to and from those remote Cloud systems. Use a VPN connection and secure protocols (SSH, SFTP, HTTPS) to transmit any data between you and your systems. And, provide your customers with an authentic and updated certificate and HTTPS for web transactions.
You can't trust that every customer will have an updated, virus-free, spyware-free system, so you have to do as much as you can to prevent their data from leaking out through a non-secure connection.
Tip: Purchase certificates from a legitimate SSL Certificate Authority (Thawte, Network Solutions, Verisign, GoDaddy, etc.).
Physical Security
This point has shared responsibility between you and your provider. They have the responsibility for maintaining physical security at the data centers that they use and you have the responsibility for the physical security of your office, your home, your car, your backpack and your computer. You expect that the provider will ensure physical security. The provider makes no such request of you, although maybe he should, since many compromises originate from a lost or stolen device.
System locks, disk encryption, short idle-to-lock times and personal vigilance are key to preventing theft and data loss from mobile systems. Hard drives, flash drives and SIM cards should all be wiped or destroyed prior to disposal.
Tip: Training and periodic reminders are significant factors in preventing loss through negligence, carelessness or device theft.
Passwords
Passwords: The bane of our modern existence. No one likes to choose a difficult-to-type password, when it's much easier to use a kid's name, a pet's name, a phone number or a simple dictionary word that takes a hacker less than one minute to guess. We have too many passwords. We can't use the same one for multiple sites or accounts. And, now you can't even use ones that were OK to use just a couple of years ago.
The solution is to convert users to a two-factor authentication key so that the user only has to remember a single password for everything. The single password changes often (monthly or more frequently) but the associated key changes constantly.
Tip: Before a switch to better technology, the best advice for companies is to setup a password policy that requires users to adhere to a strict password maintenance program that includes length, complexity and lifetime.
The Caveat
Now, the fun part. No matter what you do, there are going to be compromises. You have to learn to accept a certain amount of risk. Operating systems are vulnerable. People are vulnerable. And, there's no perfect system. Full-blown compromises are rare but close calls are common.
Some people assume that data is safer in their own data centers or server rooms but they're wrong. Your data, when exposed to the Internet, is vulnerable. Even if you do everything correctly, you're still only about 80% protected. The leftover 20% is the part you have to worry about. Vigilance is your best deterrent for the remaining 20%. Unfortunately, that's the most expensive 20% to protect. That's the 20% that hackers target.
New exploits, undocumented vulnerabilities and unhappy accidents comprise that 20%. You have to accept it.
The Cloud, contrary to popular folklore, isn't less secure than any other technology. People are sensitive to security issues. Your house isn't 100% secure. Your car isn't 100% secure. And, your data isn't 100% secure, no matter where it is. It never will be. It's unfortunate but true.
But, like most people, hackers aim for the low-hanging fruit. Do everything you can to keep that vulnerability sweet spot as far out of reach as possible by adhering to the five simple measures that I've given you. If you do, then you can feel secure and put your faith in The Cloud.
How will you secure the Cloud? Talk back and let me know.