I can barely remember the last time I installed a
physical server at a company. These days, most companies have switched the
majority of their services and information over to cloud services. There are
many reasons for this, ranging from cost to practicalities — like trying
to avoid buying hardware that will later become obsolete or lose its value,
avoiding the costs of maintenance and energy, or simplifying the work of the IT
department. Another advantage, from the perspective of smaller businesses, is the
ability to add a server or a specific service at the touch of a button.
While this – now not so new – solution has made
things much simpler for small and large companies alike, it has also led to new
discussions and considerations about security.
If you have migrated your services and information
to the cloud, or are thinking of doing so, here are a few considerations to
keep in mind that could help you avoid a bad experience.
1. Know your service provider
With so many cloud computing services on the market
these days, the first step is deciding who to entrust with your company’s
information and systems.
To make this decision, it isn’t enough merely to
consider which services and platforms the various providers offer; rather, it
is also important to take into account their reputation and to carefully
read the terms of their contract. Is the company responsible with the
information it handles? What security measures do they apply? Do they have
security certifications? Have they had any incidents? If so, how did they
handle them?
A more prestigious company’s services may be more
expensive than those of a smaller, lesser-known company. However, we need to be
aware that the maintenance tasks involved in keeping an infrastructure secure
require time and energy, and this often translates into a higher cost for the
customer. Remember, when it comes to security, what appears to be cheap can
turn out to be very costly.
2. Understand your business and your needs
We have applied this tip to countless
circumstances: designing a security policy, certifying against a
standard, planning backup models, and implementing new technologies.
The point is, before you make any important decision, you always have to think
about how it will affect your business, and consider what your company’s
goals are.
If you need a fast connection without lag or
latency between your office and the cloud services, you could be in for some
disappointment. Perhaps the ability to store files in the cloud and access them
from anywhere is a tempting solution, but if we are talking about database
queries, the response time could have an impact on your business.
If you deal with large volumes of information in
real time, it may be worth considering an optimization option before
taking those services to the cloud.
3. Encrypt your information
Encrypt data stored in the cloud as well as data in
transit; basically, encrypt everything that can be encrypted! While this may
require extra effort and increase the complexity of operations, what is certain
is that doing so adds an additional layer of security to all your confidential
information.
Remember that if you decide to contract services in
the cloud and store your data there, you will also be delegating, to a large
extent, the protection of this information. As secure and reliable as a
provider might be, it is not a good idea to be completely dependent on one, and
it is never excessive to encrypt critical data so that, in the event of a
security breach, the data is not exposed.
4. Control access to the cloud
Although your data and applications may no longer
be located physically within your organization, it does not mean you can simply
wash your hands of all management tasks. Your service provider may supply you
with an array of security controls, and keep the infrastructure protected, but
if you leave the door open, it will all be in vain.
Restrict access to the information, just as you would if
it were located within your organization. Segregate functions and restrict user
connections. In fact, it is highly recommended to use extra protection measures
like two-factor authentication when starting a session on a
cloud-based platform.
5. Back up your information
Today, backups are one of the most basic and
fundamental protective measures in any security system. While this service
tends to be included in the contract and forms part of the tasks performed by
the provider, we must remember that it is not only a matter of safeguarding the
information, but also of being able to recover it.
For this reason, it is recommended that you
regularly restore the backed-up information. This way, not only will you be
able to check that the provider is fulfilling this aspect of the contract, but
also that the information will be complete and available when you need it.
6. Read the terms and conditions of service carefully
Pay special attention to the sections that talk
about the handling of information, and about privacy and
liability with regard to the information you store on the cloud. You would
not be the first to come across phrases like: “You give us the right to access,
retain, use, and divulge information from your account and your files for the
purpose of providing you with support and resolving technical problems” or “We
do not guarantee that your files will not be subject to misappropriation, loss
or damage, and we will not be held liable if this should happen.”
Also check the response times and SLA
(Service Level Agreement) promised by the provider and ensure that they are
within the time frames and commitments you have with your customers. Avoid
having these surprises crop up when an incident occurs, or when you make a
complaint.
7. Remember: The cloud can get infected too
It is a common mistake to think that malware cannot
affect equipment in the cloud. In fact, we have seen a number of variants of
the Crisis malware, which infects equipment running VMware
systems. Just as there is malicious code out there that is designed for
attacking virtualization platforms, like Venom, we also need to
take into account the known threats that continue to spread through operating
systems.
Having your infrastructure in the cloud does not
exempt you from the need to use a good comprehensive security solution
that includes protection for servers and services, as well as for
the hardware which accesses that infrastructure.
Of course, the cloud can offer great
advantages for your company, and the type of services and information you
decide to migrate to this platform will depend on your individual
business. Whatever your circumstances may be, don’t forget these
tips to keep your information protected and to make your migration as secure as
possible.