When talking to small businesses about cloud services, one of the top concerns I hear about is security. This is a valid concern, as your critical business information, files, and processes are run on someone else’s servers.
In Part 1, I reviewed some of the documents that you need to obtain from any prospective cloud service providers. This time I'm going to provide some practical advice.
You do not have to look hard to find examples of security breaches of cloud providers. The real question is, what is the extent of breach and what can you do to protect yourself?
For the most part, reluctance to use cloud services comes down to:
- Lack of control that you have over the physical and logical devices hosting your information
- Lack of trust in the provider.
However, in a great majority of cases, you are often more secure using a cloud provider than attempting to run a service on a server in your network and opening firewall ports so that your employees can access data from anywhere. Even assuming that you properly open only the ports required for the service(s), each of those open ports is a potential liability.
Each one will be picked up within seconds of being opened and subjected to a constant bombardment of probes and exploits. Unless you put the proper packet inspection, firewalling and log review processes in place, you might as well be posting a sign that says "Hack me!".
Vivek Kundra, the federal government CIO, recently said that cloud security issues are exaggerated because it preserves the status quo. In some ways, this is true. But I believe that many small businesses simply lack the information and best practices to make themselves more secure in the cloud. Let's look at what those might be.
What Are Cloud Security Breaches?
I'm sure most people think of cloud security breaches as an army of hackers in some other country constantly trying to log in to your services and get access to your information, profile, and credit card details. This is certainly true, and often the attacks are coming from other cloud providers.
But an easy target for these hackers are small business networks that lack sophisticated firewalls, IP blocking, deep packet inspection, and the ability to prevent distributed denial of service (DDos) attacks. This is an area where cloud providers have the economies of scale to secure data and networks that serve hundreds to thousands of customers.
Most cloud security breaches that I have heard about come from a lack of physical security. A visitor or vendor has access to building areas they shouldn’t, they are able to connect to networks where they should not have permission, and they perform some seemingly innocent behavior that creates a security risk. A recent GoGrid breach is an example of this.
When you move your data to the cloud, most of the physical security problem is transferred to the cloud provider. Once again, those companies have the economies of scale and incentive to put proper physical security in place. But note that the physical security issue is not completely transferred to the cloud provider. You still must ensure that networks and systems are accessed by only proper personnel and that passwords and / or security tokens are not secured.
What to Expect from your Cloud Provider
If you are using a cloud server provider that is offering you hosted virtualized servers, you should verify they are SAS 70 Type II Certified. This is a set of auditing standards and tests to ensure the appropriate policies, risk assessment, and controls are in place to secure your data. Cloud providers that are SAS 70 Type II Certified can provide you with a report that details the processes and tests performed. Here is a sample report cover letter from an auditor on SoftLayer, a cloud service provider.
Your cloud provider should have an up to date secure sockets layer (SSL) certificate for the pages where you are entering sensitive data. If you don’t have an SSL connection, anyone that is in between your computer or device and the cloud provider could potentially have access to information that is entered. Other options exist to help secure your information, such as a virtual private network (VPN) connection.
There are three simple steps to determining if you have a SSL connection:
- You see HTTPS instead of HTTP in the address bar of your browser for the web site
- Your browser shows a ‘lock icon’ in the address bar
- You do not see any “security certificate” warnings or errors
Some web sites have expired or improperly implemented SSL certificates, so you may see a security certificate warning on a legitimate site. Proceed with caution when entering payment information on these sites! It is often best to contact the company directly and wait until they resolve their SSL certificate issues before using the site.
For software as a service (SaaS) that is commonly accessed over a web browser, you should expect them to use SSL as much as possible. Some services may not have implemented SSL for their site, which means they don’t consider the service suitable to be used for sensitive business information. So you should not either!
Credit card payments are the standard payment method for cloud services. So the cloud provider accepting credit card information should be PCI compliant. This is a set of standards and a certification process to endure that credit card information is transmitted and stored securely, and that only a certain group of operations users have limited access to this information for very explicit purposes.
Key Steps To Ensure Your Own Security
Your cloud provider is incentivized to provide the best security controls to protect you and your business. However, small businesses should also take these simple steps to reduce risk when using cloud services.
Passwords and authentication
- Use strong passwords and use different passwords for different cloud providers, changing them every few months. This is a great site for checking the strength of your password, and it provides feedback as to what makes a good password: http://www.passwordmeter.com/
- Don’t share your password with anyone, as much as you can help it. If for whatever reason, you need someone to access your system, see if you can create an account for them and restrict their access. If all else fails, and you absolutely must share your password, change it temporarily to a simple password and change it back as soon as they are done. I hate suggesting this as an option, but I know people who insist they must share their password, and this procedure still provides some additional security. Perform at your own risk.
- Where available, try and use two-factor authentication for your most secure data and services. This process uses two mechanisms to login to the service, such as an RSA token or an SMS or call to your cell phone. Financial sites like Etrade have services like this available, but it is not common for most cloud services
- Use a password management tool. LastPass (www.lastpass.com) stores all of yoru passwords on their server and logs you into other sites automatically. While this might not seem secure, the key benefit is that you can have LastPass generate a random password for you that you never need to know. This removes the need for Step 2 above, each site has an extremely unique and random password that only LastPass knows about
Encryption, Data, and Disaster Recovery
- Only enter information in a web form if the site is SSL protected with an up to date certificate. It is easy to click-through and ignore expired certificate warnings, but that could be a sign of a compromised connection or provider. As long as you follow the directions above and don’t see a “security certificate warning”, you can be sure the SSL certificate is up to date
- If you are using a cloud storage or backup provider, encrypt your data where it is stored. It is one thing to have SSL in place for data that is transmitted to the cloud provider, but then what? Is the data stored so anyone can access it? What happens if your service provider removes a hard drive with your data on it and does not properly dispose of it? What about backups of your data?
Most providers have both active and offline backups, so that a spreadsheet containing customer contact details may be stored in multiple places. All of this information can potentially expose you or your customers' sensitive information. By encrypting data that is stored on the provider’s servers, only you have access to decrypt it and make use of it. TrueCrypt is one option.
Another option is to see whether your cloud service provider encrypts your data before upload. Some vendors also offer the option of a private key that only you have.
- Create a policy for you and your company as to how you are going to manage sensitive data and information. These policies are called Data Lifecycle Management (DLM) and Information Lifecycle Management (ILM). Having documented policies in place, and procedures to enforce them, make it easy to determine where you are exposed and help you manage the lifecycle of data by properly archiving or destroying files or records that are no longer of use to your company.
DLM and ILM also facilitate compliance requirements such as Sarbanes Oxley or HIPPA. This is a complex topic, and there is a wealth of information, tools, and providers out there to assist you. You can get started with some simple guidelines for your own, such as archiving customer order details 12 months after they have completed
- Make your own periodic backups and exports of files and records that are stored on cloud providers. In the case of a breach, you can cancel your service, have access to your data, and know exactly what might have been compromised. It also facilitates the switch to another cloud provider if your current provider is not meeting your needs. You can take a backup, encrypt it, and store it on another cloud provider like Amazon S3 or SoftLayer CloudLayer storage. Backups can also be made onto high-capacity removable drives and securely stored offsite.
This is by no means everything that you need to know to secure your data with cloud service providers. But if you take the steps I've described, you'll be well on your way to staying secure in the cloud.
Disclosure - Russell Wurth is Vice President of Product Management at Verecloud, a reseller of cloud services.