As more organizations move their data to cloud-based platforms, best practices for protecting sensitive assets continuously evolve. One of the biggest stumbling blocks IT professionals face with cloud security is purely conceptual—fail to understand the cloud and you will fail to understand the threats your assets face.
Let’s explore four ideas about the cloud that have clear security implications, both good and bad…
Emulate the biggest cloud user
The single biggest user of cloud storage—and thus the biggest stakeholder in keeping it secure—is the US federal government. More than 50% of government organizations now store their data and applications on a cloud-based platform and almost US $2 billion is spent each year keeping these cloud services functional and secure.
So what does this mean for you? It means that, of all places, the US government may be one of the most worthwhile organizations to emulate when it comes to best practices for data security in the cloud. In fact, the White House’s cloud-computing strategyprovides an excellent template for safely migrating sensitive data.
20% of data center devices are obsolete
Growing demand for cloud services has led to a virtual epidemic of providers upgrading their infrastructure in a haphazard, inefficient manner. In fact, data from the Uptime Institute indicates that one-fifth of all cloud servers are “obsolete, outdated or unused.”This widespread inefficiency represents a serious hidden security risk—many cloud users have had their sensitive data unknowingly exposed through systems that are improperly monitored, security resources that are stretched too thin, or improper offloading of old drives, servers and other hardware.
In this case, being vigilant about whom you work with is the best way to stay safe. Compliance with SSAE 16 or ISO 27001 usually indicates that a data center is prepared to meet the challenges associated with growth.
Data encryption does not equal privacy
Data encryption is a major selling point of many cloud services, and most of us have been brought up to believe that encrypted data is inherently safe. That changes in the cloud, however. If your encryption keys are being held by your provider, are your assets really secure? Whether it is a malicious insider or a government operative working under the auspices of the US PATRIOT Act, encryption keys are surprisingly accessible by third parties.
Instead, practice two-factor encryption of sensitive data—encrypt it before sending it to the cloud to make sure it cannot be accessed by an outsider.
The biggest threats may be from within
According to research conducted in February 2012 by IBM and the Ponemon Institute, the single biggest threat to sensitive data is user error. More than viruses, data breaches or insecure application programming interfaces, your own employees pose the biggest threat to the security of your cloud-stored data. Simple mistakes like improper password storage or forgetting to log off a shared workstation jeopardize countless assets every day.
For many organizations, the best investment that can be made in cloud-data security is training. Team members who have to access important data need to know proper safety techniques and these techniques should be implemented and enforced on a day-to-day basis.
Director of Technical Account Management—BlackStratus