According to a study from CDW, 73 percent of small to midsize businesses were using the cloud in some capacity in 2018. The advantages of the cloud, such as low capital expenses, less IT maintenance, scalability and flexibility, align with SMB business priorities, making the cloud a natural fit.
One sticking point for many SMBs involves a lack of understanding about security responsibilities. To be clear, data in the cloud is typically more secure than data in an on-premises IT environment. That’s not the issue. The confusion lies with responsibility.
Organizations often assume cloud providers are responsible for securing the entire cloud environment. While cloud providers are indeed responsible for their own physical infrastructure, your virtual machines, applications and data are your responsibility. In other words, cloud security is a shared responsibility. Cloud providers typically offer security tools and services to their customers, but it’s up to the customer to implement and configure these tools and services correctly.
Two years ago, the data of up to 6 million Verizon customers was exposed. Verizon had partnered with a third-party service provider to manage call center operations and store data from customer calls. The provider was using AWS to store the data but configured the service to allow external access. This allowed unauthorized users to access the data. Similar data breaches that are traced back to misconfiguration are almost always preventable.
There are certain steps organizations can take to improve the security of their data, applications and virtual machines in the cloud.
1) Know Your Responsibilities. Your responsibilities could vary depending on the cloud provider and the type of service. For example, one cloud provider will protect your applications, but another may not. Find out which security controls are available and which ones are your responsibility. Then make sure the necessary controls are implemented.
2) Control Access to Cloud Resources. Security breaches often occur because sensitive data is stored in a public cloud environment and left open on the Internet. User permissions are often configured incorrectly and credentials are left unprotected. Major cloud providers offer tools to address these issues. The key is to configure them properly and assign the minimum privileges that users require to perform their jobs.
3) Encrypt Your Data. Not only is data accessible on the Internet, but it’s often unencrypted. Encryption uses an algorithm to convert your data into unintelligible code. When authorized viewers access data, encryption keys automatically “unscramble” the data. But if an unauthorized user accesses your data in the cloud, they won’t be able to exploit or make sense of encrypted data without the encryption key. Having multiple layers of security tools provides added protection in case one tool fails.
4) Monitor Activity. Most cloud providers allow you to monitor and generate reports on both legitimate and unauthorized access attempts, as well as the source and time of those attempts and the parameters of each request. In addition to helping you identify threats and plug holes in your security strategy, monitoring can help you manage resources more effectively and respond to compliance audits.
If you’re thinking about moving more applications to the cloud, don’t make the mistake of assuming your data is secure. Let us help you take the necessary steps to protect your business assets and avoid a preventable data breach.