Working off an external network in the cloud brings the benefits of offsite storage backup, but also comes with some dangers: Viruses, spam, malware and identity theft are among the threats you may face.
Along with the dangers of sharing your data externally with outside parties come some security benefits as well, according to Eran Feigenbaum, director of security for Google Apps. Although companies now allow cloud vendors access to their data, “just sharing a document and not an entire infrastructure is a tremendous benefit,” he says.
“You don’t have to figure out multiple security zones, only one front-facing connection,” adds Treb Ryan, CEO of OpSource, a company that provides data management and data-transfer backup for software-as-a-service and Web companies.
Here we provide some tips from experts on how to keep your
Watch what you open
Cloud provider Salesforce warns on its
Ask your provider about incident response, Balding advises. The provider should be able to help in the event of an intrusion attempt, he says. You should also ask if the company will take an image of the machine or whether you must do this yourself.
When you open files, make sure your network access is encrypted, suggests Craig Balding, a technical security lead at a Fortune 500 firm and author of a blog on cloud computing security. Balding notes that Amazon doesn’t encrypt data for its Web Services business. On its trust site, Salesforce.com recommends two-factor authentication techniques such as RSA tokens or Smart Cards.
Protect your cloud API keys
You want to make sure your cloud API keys are secure, Balding warns. “If someone gets hold of your access key, they’ve got everything,” he says. “Require the provider to give you keys for different sets of data and risk classification,” Balding suggests.
He also advises putting your production data in one account and your development data in another account. This will lessen the risks of someone breaking into your less secure development machine, he says.
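An added example, not from the article or any provider's tooling: a small audit over a constructed key inventory that flags any key spanning more than one risk classification or both production and development, and lists what a single leaked key would expose. The resource names, key ids and account names are hypothetical.

```python
from collections import defaultdict

# Constructed inventory: resource -> (environment, risk classification).
RESOURCES = {
    "customer-db":   ("prod", "high"),
    "billing-files": ("prod", "high"),
    "public-assets": ("prod", "low"),
    "test-fixtures": ("dev",  "low"),
}

# Constructed key inventory: key id -> (owning account, resources it can reach).
KEYS = {
    "key-master":  ("acct-shared", ["customer-db", "billing-files",
                                    "public-assets", "test-fixtures"]),
    "key-billing": ("acct-prod",   ["customer-db", "billing-files"]),
    "key-assets":  ("acct-prod",   ["public-assets"]),
    "key-dev":     ("acct-dev",    ["test-fixtures"]),
}

def audit_keys(keys, resources):
    """Return {key_id: [findings]} for keys that break the separation rules."""
    findings = defaultdict(list)
    account_envs = defaultdict(set)
    for key_id, (account, reachable) in keys.items():
        envs = {resources[r][0] for r in reachable}
        risks = {resources[r][1] for r in reachable}
        account_envs[account] |= envs
        if len(risks) > 1:
            findings[key_id].append("spans risk classes: " + ", ".join(sorted(risks)))
        if len(envs) > 1:
            findings[key_id].append("spans environments: " + ", ".join(sorted(envs)))
    # An account holding both prod and dev data defeats the account split.
    for key_id, (account, _) in keys.items():
        if len(account_envs[account]) > 1:
            findings[key_id].append(f"account {account} mixes prod and dev")
    return dict(findings)

def blast_radius(key_id, keys, resources):
    """Resources exposed if this one key leaks, highest risk first."""
    order = {"high": 0, "low": 1}
    return sorted(keys[key_id][1], key=lambda r: (order[resources[r][1]], r))

if __name__ == "__main__":
    for key_id, problems in audit_keys(KEYS, RESOURCES).items():
        print(key_id, "->", "; ".join(problems))
    print("leak of key-dev exposes:", blast_radius("key-dev", KEYS, RESOURCES))
```
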
Pay as you go
To avoid competitors running up the bill, pay for cloud services as needed, Balding advises. “It’s good to have a threshold if usage goes way up,” he says.
Google’s Feigenbaum stresses the importance of data replication across multiple data centers. In the event of a disaster in the Northeast, for instance, data could still be accessed from other regions. “If something bad would happen to the Northeast such as a snowstorm, and cut off power, your data would be served from another data center, and no one would really know,” Feigenbaum says.
Reduce endpoint reliability
“The concept of the cloud is to store minimal data on your endpoint devices,” Feigenbaum says. “Endpoint devices are hard to secure — you’re taking security out of the experts’ hands and putting it into the users’ hands.” The FBI reports that 1 out of every 10 laptops is stolen within the first 12 months after purchase. And though USB keys are convenient, they’re easily lost.
“Don’t overlook client-side security,” advises Joe Krause, director of product management for information security consulting firm Trustwave.
Ensure proper compliance and certifications in data transactions
OpSource’s Ryan advises that transactions involving credit cards should be PCI compliant. “If our system is not PCI compliant, the system breaks and you don’t have a secure transaction of Web data,” Ryan explains.
Ryan says that in corporate environments, enterprises should follow SAS 70, a safety protocol.
Meanwhile, health care companies need to heed HIPAA regulations as medical data travels in the cloud.
Understand vulnerability management
Trustwave’s Krause says providers need to be able to manage the risk of a single vulnerability affecting a large number of clients. “A single vulnerability has the potential to expose the critical assets of a large number of their clients,” Krause says. “Cloud computing providers have to be able to show that they’re aware of the vulnerabilities of the cloud and that they’re not waiting for someone else to show them there’s a vulnerability,” he explains.
Keep a forensics and Web log
Providers need to know where their customers’ data is at all times, Krause says. “There’s got to be a way to follow the audit trail, where the data was at any point in time,” he says. A forensics and Web log accomplishes this, he says. “Enable logging so you get visibility on how people are using your services you put in the cloud,” Balding suggests. “You might detect some attacks that way. If you don’t turn on the logging, you’re not seeing any of the bad stuff or hacker potential,” Balding says.
Also check with IT to see if other divisions of the company have already signed up for the cloud service, because if they have, a security breach can occur. Balding says to confer with the finance department to see if anyone else in the company has spent money on that service. It’s a company hazard if the same information is in the cloud twice, he says.