Cloud computing and all the many varied advantages it offers for a business’ digital realms is definitely here to stay, and access and storage convenience, consolidation, and capacity are front and centre as to why that’s the way it is. Most of us have benefited greatly from the advent of the cloud, and we wouldn’t want to go back to the way it was.
Here at 4GoodHosting, as a quality Canadian web hosting provider we’re just as enthused as most of the rest of you about what the future holds in as far as cloud computing is concerned. So while it’s perfectly natural to be keen on getting more out of the cloud, we need to ensure that our sensitive data is key entirely safe while it’s perfectly suspended ‘up there.’
So today we’ll discuss some considerations for setting yourself up so that there’s no unexpected disappointments as you enjoy this wonderful 21st century advance in computing technology.
Priority 1 is Secure Code
While we’ll get to code in a moment, it is important that you trust in the security model of your cloud service provider. Understand what information the service provider will deliver to the customer (vulnerabilities/exploits discovered, patched, requirements from customers, security bulletins etc.) and what is your (the customer’s) responsibility. There are many cases where the provider takes the appropriate measures but the customer is neglecting to take care of their end. It is important to know all these beforehand.
Alright - code. If you’re developing code, making sure it’s 100% secure is your responsibility. Code that has not been thoroughly tested - inside and out - can be a big time risk. It’s something that if you don’t have a capable tester on staff then it’s something you should outsource to someone who IS proven capable.
One that you can check out is uTest. They employ testers worldwide and provide impressively detailed reports. Your code can be tested by teams of people on very different platforms and they’re more likely to dig up bugs and vulnerabilities as compared to the average in-house testing team.
Identity and Access Management
Next up is the important of identity and access management. Your cloud login information is essentially the key to your front door, and the nature of the arrangement is your door -locked or not - is immediately visible to many more potential enterers. You need to have a policy for access management. Start with consideration of obvious security risks:
- ex-employees
- outside parties (vendors, consultants etc. who have outside access)
- employees (weak passwords) - a more legitimate issue than you might think
Address first two there with a policy that insists on a temporary check of people and / or organizations who have been granted temporary access. Accounts that have expired should be removed from the central directory – Active Directory, LDAP etc. Many people would be shocked with the the extent of the problem wit rogue logins with “password never expires” option set in companies directories.
Next, we can understand the importance of updating systems. First and foremost, keep your systems at the latest patch levels as much as possible. You’ll be able to patch security holes as well as enable your applications to use the secured APIs/DLLs to make them MUCH more secure. And don’t concern yourself overly with ‘breaking’ things. If your application / system is being broken just because a security patch, it’s an inferior product and should be replace anyways!
Log Management
In today’s workloads, logs primarily serve two purposes. That’s troubleshooting and security (access logs). But they become even more important if they are aggregated. Aggregating logs with an IT analytics tool is highly recommended, as it will enable you to monitor for malicious activities and undertake detailed analyses to dig up the root cause of any such vulnerabilities. You’ll have a big-picture view of your infrastructure as a whole, from patch levels all the way to application behaviours.
A quality IT analytics tool serves functionally as a tool kit to aggregate logs and further to be extended with additional tools. A holistic view of your IT architecture is a must, and it’s smart to have the relevant tools in place to cover all the bases; firewalls, anti malware applications (end point security), intrusion detection, valid certificates and so on.
As one last tip, keep up on the latest security information. There’s plenty of available detailed information on the vulnerabilities, zero-day attacks, proposed temporary solutions etc to be found on the Internet. Cloud-security conscious webmasters learn about what type of breaches, exploits are happening in their specific industry, and learning about ways to secure their infrastructure and keeping one step ahead when it comes to security matters / concerns.
There is no such thing as 100% security when it comes to the Cloud - the nature of what makes it so great and versatile is exactly what makes it perennially insecure as well. But there’s plenty you can do to stay as secure as possible while enjoy all the benefits of Cloud storage and access. Not like we’re going to be regressing anytime soon, so just be smart about it.
