Moving to the Cloud has many benefits and a big one is lowered maintenance costs compared to on-premise solutions. While this is true, security is a paramount concern for many companies and it is still their responsibility. Today we discuss the key four security measures that need to be reviewed regularly:
- Review Access Rights
- Review Cloud Vulnerability and Penetration Testing
- Enforce Customer Data Deletion
- Confirm constant running of Encryption Tools
1. Review Access Rights Regularly
Companies have different identity and access management mechanisms, but it’s not enough to put them in place. People move or change roles, they also leave the company — but do their access rights reflect that?
Periodic reviews (at least annually) of access rights for all employees and vendors need to be conducted to reduce the risk of a security breach by regularly re-evaluating user roles, access rights, and user credentials. An essential part of account management and access control, these reviews limit access to critical data and resources and ensure that the right people have access to the right data.
2. Conduct Cloud Vulnerability Assessments
With so much data transferred into the cloud, this invaluable resource has become a target for bad actors. Cloud vulnerability assessments aim to evaluate the security and integrity of any cloud environment hosting business-critical information in order to identify, classify and manage the critical vulnerabilities.
According to Cloud Security Alliance Report, top threats to cloud computing, ranked in order of significance, include threats such as:
- Data Breaches
- Unsecure system configurations and inadequate change control
- Lack of cloud security architecture and strategy
- Insufficient identity, credential, access, and key management
- Unauthorized access
- Insider threat
- Insecure interfaces and APIs
- Weak control plane
- Failures in cloud management or application infrastructure management
- Limited cloud usage visibility
- Abuse and nefarious use of cloud services
Vulnerability assessment aims to identify flaws in cloud security. This should include scanning of host nodes (servers, workstations, etc.), wired and wireless networks, applications and databases. Penetration tests are a deeper dive, with specialists looking for vulnerabilities and actively trying to exploit them to assess the risk they pose. They should be conducted regularly, ideally at least once a year, to unveil the main cloud security blind spots and identify updates needed.
3. Enforce Customer Data Deletion
All data has its life cycle — from creation, storage, usage, and sharing to archiving and destroying. At the end-of-data lifecycle, data needs to be destroyed or sanitized to prevent unauthorized access to it. There are three ways to achieve this: physical destruction, cryptographic erasure, and data erasure.
The data’s end-of-life can be determined by different criteria, for example, fulfillment of purpose or validity of consent. This means that once the data is no longer used or the permission for data usage has expired, it must be deleted. Financial institutions are responsible for effective sanitization, especially when it comes to the customer’s personal data they collect and process.
4. Ensure Constant Running of Encryption Tools
When data travels to and from cloud-based applications and storage to authorized users, or when it is stored in cloud-based devices, it needs to be encoded to obstruct external users from potentially accessing it.
For example, encryption encoding and decoding aim to prevent the interception of countless data flows happening each day or from accessing data files when they are saved to cloud storage. With encryption systems, financial institutions can ensure that only authorized users have access to private data. And even more importantly — even if data is stolen, lost, or accessed without authorization, encryption helps ensure that it is unreadable to anyone without the key.
The Benefits of Cloud Maintenance
While this may still seem like a lot of maintenance, the good news is many of these processes can be easily automated in the Cloud. While you still need a maintenance team, Cloud Services make it easier to have a smaller team. Cloud maintenance can also be outsourced to Cloud Managed Services providers like Indellient who will manage your entire cloud presence from security to cost management.