Security in the Cloud: Four Things Your Customers Need to Know
A recent survey of 300 IT decision makers, conducted by research firm Vanson Bourne on behalf of Barracuda Networks, found that 44 percent of the respondents’ IT infrastructure is now on a public cloud. This isn’t a big surprise; after all, there are often big cost savings in moving IT workloads to the public cloud. The trend also suggests that many companies don’t want to deal with the headaches that come with managing on-premises IT systems.
What 68 percent of companies don’t realize (per the survey), however, is that public cloud providers only protect their platforms — not the data and applications that are housed inside. The fact is that the public cloud is built on a shared responsibility model, which means the cloud provider has some security responsibilities, but customers bear part of the burden as well.
This misunderstanding is also leading to some big problems. For example, a recent study by SkyHigh Networks found 7 percent of all Amazon S3 servers are exposed, a problem that is believed to be behind numerous data leaks over the past few months, such as information on 198 million American voters, 14 million Verizon customers, and several Viacom networks.
To ensure your customers don’t become the next victim, educate them about additional security measures they should be taking to protect their data in the public cloud.
What’s safe – and what isn’t – in the public cloud?
In the shared responsibility model used by vendors like AWS, Microsoft Azure, and Google Cloud Platform, cloud providers are responsible for protecting the physical infrastructure, network infrastructure, and virtualization layer that comprise the cloud platform. The user’s share of security responsibility includes: network security, identity and access control, operating systems, and data encryption.
Must-haves for public cloud protection
1. Password best practices. When it comes to identity and access control, inadequate passwords are a top concern in the public cloud — just like they are with on-premises computing. Several studies have come out in the past few years indicating that at least 80 percent of passwords can be cracked within 45 minutes. In addition to turning off password defaults (e.g., “admin”), it’s important to ensure passwords are at least eight characters long with a mix of both uppercase and lowercase letters, in addition to containing numbers and symbols. Apart from being strong and unique, passwords also need to change frequently.
2. Two-factor authentication. Two-factor authentication is another step companies should consider taking to further reduce the chances of getting hacked. This strategy takes identity and access control to a higher level by adding something only the authorized user would have on them, such as a secure code sent to their cell phone that they have to enter before gaining access to the cloud. Using a password management solution, such as Passportal, Certify Enterprise, Dashlane, or Keeper for Groups, is highly recommended to ensure these processes are followed consistently.
3. Public cloud firewall. Another resource every public cloud customer should be using is a public cloud firewall, which can protect traffic to, from, and within public cloud services with the same functionality as a physical or virtual next-generation firewall. The firewall should encrypt data so that in the event a hacker steals the data transmission on the way to or from the cloud, it’s unreadable.
4. Data protection. Backups are another important public cloud consideration, especially for companies operating in highly regulated industries with strict data retention requirements. Public cloud providers typically offer 30 days’ worth of data retention, which may be inadequate for some industries.
SMBs are increasingly turning to the public cloud to meet their evolving IT needs. As an MSP and trusted business partner, you need to educate your customers about the importance of keeping their workloads secure in the cloud. To provide comprehensive security, you need to understand which applications they’re accessing in the cloud, what kind of data they’re storing there, and what kind of access controls are in place.
Your customers already know how much effort goes into protecting their on-premises data from ransomware, malware, and hackers. Just because some of their IT applications and infrastructure are moving to the public cloud doesn’t mean all these security concerns go away — they just move to another location.