A few years ago, security was listed as one of the biggest reasons people might not want to entrust their data to the cloud. For good reason, companies have been careful and systematic in figuring out what information systems to use; security challenges on the Internet are by no means a new thing. Even back in June 2011, 9 in 10 US firms said that they had suffered at least one data breach within the previous year. That’s right: 90% of companies (out of 583 companies polled) said they had been successfully compromised by an outside party within the past twelve months. Almost 60% said that their firm had experienced at least two attacks within those same twelve months.
A wise and important focus on security was omnipresent in early discussions of cloud computing, and it continued to be a top concern in the years ahead. A survey conducted by IDG and published in August 2013, “Cloud Computing: Key Trends and Future Effects Report,” revealed that the top challenge for an effective cloud plan was security – at 66%, much higher than stability, reliability, and integration at 47%, and concerns over whether the service would deliver on organizational and compliance standards. (The poll gathered responses from 1358 people, all of them in decision-making positions and most with managerial roles within IT.)
Again, this concern has continued through the years. In November 2016, another IDG report came out, the 2016 IDG Cloud Computing Survey, showing that many companies still had similar concerns with cloud. That poll found that firms were moving huge swaths of their environments to the cloud, with 60% in some cloud configuration (public, private, or hybrid). (These figures were based on the responses of approximately 1000 informational technology executives.) Even though cloud was widely deployed, security was still the top concern for 41% of those polled.
The concern with security has resulted in somewhat of a backlash, though, from those who are now convinced that the security of cloud is preferable to what is available in traditional data centers. For instance, David Linthicum reported in 2014 that cloud was more secure than a typical business’s traditional data center. Similarly, deputy technology editor Quentin Hardy noted in the New York Times that most major data breaches in recent years have been from attacks on traditional systems. Data may effectively be safer in the cloud because there are more security precautions in place –since security is a fundamental, core concern of any company that is serious about hosting cloud servers.
7 steps to secure a cloud server
Here is a list of seven ways to secure your cloud server, standard best practices indicated recently by Simility CEO Rahul Pangam:
Step 1: Implement end-to-end encryption for in-transit data.
You want to make sure that any time you are interacting with your cloud server, you do so through secure sockets layer (SSL) protocol (TLS 1.2) so that your message is effectively locked. The termination point of the SSL certificate should be the cloud provider.
Step 2: Implement encryption for at-rest data.
Everyone thinks immediately about data that is in motion. However, data that is in one place must be protected as well. As Pangam puts it, encryption of at-rest data is “the only way you can confidently comply with privacy policies, regulatory requirements and contractual obligations for handling sensitive data.” It is certainly a best practice in an increasingly complex threat landscape.
You want to use the AES-256 standard whenever you store disks within the cloud. Your encryption keys actually also need to be encrypted themselves. There should, furthermore, be a system in place to rotate the master key set at routine intervals.
Your cloud provider will also hopefully allow field-level encryption, so that you can encrypt SSN, credit card number, CPF, and other highly sensitive fields.
Step 3: Conduct thorough and regular vulnerability assessments.
Any company that you entrust to provide you with a cloud service should have strong and carefully strategized incident-response and vulnerability practices and systems in place. One feature that you want in terms of incident response is the ability to completely automate the risk scans that look for any vulnerabilities; you are able to perform critical security audits daily, weekly, or monthly, rather than quarterly or yearly.
You can make a security case for vulnerability testing daily. However, within your own ecosystem, you can decide what frequency makes sense for a particular network and/or device. This testing can be set up ahead of time or run at will.
Step 4: Set up and follow a data deletion policy.
You should have your system configured to automatically delete all customer data for any customers that are beyond the retention window that is listed within their user agreement.
Step 5: Focus on user-level security for better protection.
You want layers of security, and one way to create layers is with the user. A customer should be able to change the editing and access privileges for their information at the level of each user, and it is easy to provide this capability with role-based access control (RBAC). RBAC permits you to create delineation between tasks that is both highly granular and uses access controls as its foundation. The care that you put into setting up your RBAC system will make it easier for you to meet internal data security standards, along with compliance to any external standards such as PCI, HIPAA, or the GDPR.
Step 6: Get a virtual private network and cloud.
In traditional hosting environments, there is a dedicated server, an individual physical machine used by a single organization. A dedicated machine can be divided into either multi-tenant or virtual private servers. In the context of cloud, you want your provider to give you a cloud instance that is yours and yours alone – and to which you would have the sole right to access and control of the data. Customers connect to your datacenter. The traffic that goes back and forth to their virtual private cloud goes to their data center via an Internet Protocol security (IPsec) virtual private network (VPN), a standardized means to send encrypted data.
Step 7: Look for strong compliance audits and certifications.
The two critical third-party certifications that you want to see in your cloud provider are Payment Card Industry Data Security Standard (PCI DSS) and SSAE 16 / SSAE 18 / SOC 1 / SOC 2:
- PCI: PCI DSS compliance, critical to e-commerce solutions, requires a comprehensive audit that is focused on data safeguards during transmission, processing, and storage of data. Note that PCI DSS does have a rather granular focus on payment data, specifically cardholder data, because these standards are designed and promoted by the major credit card brands – Discover, MasterCard, Visa, American Express, and JCB – through the PCI Security Standards Council. Nonetheless, the standard does have strong guidelines and thorough guidelines for highly important security techniques including application development; network design; policies and procedures; and vulnerability management.
- AICPA: SSAE 16, SSAE 18, SOC 1, SOC 2 are related compliance standards as a name change is taking place at the American Institute of Certified Public Accountants (AICPA), which develops all of these standards. These standard are focused on the controls in place at service providers; the audits are intended to help companies find and fix any flaws in their vendor management environments, compliance management systems, and risk assessment programs. These standards demonstrate through third-party auditing that a cloud provider has an infrastructure and set of policies in place that meet strong stipulations, as established by an accounting professional organization.
Launching your cloud server
Do you need a cloud server that you are confident will be fully protected by your infrastructure provider? At Total Server Solutions, our SSAE 16 Type 2 Audit is your assurance that we follow the best practices to keep our data center up and running strong. See our security commitment.