The most common cause of data leaks are not software bugs or hackers’ activities, but administrators’ fault, who either forget to configure security or do it incorrectly (thus facilitate the task for hackers).
In order to minimize the risk, it is worth following the rules below, regardless of whether Amazon Web Services, Microsoft Azure or Google Cloud Platform are used.
It should be kept in mind that most criminals search vulnerable, misconfigured systems, and then attack.
Many entrepreneurs eagerly implement multi-cloud solutions, i.e. cloud services of different vendors. It makes their systems less transparent and more difficult to manage. This, in turn, creates more opportunities to make a serious configuration error of which administrators are not fully aware.
In order to secure data processing in a cloud, it is worth following a few basic rules:
- 1. Knowledge and responsibility
An entrepreneur is solely responsible for securing personal data regardless of solution used. He controls over the infrastructure fully – software, data and application configuration, access control and authentication. An entrepreneur must ensure an implementation and application of a sufficiently high level of data protection.
- 2. Access control
One of the biggest problems while using cloud services is an accidental disclosure of enterprise resources to the public. It is worth considering implementation of tools that allow conducting a quick audit and checking what exactly (and to whom) has been disclosed. Another mistake is allowing SSH connections to be made directly from the internet – allowing unauthorized users to find and exploit cloud service configuration gaps and errors in a cloud.
- 3. Data encryption
Administrators’ serious negligence is to store unencrypted data in a cloud. Applying encryption prevents data from being read – even if it is leaked or stolen. These are the best practices to maintain full control over encryption keys, although it is not always possible, sometimes it is necessary to make them available to e.g. business partners.
- 4. Protection of login data
An entrepreneur is responsible for a sufficiently high level of security for login data. Individual, unique and adequately strong passwords should be created and regularly changed for each application, resource or service. Thanks to this activity, even if there is a leak or theft of data, there is a good chance that hackers will take over an outdated password. It’s also important to precisely assign permissions and give users access only to resources they should have access to. The system should be regularly checked for inactive user accounts – if they exist, should be deleted.
- 5. Multi-factor authentication
Multi-factor authentication is worth using. It significantly strengthens standard security of login and password. Two-step verification is a popular type of multi-factor authentication. It consists of two stages: entering a correct user ID and password for authentication, and then entering a code accessed by an appropriate account holder in a given website.
- 6. Transparency
It is good practice to apply tools to identify potential attack attempts, suspicious behaviour, errors, and other anomalies. The most popular cloud platforms providers offer tools that allow activating secure login, as well as monitoring any failed / suspicious login attempts.
- 7. “Shift-left” in security
At a very early stage of creation or implementation of an innovative solution in a company it is worth planning an implementation of security functions – use of the “shift-left” approach. Most often, however, an entrepreneur implements a solution first, and then adds functions and security tools to it – less profitable, from the economic point of view.