It’s almost a misnomer these days to speak in terms of transitioning to the cloud. Nearly everyone is already there, whether they know it or not. If you use Gmail, Dropbox, Workday, Quickbooks Online or Salesforce.com, you’re accessing a cloud service. Many people can’t even tell the difference between what’s local and what’s on a server in a remote data center.
There are lingering perceptions that the cloud is not secure, but the reality is that cloud service providers are well aware of the negative effects that a security incident could have on their reputations. So more often than not, they take the time to build thorough security measures. This means that by using cloud services, a small to midsize business (SMB) shares the resources and scale of companies like Amazon, Microsoft and Google, who all sell cloud services. They provide the security tools most SMBs can’t support on their own. Therefore, the greater risk is human error, caused by users who are unfamiliar with proper security practices. With that in mind, here are five ways SMBs can stay safer in the cloud.
Use strong passwords and two-factor authentication
Your best protection is the most obvious one: employ secure passwords. Password theft is, by some accounts, responsible for more than 80 percent of security breaches. A Keeper Security study of 10 million compromised passwords found that an astonishing 17 percent of accounts used the password “123456,” and seven of the top 15 passwords on the list were six characters or less. The technology cybercriminals employ today can crack a six-character password in minutes.
A password manager will generate strong, random passwords and automatically fill them for users. This saves them time, frustration and eliminates the need for them to reuse and remember passwords. Good password managers are available to employees from any device and location. All of this makes the entire organization more secure and drastically cuts helpdesk calls to reset passwords.
An increasing number of cloud services now offer the option to use two-factor authentication, which presents a second level of security. By transmitting a code to a second device, using a time based one-time password (TOTP) application like Google Authenticator, or utilizing a FIDO U2F device like Yubikey, your cloud service is made all the more secure. Take advantage of this option whenever you can. The additional steps are more than worth the peace of mind this added security can provide.
Be cautious with permissions
There are many good reasons why the cloud storage market is on track to approach $100 billion over the next five years. By storing data in the cloud instead of on a local disk drive, you can take advantage of built-in features like automatic backup, universal access and nearly 100 percent protection against device failure. SMBs can almost instantly be up and running and get the advantages of scale they could never achieve on their own. Finally, if your cloud provider is no longer competitive, you can cancel your subscription and move to a better one. This flexibility is unprecedented.
Unfortunately, not all security features are enabled by default. You need to be sure to switch on basic security settings like encryption and manage access controls. The headlines have recently been teeming with stories of companies leaving large troves of data open to the public because of a basic oversight. For example, last July Dow Jones left more than 2 million customer records out in the open for this reason, and in February, FedEx was embarrassed when 119,000 documents – included scanned passports, driver’s licenses and other sensitive customer information – were left on an unsecured server.
Cloud storage providers do a good job of protecting their infrastructure from intrusion but, for liability reasons, they leave the task of securing databases and applications in the hands of the customer. That imposes responsibility that some non-IT users may be unprepared to handle. When storing files in the cloud, first become familiar with the basic protections supplied by the provider. Be sure data is always stored in an encrypted state and that secure connections are provided for uploading and downloading data. In most cases that will be the case. If encryption is optional, set the switch to on. There is really no good reason to ever store data in an unencrypted state.
We recommend against giving users unfettered access to consumer cloud storage services. The reason many enterprise IT organizations prohibit the use of such services is because IT has no control over access and no way to retrieve documents that may be needed for legal or regulatory purposes. All major cloud storage providers offer business options that give administrators control over access and passwords, and you should use them.
Identity and access management (IAM) should include password managers designed for business that will work with any application; legacy, native, or cloud. With this option, all passwords are stored and administered centrally so there is never a risk of the database being corrupted or passwords being lost. For SMBs that deploy SSO for IAM, look for a password manager that can integrate using SAML 2.0 as a service provider. The password manager complements SSO by handling all the other applications that don’t support SAML and assets that don’t use passwords. Examples of the latter are servers, databases, network appliances and API that use digital certificates or encryption keys.
Understand regulatory limitations
Depending on your industry, laws and regulations may limit where you can store data. In some cases, you may be required to keep information off of the cloud entirely. Other rules may prohibit cloud providers from moving data to servers outside of the country. A good example is GDPR, going into effect May 25, 2018, that regulates where and how businesses process the personal data of EU individuals. Since many cloud providers have data centers spread across the globe, you want to be sure you have control over where your data is kept, and that you can access it anytime from anywhere. If you’re uncertain about how rules apply to you, consult legal counsel or industry trade associations for advice.
While we’re at it, don’t forget about mandatory retention rules. Because cloud storage is bottomless, it’s tempting to leave files there indefinitely. However, information kept beyond the mandatory retention limit may become a liability if it’s subpoenaed in a legal case or regulatory audit. The same lifecycle rules that apply to on-premise data also apply in the cloud.
Beware of the phish
Phishing attacks – in which criminals attempt to obtain access credentials by posing as a trusted source – have grown with the popularity of cloud services because organizations now keep so much sensitive data in the cloud. Phishing was responsible for more than 40 percent of data breaches according to a recent Verizon report. Spear phishing, in which an attacker customizes messages to appear as if they come from trusted sources, is becoming a particularly serious problem as cybercriminals apply artificial intelligence to their nefarious craft. Attackers have learned to mine social media for information they can use for these attacks.
The only real defense against phishing is employee training. The goal of a phishing attack is to get someone to initiate a transaction or to click on a link, so the best protection is awareness. A very common phishing attack is an email that looks like it came from your cloud provider, like your bank saying there is an issue with your account. You click the link to a website that looks exactly like your bank website and enter your credentials. The problem is that this isn’t your bank and you just handed your credentials to the hackers. Beware of any messages that ask the recipient to immediately transfer money. Another common attack today is an email that looks like it came from upper management (like the CEO) to accounts payable demanding they pay some account immediately. The account is always fake. The same applies to requests for personal information, such as passwords. Legitimate services never ask for such data by email.
Even if the request appears to be legitimate, be suspicious. Check not only the name in the “from:” line, but also the source email address. It’s easy to fake the former, but not the latter. Never click on links without first hovering your pointer over them and checking the link preview on the lower part of your screen. These preventions should be applied to text messages as well. Any text coming from an unknown phone number should be regarded with suspicion. A good rule of thumb is to never click on a link unless you are absolutely certain of who sent it to you.
Use audit records
This is one of the most useful services cloud providers offer, and in most cases, there is no charge. Administrators of SaaS services can log on and see all the recent activity on their accounts, including who has been accessing them, for how long, and even what transactions were performed. Many services will also routinely alert you when your account has been accessed from a new device or location. If such services are available, enable them. They’re not only a great intrusion detection tool, but they can provide a valuable audit trail for your compliance needs.
Small to midsize businesses are some of the greatest beneficiaries of cloud computing. They can enjoy access to the kind of world-class software, powerful computing resources and limitless storage that was once only available to the largest organizations. By taking a few basic security precautions like the ones we’ve outlined here, your experience should be a happy one.
This article is published as part of the IDG Contributor Network. Want to Join?