Following on from our last videos, What Is a Disaster Recovery Plan And How To Insure Against It, our CEO, Tim Poultney, will now talk through Securing Cloud Environments in this useful cloud security guide.
My name is Tim Poultney and I am the CEO of Veber. Veber is a company with extensive experience in hybrid, dedicated and cloud hosting solutions. Today, I am here to talk about how you secure your cloud environment from internal and external security threats.
The way we look at breaking down cloud environments and threats is very different from normal security in the old days, where you would get a firewall or you would get anti-virus. Because the cloud is an environment that you don’t control, we look at things differently. So the first thing we normally try to talk to a client about is what actual data you need to keep in the cloud, what data you are trying to keep on the server – is it relevant and is it required?
You try not to keep things like security credit card information unless you actually need it there, because anything that is kept in the cloud has a higher risk of actually being copied, cloned, read or stolen. So what we are trying to say is that you should only put information that you need on the servers up onto the Internet or on to the cloud. We always encrypt all of the information that we have got there. A lot of service providers will offer you a level of encryption based within the software or your files. If you add a level on top you should be able to have full encryption that only you understand and only you can decrypt. That means that if the supplier of your environment, whether it is Amazon or Microsoft, looks at your raw data, they cannot read it without your encryption keys.
It is a very interesting thing that people believe the Internet is safe. They believe the cloud service providers are all there with the best nature. There are a lot of people on the Internet that might not be there with the best nature. So what we say is always check who you are outsourcing to and why you are outsourcing. So if you are outsourcing to a cloud security-as-a-service provider, make sure that they are open, transparent, they give you all the information, they tell you how they are going to encrypt it, they tell you the processes they follow, they give you a copy of their RSO standards or their SAS standards. They have to be transparent with that information.
The next thing that we need to think about when we are looking at security of cloud environments is the standard thing: password management policies. I, like every CEO, get very frustrated if my password changes every two to four weeks. It is frustrating for end users to have their password continually changed, but it is a necessary requirement. At Veber we normally recommend that you change your password between 6 months and one year. It means that someone can actually get to the point of using the password for long enough and not continually changing it. We recommend a longer password, but not necessarily technically difficult. The reason being, as GCHQ pointed out, lots of people are writing down their passwords. This destroys the whole point behind it. So what we would say is change your password regularly and do not use the same passwords. These are enforced in policies and things like this.
A lot of people believe that the only threats they are going to get are from the Internet and from other things. Well, actually a lot of staff can make mistakes that can infect the computer system by bringing a virus in through the door. You have no control over the iPads and the other laptops and PCs that are brought in. So what we say is that we believe that staff and employees are a threat and we should always act as if they were not there for the best of the system.
Offer security training – actually teach your staff about security effects. Explain to them about phishing and what people are trying to achieve, tell them on a monthly or a quarterly basis what threats have been seen and get involved with them so they can understand them and see the negatives behind what is on the Internet.
Use a cloud monitoring tool to get to the bottom of this information. If your business is running a web shop, your business might not have any knowledge internally of any of the security things we are talking about. If you are starting to outsource to cloud providers to actually give you information and help you with your services, you can buy it at a fraction of the cost of doing it yourself.
There is always a discussion around verification. In the early days, verification was always problematic because you had a user name and a password and anyone could copy the password. So then along came a whole load of key fobs and other technologies to allow you to do two-step verification of who the user is. Nowadays, you can even get SMS text messaging, Google devices, many things that will help you to authenticate that user. But if that user is just a secretary opening a Word document to write it, that two-step authentication might be too much for her. So we need to use this in the areas of maximum risk: credit card systems or bank connection systems are always the best places to look at for two-step authentication.
Mobiles, laptops and anything that moves. A lot of people would see a laptop as an easy thing because you put antivirus on it, you put your password policies and protection policies. However, a lot of IT departments don’t control the mobile phones. There are a number of businesses I’ve been to where they just give you access details for the Wi-Fi, so your mobile phone would work. But that means that you will have to look at how you are going to secure those mobile phones against viruses and other threats. So I would be a strong believer that you have separate networks for mobile devices from devices that are actually on the local network. Make sure you put password policies in to protect your laptops against people coming along.
It is the most important thing we always go back to. If you have a backup with all the files, whatever happens, you can install your business back. It comes to a case where everything in your company can be backed up and should be backed up. It is just the process that your business should be following.
If you liked our cloud security guide and would like to know more about cloud security and how to protect your business, why not get in touch with one of our friendly team members today.