When I started working in data and analytics 30 years ago, information security wasn’t high on the agenda for organizations. That's changed with the rise of the Internet, and now that cloud is becoming more and more prevalent in organizations, information security is no longer just the domain of specialists and IT professionals. Everyone in the business has to be aware of security and the implications of potential breaches. Nowadays, it's much more common for people outside of IT to investigate and short-list potential cloud providers. As a result, we all could use a good overview of what security looks like in the cloud and what to look for in a cloud provider.
Let's take a look at some of the key points in addressing cloud security, and things you need to consider when choosing a cloud provider.
Is the hosting location physically secure?
It's important to have the right security systems and protocols in place to make sure information access is controlled, but that's irrelevant if the actual location of the data isn’t secure. For example, a large mobile phone provider had a physical break-in to one of their data center facilities back in 2011, resulting in damage to their equipment and loss of services. They had all the latest security technology, such as biometrics and fingerprinting, but that was irrelevant when someone physically broke in and took equipment.
Reputable cloud providers who offer hosting must have state-of-the art data centers with the strongest physical security, and should be regularly audited with the most comprehensive and widely recognized accreditations to ensure that they meet and maintain required standards.
Sometimes, a cloud services provider may also use third-party co-location data centers and providers. When subcontracting any services to a partner, it's important to have a strict, mature vendor qualification process to ensure that partners are up to the same security standards as the provider’s own data centers.
Once you've ensured that your data is physically secure, you need to turn you attention to other types of security.
Are the operating systems, applications, databases, networks, and communications secure?
When choosing a provider, an effective and comprehensive logical security can be attained when these five types of strategies work together:
- Authentication – determining that individuals are who they say they are.
- Authorization – ensuring that an authenticated individual or system can obtain access only to the appropriate resources and data.
- Anomaly detection – the ability to spot activity that falls outside the norm, indicating that someone has, or is attempting to gain unauthorized access.
- Audit – the viewing and/or processing of historical logs, intended to mitigate any vulnerabilities from strategies 1-3 above, and to detect and deter any authorized users from breaking system rules.
- Testing – the automated or manual probing of defenses to ensure they're fit for purpose.
When it comes to logical security, the main point is to cover all potential scenarios, including one where a hacker might get past your perimeter defenses.
The solution will need to be accessed via the Internet. How can that be secure?
There are various methods employed by cloud providers to ensure that data is kept safe from unwanted exposure to the Internet. A lot of systems implemented in the cloud are for use by people outside of the company. However, when they're only intended to be used by their employees, there’s no reason for access to be opened up to the Internet. There are two options to achieve this – either by employing site-to-site VPN or IP whitelisting to ensure that the system is accessible only from agreed client sites.
For most systems, the intention is for use by their employees or users known to the company. Therefore, VPN or IP whitelisting are convenient ways of giving access across the Internet without exposing the system to the Internet.
The advantage of this approach is that all users must be authorized and authenticated through the network of the organization that's using the cloud analytic solution. This gives you the ability to employ your existing security measures.
With a cloud solution, we're entrusting our data to people outside of our organization. How can we be sure they're trustworthy?
We've all heard stories of organizations who, in spite of having fantastic logical security mechanisms to prevent outsiders from accessing their customers' data, have underestimated the potential risks from within their own organization. For example, data has been compromised by employees siphoning their own corporate data, or even just by employee negligence. A research project undertaken by Shred-it in 2018 found that more than 40% of data security breaches were caused by employees.
When choosing a cloud provider, you'll want to make sure that steps have been taken to ensure that the staff is knowledgeable and trustworthy, and that this is tested and rechecked on a regular basis. Here are some of the processes that should be in place to ensure all staff can be trusted with your organization’s data:
- All employees are background-checked before they are hired.
- They are regularly trained and tested on the company policies and procedures.
- Access is granted only to employees as required to perform their duties, with formal management approval and review.
- When an employee leaves the organization, all access is removed in a timely fashion.
- Modern password policies are in place and enforced.
- All personnel who access the hosted solutions do so through two-factor authentication and must pass annual training on such topics as data classification, security, and privacy for their access to continue.
It’s vital to choose a cloud analytics provider that you can trust, and one that's continually updating and improving their security to stay ahead of the game.
For a deeper dive into security in the cloud, you can download our white paper, “Security in the SAS Cloud.