The Comprehensive Guide to Cloud Security

Over the last two decades, a large amount of computing has transitioned to the cloud.

This transition is still ongoing today, with Public clouds, private clouds, and hybrid clouds bringing unprecedented agility. 

Large and small organizations have adopted various cloud platforms and applications as a mainstay of their infrastructure, bringing:

• Reduced costs
• Flexibility of reducing or increasing capacities based on demand

When choosing a cloud service, here’s what you should have in mind the security risks, how cloud security works, and your network security protocols.

This guide will give you a basic understanding of cloud security between your organization and cloud providers, allowing you to look into new solutions more quickly.  

Why do organizations need cloud security?

The computing environment

• Cybersecurity threats continue to increase
• Prevent data breaches and data loss
• Avoid regulatory compliance violations
• Maintaining business continuity

Cloud security benefits

• Centralized security
• Reduce cost
• Reduce administration
• Increase reliability

The 11 best practices for cloud security

This comprehensive guide reflects the essential Cloud Security elements outlined in the ISO/IEC 27003 Standard.

1. Physical Security

First, understand how the infrastructure of the cloud solution is physically protected. 

• Is it mirrored in more than one geographic location? 
• Are the data centers owned by a major company that hardens its physical infrastructure? 

If not, ask further questions.

2. Protection of data in transit

When data enters or leaves any cloud environment, it’s essential to authenticate the connection and encrypt the data in transit. 

• If the data transport is email, implement DMARC and force TLS encryption. 
• If data transport is across the web, through a web browser or API, invoke SSL certificates and force TLS encryption to ensure security.

3. Protection of data at REST

Upon receiving any data, cloud applications must protect it using Representational State Transfer (REST) by encrypting it to prevent unauthorized access or theft.

4. Multi-tenant micro-segmentation

Any multi-tenant cloud environment must store its tenants’ data using micro-segmentation in individual, separate, and private databases.

5. Asset protection

All cloud solution interfaces must be protected behind firewalls using Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and Content Delivery Networks (CDN) systems. 

These measures protect and harden the solution and data from external assault.

Also, consider adding a Next-Generation Firewall (NGFW) to: 

• Perform port/protocol inspection and blocking, including application inspection and intrusion prevention
• Access external source information from cloud-based threat intelligence, monitoring, and prevention services (such as Abusix’s blocklist.de).

6. Visibility and Control

Cloud solution security and application management must provide cyber security to monitor systems and user events to detect anomalous activity. 

7. Trusted security partner and network

No other party, including the technical staff of the cloud solution or their hosting company, should have access to your network, sensitive data, or customers.

8. Identity and Access Management

Any cloud environment must provide Identity and Access Management (IAM) with Two-Factor Authentication (2FA) as a minimum to distinguish between authorized and unauthorized users and determine the amount of data accessible to each entity.

9. Regulatory compliance, cloud governance, and cloud security and privacy integration

Regulatory Compliance

Prospects and customers must be able to identify, measure, monitor, and manage their organizational and regulatory compliance risks in any cloud environment.

Cloud Governance

Any cloud implementation should align with the organization’s existing cloud governance and risk management strategy.

Cloud Security and Privacy

Any cloud implementation must consider privacy concerns, as the service provider can access the data in the cloud at any time:

• Cloud solutions should clearly state their legal and policy provisions and the right to end-user privacy in their contracts. 
• Ensure that the data remains the property of your organization.

10. Operational Security

Change and configuration management

Cloud solutions use agile development methodologies, which means their products are released on an iterative, rapid cycle. So make sure you:

• Implement security testing at each solution’s life cycle phase to ensure quality assurance. 
• Open-source software must be subject to technical, legal, and management.

Vulnerability and penetration testing

All cloud solutions must incorporate security updates:

• The internal quality assurance function must have a heightened awareness of cross-site scripting vulnerabilities.
• Have a “defense in depth” approach and consistently vet their practices using internal scans and third-party PEN testing for vulnerabilities and gaps.

Protective monitoring

Cloud solutions must monitor critical network events with intrusion detection systems (IDS) 24/7. 

Their log aggregation systems must provide the ability to identify and address any unauthorized access to assets and data by external and internal users.

Incident management

Your cloud security team needs SIRP (Security Incident Response Processes) to handle any events related to the cloud:

• Tells you who does what
• The criteria for judging an incident’s seriousness
• The steps to investigate and diagnose an incident
• The requirements for reporting an incident. 

If a customer is affected, you must tell them immediately if there is a security or privacy breach. Other important events must be reported to customers within 24 hours or sooner.

11. Personnel security

• Employee Screening: Employees handling cloud data should undergo background checks.
• Terms of Employment: All employees should sign an Information Security & Access Policies for their onboarding. 
• Training: All new employees, both full-time and temporary, must take Internet Security Awareness Training (ISAT) when they start working and every once a year. 
• Termination of Employment: you must have a formal termination process, which includes notifying Corporate IT, Cloud Operations, and Facilities and ensuring the return of assets and access cards.

Working with a cloud provider

As mentioned earlier, the question “how secure is the cloud” is common. Security challenges that cloud computing brings should therefore be considered when adopting cloud services.  

According to the Cloud Security Alliance, the top three threats in the cloud are:

• Insecure Interfaces and APIs
• Data Loss & Leakage,
• Hardware Failure

To be successful with your project, pay attention to the best practices above and:

• Choose a trusted provider.
• Establish a mutual understanding regarding shared responsibilities.
• Carefully review your Cloud Provider’s Contract and Service Level Agreement (SLA) and understand the vendor’s failover and backup strategy.
• Secure all your endpoints and encrypt your data in transit.