If you are worried that cybercriminals will have easy access to your data in the cloud, think again. If cybercriminals are becoming more sophisticated, so are security tools. You can secure your cloud by asking the right questions and implementing the right solutions. So, ask the right questions!
You may wonder: “What are the right questions?” Here are some starters.
What kind of perimeter protection are you envisaging? Does the perimeter defense identify intrusions? Does the system merely generate alerts on detecting an intrusion, or does it prevent it? Do the system defense mechanisms block malicious files, executables and other items that can potentially damage your security? If the answer is yes, and your cloud vendor has all these defense mechanisms in place, you have taken the first step in the right direction. Your perimeter protection will provide you with a lightweight, dynamic view of attacks that are constantly evolving and attempting to gain access to your databases and applications.
But this protection is not enough. There may be vulnerabilities you are not aware of already co-existing with your data and applications. Some malicious files may have been implanted into your repositories even before you put your security systems in place. These may remain undetected for years, waiting for the right trigger to activate them. They need to be detected and eliminated. You need to ask about these threats and secure your data repositories immediately.
There are sophisticated tools available in the market for this purpose. Check whether your cloud service provider has integrated them with the backup and recovery software. They are popularly known as “defense in depth” tools. These tools use a multi-layered approach to secure the system. Policies and tools are deployed in layers (system layer, network layer and application layer) to protect the different layers against attack. This speeds up action against threats and avoids even a small interruption to the business flow.
Encryption offers another layer of security for your data. What kind of encryption protocol does your cloud service provider use? Is the encryption impregnable? Have a close look at the cryptographic model. Some of these cryptographic algorithms are third-party certified (for instance, FIPS), and that may give you the confidence you need to adopt the algorithm for your data. However, it is important to ask your vendor about encryption key management. If the key is user-defined and user-managed, you are on a sure wicket. If the key is system-generated and vendor-managed, you need to delve deeper into the security arrangements for the key.
See the next post for Part II.