As businesses of all sizes move computing resources to the cloud, new security concerns require careful attention and planning.
Here are four of the most common security mistakes that organizations make as they adopt cloud services, and ways to avoid them:
1. Don’t Publish Sensitive Business Information
Cloud services make it easy to collaborate with other organizations and share information at the push of a button. That convenience can also spell disaster if an employee accidentally publishes sensitive information to the web.
To avoid that, make sure you understand which access control settings can allow public access. Put a speed bump in the publishing process, such as a prompt that reads “Are you sure you want to publish this publicly?”
2. Avoid Unvetted Cloud Security Solutions
Ease of adoption is one of the key selling propositions for cloud services. They can be so easy to adopt, in fact, that employees sometimes discover new services and use them to store and process sensitive information without appropriate vetting.
Combine user education efforts with monitoring approaches that watch for the use of unvetted services.
3. Watch Out for Weak Encryption
Organizations that use nonsecure encryption protocols risk exposing sensitive information to attackers. Ensure cloud providers not only support strong TLS-based encryption using secure ciphers, such as AES, but also explicitly block the use of nonsecure ciphers.
Using outdated technology, including the SSL protocol and DES cipher, is almost as risky as not using any encryption at all.
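One way to check this from the client side, as an added example that is not part of the original article: a Python sketch that flags legacy protocols and weak cipher suites in a provider's advertised list, and builds a client context that refuses them. The function names and the sample scan data are constructed for illustration, and treating TLS 1.0/1.1 as legacy goes beyond the SSL example named above.

```python
import socket
import ssl

# Components that mark a suite as nonsecure (OpenSSL or IANA style names).
WEAK_TOKENS = {"DES", "3DES", "DES40", "RC4", "RC2", "NULL",
               "EXP", "EXPORT", "MD5", "ADH", "AECDH", "anon"}
# SSL is named in the article; TLS 1.0/1.1 are added here as deprecated versions.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def is_weak_cipher(name):
    """True if any component of the suite name is a known-weak algorithm."""
    return any(t in WEAK_TOKENS for t in name.replace("_", "-").split("-"))

def hardened_context():
    """Client context that refuses SSL/early TLS and offers only AES-GCM suites."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL:!eNULL:!MD5:!3DES:!DES:!RC4")
    return ctx

def weak_ciphers_enabled(ctx):
    """Names of suites enabled in ctx that is_weak_cipher() flags."""
    return [c["name"] for c in ctx.get_ciphers() if is_weak_cipher(c["name"])]

def audit_offer(protocols, ciphers):
    """Findings for a provider's advertised protocols and cipher suites."""
    findings = [f"legacy protocol: {p}" for p in protocols if p in LEGACY_PROTOCOLS]
    findings += [f"weak cipher: {c}" for c in ciphers if is_weak_cipher(c)]
    return findings

def negotiated(host, port=443, timeout=5):
    """Connect with the hardened context; return (protocol, cipher) or raise."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with hardened_context().wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]

# Constructed sample: what a scan of a hypothetical provider endpoint reported.
SAMPLE_PROTOCOLS = ["SSLv3", "TLSv1.2", "TLSv1.3"]
SAMPLE_CIPHERS = ["ECDHE-RSA-AES256-GCM-SHA384", "DES-CBC3-SHA",
                  "TLS_RSA_WITH_RC4_128_MD5"]

if __name__ == "__main__":
    for finding in audit_offer(SAMPLE_PROTOCOLS, SAMPLE_CIPHERS):
        print(finding)
    print("weak suites in hardened context:", weak_ciphers_enabled(hardened_context()))
```

Calling negotiated() against a provider endpoint you use raises an SSL error when the server can only speak the protocols or ciphers the hardened context refuses, which makes it usable as a recurring check.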
4. Guard Against Poor Incident Response
When an organization hosts its own services, responding to a security incident is within its control. If the breach occurs at a cloud provider, things become much more complicated.
Work with cloud providers to ensure contracts include specific language about when the provider will notify you about security incidents, the response procedures they will follow and the types of information they will share.