Your Cloud Data is At Risk: So Start Building a Defense

essidsolutions

Being on the cloud doesn’t absolve users of the responsibility to protect the data they manage on those services. As more businesses rely on cloud applications for critical business functions, they need to proactively protect business-critical data. This article discusses how to take more control of your cloud app data and strategies to mitigate your risks.

Cloud computing is now so ingrained into our day-to-day lives that we often forget how new the technology truly is. The term “cloud computing” started to appear just before the new millennium and “Software-as-a-Service” only entered our vocabulary around eight years ago. Today, there are thousands of SaaS products just in the marketing space and tens of thousands of software products across hundreds of vertical industries.

The surge in cloud technology adoption has created new industries, as well as new business models. Cloud computing has also helped hundreds of millions of small and mid-sized enterprises (SMEs) meet their business goals. However, there is also a naive level of trust with cloud computing that has permeated our daily lives. Services like Box, Dropbox, Google Drive and iCloud have created the illusion that the cloud is a magical place where your data is easily recoverable and available on all your devices, regardless of what apps you use. Unfortunately, this is not always the case, and businesses that rely on cloud software to drive their growth are at risk of losing critical data sets without the proper precautions in place.

Limitations of Cloud Computing

To understand why businesses are at risk, you have to consider how cloud software is written. Whether you deploy your product on Amazon Web Services (AWS), Microsoft Azure, Google Cloud, or another Infrastructure-as-a-Service (IaaS) provider, they all follow the same “Shared Responsibility Model” for data security and storage.

The crux of this model is that IaaS (infrastructure as a service) providers will do their best to ensure their infrastructure is always operating and protected from security threats and data disasters. However, this is where their responsibility ends.

The moment you deploy your cloud software onto this infrastructure, you assume the responsibility for all aspects of your use of this infrastructure – from the application code to your customer data. In other words, you are on the hook for the resiliency of your software and all of its associated data.

This model permeates up from the IaaS provider to most Platform-as-a-Service (PaaS) and SaaS products. This means that while a SaaS/PaaS product will own the responsibility of ensuring their services are always operating and protected from security threats and data disasters, as a user of a SaaS/PaaS product, you are responsible for the data you manage in those services. If anything is deleted or compromised, there are absolutely no guarantees it could be recovered. It could be lost forever.


The Perfect Storm of Cybercrime & Cloud Computing

Over the last decade, there has been a steady stream of headlines about major brands facing some type of cyber attack. Multinationals like Adobe, Sony, Target, Equifax and Marriott have all been compromised in some way. The pace and frequency of attacks is increasing, and there is no end in sight. Cases of ransomware, for example, have risen by an incredible 500 percent according to research firm Forrester.

Criminals are also finding new ways to wreak havoc. Global consulting firm Accenture’s report, Cost of Cyber Crime, identified more than half a dozen techniques being used by criminals to compromise or delete data.

Additionally, if you thought small- to medium-sized businesses could fly under the radar of cybercriminals, you would be wrong. According to the National Cyber Security Alliance, over 70 percent of small businesses were attacked by cybercriminals. Of this group, one in 10 were forced to close their doors for good. The widespread adoption of PaaS and SaaS has helped SMEs drive efficiencies and increase the bottom line. However, this same reliance on cloud computing has created a perfect environment for cybercriminals to take advantage of unprepared companies.

6 Best Practices To Protect the Data That Drives Your Business

Here’s the good news: There are strategies you can put in place to mitigate the risks to your business. It’s best to have more than one data protection process in place. Here are the most common ones for cloud applications:

1. Principle of Least Privilege

Typically, the larger the company, the larger the number of people who use the online tools that are needed to run your business. The strategy of least privilege ensures that you limit access to business-critical tools. Only the people who need access, get access.

Taking it a step further, sometimes access is only needed on a temporary basis. Without a proper procedure to limit, audit and remove unnecessary access, you are exposing yourself to fault and malicious behavior. So if your tools have a permissions feature, always ensure you provide the fewest permissions needed to complete a task.

2. Better Secrets

This data protection strategy is often avoided because it’s more convenient to reuse passwords that are easy to remember. If you don’t have a policy in place that requires complex, difficult-to-remember, and unique passwords, you’re doing it wrong.

Don’t stop at better passwords either. Many services offer a password recovery mechanism that involves providing answers to questions like “What is your mother’s maiden name?”. Instead of revealing some personal information about you and your family, provide a complex, difficult-to-remember, and unique string for these questions as well.

Now that you have a long list of difficult-to-remember passwords, you still need to remember them somehow. Sticky notes on your monitor and files on your computer are not the answer here; neither is relying on your internet browser. Use a password manager like 1Password or LastPass. Password managers are fantastic tools that will help save you time and sanity by keeping secrets private, encrypted, and locked away from unauthorized eyes.


3. Embrace Two-Factor Authentication

It’s quickly becoming the norm to have “multi-factor” or “multi-step” authentication (MFA). This strategy uses a unique code sent via SMS text or generated by an authenticator app on your mobile device. A significant number of software platforms have this security method built in, and you absolutely should be using it. Both of those password managers I mentioned above can act as an authenticator app, so while you’re working at making your secrets more secure, be sure to enable multi-factor authentication wherever you can.

Also, if you have the choice between SMS text and an authenticator app, I recommend you always go the authenticator app route for a couple of reasons. First, many authenticator apps are not tied to any one device – allowing you to access the MFA code if your phone isn’t close by. Second, there are creative ways for hackers to steal your mobile phone number and therefore steal any MFA codes being texted to you.

4. Knowledge is Power

So much cyber crime starts with identifying the vulnerabilities in the target. Unfortunately, the biggest vulnerabilities in your organization are your people. None of the previous strategies protect you from a hacker that can successfully fool someone into giving them the information they need to get at your data via phishing attacks. Educate people in your organization about how to avoid different phishing attack methods:

  • Verify suspicious emails and texts with the sender via an alternate channel like a new email/text message that you initiated or go old school and pick up the phone.
  • Ignore and delete unsolicited emails/texts from people outside of your organization; if it was really important, they’ll reach out to you in another manner.
  • Never open or click on suspicious documents or links in an email/text; best to validate what was sent with the sender via an alternate channel if you aren’t sure.
  • Be suspicious of unsolicited instructions you receive via email/text; if you don’t know why you are getting instructions to do something, best to ignore it.

5. Review All Third-Party Apps

The bulk of online platforms have hundreds of third-party applications. It’s critical to understand how these apps are integrated with your account and what types of data they are accessing. Some apps request the authorization to manipulate or even delete your data when they don’t need to. This strategy emphasizes the importance of reviewing the terms and conditions of these relationships to better understand the risk to you and your business.
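A sketch of the access review described here and in the least-privilege section, as an added example that is not part of the original article: it flags temporary access that has outlived its expiry and permissions that go beyond what a person or third-party app needs, calling out write and delete rights. The roles, permission names and grants are constructed sample data, not any real platform's.

```python
from datetime import date

# Constructed sample data: permissions each role or integration needs for its task.
NEEDED = {
    "support-agent": {"tickets:read", "tickets:write"},
    "contractor": {"files:read"},
    "calendar-sync-app": {"calendar:read"},
}

# Constructed grants: (principal, role, granted permissions, expiry date or None).
GRANTS = [
    ("alice", "support-agent", {"tickets:read", "tickets:write"}, None),
    ("bob", "contractor", {"files:read", "files:delete"}, date(2024, 3, 31)),
    ("sync-bot", "calendar-sync-app",
     {"calendar:read", "calendar:write", "contacts:delete"}, None),
]

DESTRUCTIVE = ("write", "delete", "admin")  # actions that can alter or remove data

def review(grants, needed, today):
    """Return (principal, finding, permissions) for every grant that should be
    removed or narrowed. A role missing from `needed` is treated as needing nothing."""
    findings = []
    for principal, role, granted, expires in grants:
        if expires is not None and expires < today:
            # Temporary access that was never revoked: remove all of it.
            findings.append((principal, "expired", sorted(granted)))
            continue
        excess = granted - needed.get(role, set())
        if excess:
            risky = any(p.rsplit(":", 1)[-1] in DESTRUCTIVE for p in excess)
            kind = "excess-destructive" if risky else "excess"
            findings.append((principal, kind, sorted(excess)))
    return findings

if __name__ == "__main__":
    for finding in review(GRANTS, NEEDED, date(2024, 6, 1)):
        print(finding)
```
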

Don’t forget to research how accessible and well-reviewed the software is either. A reputable company with an available development team is typically a safer bet than a company with little digital footprint and no contact information.

One quick and simple check that I have is to examine the copyright year on the app’s website. If it’s not the current year, move along. My theory is that if you aren’t diligent enough to keep something as basic as your copyright year up to date, you probably aren’t diligent enough in your development process either.

6. Backup Cloud Data

I saved one of the most important for last. If you ARE compromised, having a copy of everything will help you cut down on the time and effort it will take to restore everything. While it may seem straightforward, in reality, there are different methods for protecting data beyond the cloud. Some are more advanced than others. Let’s take some time to walk through them.


Not All Data Backup Strategies Are Made Equal

The first and most common method of protecting data, outside of the cloud, is leveraging the export abilities of a SaaS product to download your data. It’s straightforward but can also be cumbersome and time consuming if the export capabilities are limited. You may get to the point where you are manually managing and organizing hundreds of files. If you are saving these files on the same server as your cloud applications, then your data can still be compromised.

The second option is to build your own backup software in-house. It is essentially the opposite of manual saves. However, depending on the accessibility and volume of the data, this may not be a simple or cheap solution by any means. Outsourcing it can be expensive. And for companies that are technically savvy, you will still likely need to devote full-time internal resources to managing what you’ve built. The reason: Cloud applications are always making changes to their systems and APIs, so you need to change with them. If your custom-built solution stops working, then you will find yourself back at square one.

The final option is an off-the-shelf, third-party product. It provides an automatic software backup at a fraction of the price of a custom one. However, as I mentioned earlier, you need to research and find companies that have a strong history and success record of building these products.

Protecting Data Means Protecting Business Continuity

With cybercrime on the rise, it is a question of when your company will be attacked, not if. Take more control of your cloud app data now. Begin auditing the weaknesses of your cloud computing data strategy as soon as possible and start ensuring your company is proactive. Any data disaster will disrupt daily activities, but a prolonged recovery can also shake the foundations of your business.
