6 Essential Tips for Securing your Cloud Environment
Security is one of the most prominent things that cloud engineers need to take care of. Organizations move their applications and data to the cloud for the productivity gains, and they weigh those gains against significant concerns about compliance and security. Security in the cloud is not the same as security in the corporate data center: different rules and different thinking apply when securing an infrastructure over which one has no real physical control.
When leveraging cloud services, enterprises need to evaluate several key factors, including:
- Data encryption capabilities for both data in transit as well as data at rest
- Data security, especially in a multi-tenant cloud environment
- Privacy controls on who can access your data, how long it will be used, storage etc.
- Maintenance and management controls and other measures the service provider has taken to ensure that the system is always protected
Many security professionals are highly skeptical about how secure cloud-based services and infrastructure are. In this post, we will discuss some best practices and guidelines that can be used to secure your cloud environment.
End-to-end Encryption of data in transit
All interaction with servers should happen over TLS (TLS 1.2), the protocol that has superseded SSL, to ensure the highest level of security. The TLS connection should terminate only within the cloud service provider's network, never at an intermediary outside it.
Encryption for data at rest
Encryption of sensitive data should be enabled at rest, not only when data is transmitted over a network. This is the only way you can confidently comply with privacy policies, regulatory requirements and contractual obligations for handling sensitive data. Data stored on disks in cloud storage should be encrypted using AES-256, and the encryption keys should themselves be encrypted with a regularly rotated set of master keys. Ideally, your cloud service provider should also provide field-level encryption, so that customers can specify the fields they want to encrypt (e.g., credit card number, SSN, CPF, etc.).
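The scheme described above (AES-256 on the data, the data keys themselves encrypted under master keys that are rotated, and encryption per field) is usually called envelope encryption. The Go code below is an added example of it, not code from the original post or from any provider. AES-GCM is the AES-256 mode chosen here, since the post names only the key size; `MasterKeyRing` is an in-memory stand-in for a KMS or HSM, and the field names and values are constructed samples.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is the stored form of one sensitive field (envelope encryption).
type Envelope struct {
	MasterKeyID string // master key that currently wraps WrappedKey
	WrappedKey  []byte // 256-bit data key, AES-256-GCM under the master key
	Ciphertext  []byte // field value, AES-256-GCM under the data key
}

// MasterKeyRing stands in for a KMS/HSM: master keys by id; Current is used for new wraps.
type MasterKeyRing struct {
	Current string
	Keys    map[string][]byte
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM returns nonce || AES-GCM(plaintext); aad is authenticated but not encrypted.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce for every seal
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; any change to the bytes or to aad fails the tag check.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// EncryptField seals one field (e.g. a card number) under a fresh data key and wraps that
// key under the current master key. The field name is AAD, so a ciphertext cannot be
// moved into a different field without the tag check failing.
func (r *MasterKeyRing) EncryptField(field string, value []byte) (*Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	ct, err := sealGCM(dataKey, value, []byte(field))
	if err != nil {
		return nil, err
	}
	wrapped, err := sealGCM(r.Keys[r.Current], dataKey, []byte(r.Current))
	if err != nil {
		return nil, err
	}
	return &Envelope{MasterKeyID: r.Current, WrappedKey: wrapped, Ciphertext: ct}, nil
}

// DecryptField unwraps the data key with whichever master key wrapped it, then opens
// the value. A retired (deleted) master key makes the unwrap fail, as intended.
func (r *MasterKeyRing) DecryptField(field string, e *Envelope) ([]byte, error) {
	dataKey, err := openGCM(r.Keys[e.MasterKeyID], e.WrappedKey, []byte(e.MasterKeyID))
	if err != nil {
		return nil, fmt.Errorf("unwrap under master key %q: %w", e.MasterKeyID, err)
	}
	return openGCM(dataKey, e.Ciphertext, []byte(field))
}

// Rotate installs a fresh master key, makes it current and re-wraps the given envelopes
// under it. Only the 32-byte data keys are re-encrypted; Ciphertext is never touched.
// Once every envelope has been moved, the previous master key can be deleted from Keys.
func (r *MasterKeyRing) Rotate(newID string, envs ...*Envelope) error {
	mk := make([]byte, 32)
	if _, err := rand.Read(mk); err != nil {
		return err
	}
	r.Keys[newID], r.Current = mk, newID
	for _, e := range envs {
		dataKey, err := openGCM(r.Keys[e.MasterKeyID], e.WrappedKey, []byte(e.MasterKeyID))
		if err != nil {
			return err
		}
		wrapped, err := sealGCM(mk, dataKey, []byte(newID))
		if err != nil {
			return err
		}
		e.MasterKeyID, e.WrappedKey = newID, wrapped
	}
	return nil
}
```

Two properties are worth noticing: rotating the master key never re-encrypts the bulk data, so rotation cost does not grow with the size of the stored records; and because the field name is bound in as associated data, a ciphertext lifted from the credit-card column cannot be decrypted as if it were the SSN column.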
Rigorous and Continuous Vulnerability testing
The cloud service provider should employ industry-leading vulnerability assessment and incident response tools. Such tools enable fully automated security assessments that test for system weaknesses and dramatically shorten the interval between critical security audits from yearly or quarterly to monthly, weekly, or even daily. You can decide how often a vulnerability assessment is required, varying from device to device and from network to network. Scans can be scheduled or performed on demand.
Defined and enforced data deletion policy
After a customer’s data retention period (as specified in a customer contract) has ended, that customer’s data should be programmatically deleted.
Protective layers for user-level data security
The cloud service should provide role-based access control (RBAC) features to allow customers to set user-specific access and editing permissions for their data. This system should allow for fine-grained access control that enforces segregation of duties within an organization, to maintain compliance with internal and external data security standards.
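As an added example (not code from the original post), the Go program below implements the two things the paragraph asks of an RBAC system: a deny-by-default permission check driven by roles, and segregation of duties enforced at the point where a role is assigned, so a principal can never end up holding both sides of a conflicting pair. The roles, permissions and user names are a constructed payments-service policy, and the type and function names are chosen for this example.

```go
package main

import (
	"fmt"
	"sort"
)

type Permission string
type Role string

// Policy maps roles to permissions and lists permission pairs that a single
// principal must never hold together (segregation of duties).
type Policy struct {
	RolePerms map[Role][]Permission
	Conflicts [][2]Permission
}

// Principal is a user or service account together with its assigned roles.
type Principal struct {
	ID    string
	Roles []Role
}

// effective returns the union of permissions granted by the given roles.
func (p Policy) effective(roles []Role) map[Permission]bool {
	out := map[Permission]bool{}
	for _, r := range roles {
		for _, perm := range p.RolePerms[r] {
			out[perm] = true
		}
	}
	return out
}

// Allowed is the per-request check: deny by default, allow only if some role grants perm.
func (p Policy) Allowed(pr Principal, perm Permission) bool {
	return p.effective(pr.Roles)[perm]
}

// Violations lists every conflicting pair the role set would grant, sorted for stable output.
func (p Policy) Violations(roles []Role) []string {
	have := p.effective(roles)
	var out []string
	for _, c := range p.Conflicts {
		if have[c[0]] && have[c[1]] {
			out = append(out, fmt.Sprintf("%s+%s", c[0], c[1]))
		}
	}
	sort.Strings(out)
	return out
}

// AssignRole adds r to the principal only if the resulting role set keeps segregation
// of duties; otherwise it returns an error and leaves the principal unchanged.
func (p Policy) AssignRole(pr *Principal, r Role) error {
	if _, known := p.RolePerms[r]; !known {
		return fmt.Errorf("unknown role %q", r)
	}
	proposed := append(append([]Role{}, pr.Roles...), r) // copy, so a refusal changes nothing
	if v := p.Violations(proposed); len(v) > 0 {
		return fmt.Errorf("assigning %q to %s would violate segregation of duties: %v", r, pr.ID, v)
	}
	pr.Roles = proposed
	return nil
}

// SamplePolicy is a constructed policy for a payments service: whoever submits a
// payment must not also be able to approve it.
func SamplePolicy() Policy {
	return Policy{
		RolePerms: map[Role][]Permission{
			"viewer":    {"records:read"},
			"editor":    {"records:read", "records:write"},
			"submitter": {"records:read", "payments:submit"},
			"approver":  {"records:read", "payments:approve"},
		},
		Conflicts: [][2]Permission{{"payments:submit", "payments:approve"}},
	}
}

func main() {
	policy := SamplePolicy()
	alice := Principal{ID: "alice", Roles: []Role{"submitter"}} // constructed sample user
	fmt.Println("alice may read:", policy.Allowed(alice, "records:read"))
	fmt.Println("alice may approve:", policy.Allowed(alice, "payments:approve"))
	fmt.Println("assign approver:", policy.AssignRole(&alice, "approver"))
}
```

Checking the conflict at assignment time rather than at request time is the design choice here: a request-time check would still let the toxic combination exist in the directory, where it shows up in audits, while refusing the assignment keeps the role data itself compliant.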
Rigorous compliance certification
The two most important certifications are:
- SOC 2 Type II: Helpful in internal risk management processes, regulatory compliance oversight, as well as vendor management programs, SOC 2 certification confirms that a cloud service is specifically designed and rigorously managed to maintain the highest level of data security.
- PCI DSS: To achieve this certification, a SaaS provider has to undergo detailed audits to ensure that sensitive data (e.g., credit card data) is stored, processed and transmitted in a fully secure and protected manner. The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures.
Both certifications can offer useful comparative information for the cloud service providers you may be considering. These are just some of the key security provisions that any cloud service provider should build into its cloud service.