As many B2B companies start to move to the cloud and the many possibilities it offers, it’s time to talk about safety and security.
The move to the cloud brings with it not only changes in the IT department, but also changes in the power this department will have in the future.
Many cloud providers say they have a high level of security, higher than private networks. They stress that the cloud is the next step in technology, providing platforms that are cheaper, scalable, and easier to manage than a local network.
For most B2B businesses, when computers shut down, so does the business. An example just happened in the U.S. On Aug. 9, 2016, Delta Air Lines' computers crashed because of a fire in the server room and not enough backup power. It caused the whole network to go down and the company to cancel 2,100 flights over 3 days.
The main resistance point for businesses moving to the cloud can be boiled down to this: cloud-based models force a company to divert all of its databases to the cloud. What is typically the biggest asset of a company, its information, is now managed by a third party. Despite the cloud’s many advantages, this seems to be the psychological hurdle businesses have to overcome. Now it becomes a boardroom issue, not an IT issue. Hence the change in IT department responsibilities and decision making.
There are statutory and regulatory issues when it comes to dealing with the healthcare, financial services, and insurance industries, but not for other industries. Not yet, anyway.
The Cloud Security Alliance (CSA) holds summits in many cities where these issues are discussed. It recently held a conference that produced some interesting insights. As with any other transmission method, the cloud has its problems with safety and security.
The always-open and shared nature of the cloud introduces the possibility of new security breaches. Cloud services enable users to bypass organization-wide security policies and set up accounts without bothering with regulations. That can endanger others who share the same app, for example.
Cloud computing has many of the same characteristics as a traditional corporate network, but because of the huge amount of data stored in the cloud, it is now a more desirable target.
Here are some of the threats facing cloud computing these days:
Cloud providers use security controls to protect their environment, but ultimately it’s the businesses that are responsible for protecting their own data in the cloud.
When a data breach occurs, companies may face criminal charges, lawsuits, or fines. But the data has already been breached, and a fine is no compensation for lost data.
CSA recommends using multifactor authentication and encryption.
Compromised Credentials and/or Authentication Breach
Data breaches can happen due to lax authentication, weak passwords, and poor key or certificate management. Businesses sometimes struggle with allocating permissions appropriate to the user’s job. Most often, breaches are caused by not removing user access when a person changes position or leaves the company.
The solution? Multifactor authentication, such as one-time passwords, phone-based authentication, and smartcards, provides protection against stolen passwords. Anthem, the health insurance company, suffered a breach and 80 million customer records were exposed. It was the result of stolen user credentials.
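The access-removal failure described above (a leaver or a person who changed position keeping old grants) can be caught by reconciling the HR roster against the cloud account list. The following is an added example, not part of the original article; the roster and account export formats, names and dates are constructed for illustration.

```python
from datetime import date

# Constructed HR roster: user -> (status, current role, date of last HR change).
HR_ROSTER = {
    "alice": ("active", "finance", date(2016, 3, 1)),
    "bob": ("terminated", "engineering", date(2016, 6, 30)),
    "carol": ("active", "support", date(2016, 7, 15)),  # moved from finance
}
# Constructed cloud account export: (user, granted role, enabled).
CLOUD_ACCOUNTS = [
    ("alice", "finance", True),
    ("bob", "engineering", True),
    ("carol", "finance", True),
    ("carol", "support", True),
    ("dave", "admin", True),
    ("erin", "finance", False),
]


def review_access(roster, accounts, today):
    """Return (user, role, reason, days_exposed) for every grant that should be gone."""
    findings = []
    for user, role, enabled in accounts:
        if not enabled:
            continue  # disabled grants cannot be used to log in
        record = roster.get(user)
        if record is None:
            # No HR record at all: nobody is accountable for this account.
            findings.append((user, role, "orphaned", None))
            continue
        status, current_role, changed = record
        exposure = (today - changed).days
        if status != "active":
            findings.append((user, role, "leaver", exposure))
        elif role != current_role:
            findings.append((user, role, "mover", exposure))
    return findings


if __name__ == "__main__":
    for finding in review_access(HR_ROSTER, CLOUD_ACCOUNTS, date(2016, 8, 15)):
        print(finding)
```

The `days_exposed` value gives the number of days a stale grant has outlived the HR change, which helps prioritize cleanup.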
The problem also exists in the development of apps and programs when developers make the mistake of embedding credentials and cryptographic keys in the source code and leaving them in public repositories.
Keys need to be appropriately protected, and a well-secured public key infrastructure is needed.
CSA suggests rotating the keys periodically to make it even harder for attackers to use keys obtained without authorization.
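Both points above, credentials embedded in source code and periodic key rotation, can be checked automatically before code is pushed. The following is an added example, not part of the original article or any CSA tooling; the heuristic pattern, the 90-day rotation window, and the sample source and key inventory are assumptions constructed for illustration (the AWS key ID is the placeholder from AWS's own documentation).

```python
import re
from datetime import date

# Known credential formats plus one heuristic rule (the heuristic is an assumption).
RULES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_secret": re.compile(
        r"(?i)(?:password|passwd|secret|api_?key|token)\w*\s*[:=]\s*[\"']([^\"']{8,})[\"']"
    ),
}
# Values that are templates or placeholders rather than real secrets.
PLACEHOLDER = re.compile(r"^(?:\$\{.*\}|<.*>|changeme|example.*)$", re.I)


def scan_source(text):
    """Return (line_number, rule_name) for each suspected embedded credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rule in RULES.items():
            match = rule.search(line)
            if not match:
                continue
            if name == "hardcoded_secret" and PLACEHOLDER.match(match.group(1)):
                continue  # template variable, not a literal secret
            findings.append((lineno, name))
    return findings


def keys_due_for_rotation(inventory, today, max_age_days=90):
    """Return IDs of keys older than max_age_days (90 days is an assumed policy)."""
    return sorted(
        key_id for key_id, created in inventory.items()
        if (today - created).days > max_age_days
    )


# Constructed sample: a config module as it might be committed to a repository.
SAMPLE_SOURCE = '''\
import os
DB_PASSWORD = "s3cr3t-Pr0d-2016"
API_KEY = os.environ["API_KEY"]
aws_key = "AKIAIOSFODNN7EXAMPLE"
token = "${CI_TOKEN}"
'''
# Constructed key inventory: key ID -> creation date.
SAMPLE_KEYS = {"svc-backup": date(2016, 1, 4), "svc-web": date(2016, 7, 20)}

if __name__ == "__main__":
    print(scan_source(SAMPLE_SOURCE))
    print(keys_due_for_rotation(SAMPLE_KEYS, today=date(2016, 8, 15)))
```

Reading the key from the environment (line 3 of the sample) and using a template variable (line 5) pass the scan; only the literal password and the literal key ID are flagged.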
It is the business’s responsibility to protect the identity of its customers. It is imperative to know what security measures the cloud provider is providing.
Insecure Interfaces and APIs
Almost every cloud service these days offers APIs. IT teams use interfaces and APIs to access and manage programs to serve the company better. These APIs need to be secured, as they play an integral part in many operations. Weak APIs expose the company to security issues related to confidentiality, integrity, availability and accountability.
APIs must be designed to protect against accidental and malicious attempts.
The CSA recommends controls that will be the first line of defense and detection. It also recommends security-focused code review and penetration testing.
System Vulnerability Exploits
Exploitable bugs in programs are not new, but they become a bigger problem in the cloud because of the close proximity of systems to one another.
Attacks, the CSA says, can be mitigated by basic IT processes and the costs are relatively small compared to other IT expenditure and potential damage.
Account or Service Hijacking
Attackers gain unauthorized access to control the business’s account. They can eavesdrop on activities, manipulate transactions, and modify data. Hijacked accounts are also used in cloud applications to launch other attacks.
Businesses should prohibit sharing or exchanging of account credentials. Service accounts should be monitored and traceable to make sure transactions are done by a human being.
Malicious insiders can steal the company’s and users’ data, and obtain passwords, cryptographic keys, and files. The attackers can be current or former employees, system administrators, contractors or business partners.
The way to avoid such attacks is to treat passwords seriously, segregate duties and minimize access. An effective monitoring system and auditing of administrator activities are critical. Some of those breaches can happen innocently, by an employee doing a routine job and copying something by mistake, so proper training is required.
Advanced Persistent Threats
APTs, as they are called, infiltrate systems and establish a foothold. They stealthily extract information over a long period of time. They are difficult to detect because they blend in with normal traffic. Most cloud companies apply advanced techniques to prevent this from happening, but businesses have to be diligent as well.
Common entry points are USB drives preloaded with malicious code, phishing techniques, direct attacks, and a third-party network that has been compromised.
The best way to combat it, CSA says, is to train employees to recognize phishing attempts. Reinforce the rules of safe communication and have an IT department that is current on new threats.
Permanent Data Loss
As cloud providers have become more sophisticated, cases of permanent data loss as a result of a catastrophe in the cloud are extremely rare. But they could happen due to natural disasters or an act of war.
Cloud providers recommend distributing data and applications across multiple zones for added protection. That, and adhering to best practices in business continuity and disaster recovery.
Although cloud providers are doing their best to prevent data loss, a company that encrypts data before uploading it to the cloud has to be very careful to protect the encryption key. Once the key is lost, there is no access to the data.
Denial of Service is not a new trick; it has been around for years. Systems start to work slowly or time out because the attacks consume a large amount of processing power. Something the business will have to pay for.
Cloud providers are in a better position to combat those attacks, but businesses must have a plan to mitigate the attack before it happens, so administrators have access to them when the need arises.
Cloud services share infrastructure, platforms, and apps. If a vulnerability exists in any one of them it will affect the others.
“A single vulnerability or misconfiguration can lead to a compromise across an entire provider’s cloud,” CSA says in its report.
CSA recommends a defense-in-depth approach, such as multifactor authentication on all hosts, and host-based and network-based intrusion detection systems.
Cyber security threats are a cat and mouse game that is ever changing. As one IT guy finds solutions to a problem, others are invented. The nature of cyber security is reactive. An attack happens and solutions are orchestrated. As a business owner, it is better to be active than reactive.
As a B2B business owner there are a few questions to ask yourself to make sure your disaster recovery and business continuity are ready to go:
- Have you performed a business impact assessment? – What do you really need in order to survive in a disaster? A thorough audit will identify those. An audit maps the critical business processes you absolutely need to continue in operation.
- If you don’t have an in-house IT department, have you discussed it with an expert? Make sure that whoever builds your disaster recovery plan knows how to operate it, and can pass it on to someone else when the need arises.
- Did you cover all the bases? – Have you invested enough in resources, budgets or time? A smart recovery plan can make or break a business when a disaster
- What will be your alternative line of communication? If the phone lines are down, cell phone communication has crashed, and your employees are scattered everywhere, what would you do? Plan a number of communication scenarios.
- Are your plans current and accurate? Things change very quickly in the world of computing and communications. Is your plan adjusted to the new technology? And, you don’t want to rely on employees that have long left your business. Your contact list has to be up to date.
- Have you tested the plan? If you do it once a year, you may find things that are not working as they should or things that need to be updated.