by Carol Vercellino, CEO of Oak City Labs
Are you following suit with the rest of the world and moving your data to the cloud?
Cloud storage can eclipse a traditional on-premise data warehouse when it comes to speed, reliability, flexibility, and security. But is your data really secure in the cloud? Many people are worried about security when they move to the cloud.
So, let’s look more closely at cloud storage security and the three things you need to consider when migrating your data to the cloud.
What are you storing? Where are you storing it? And what’s the structure of that data and who needs to access it? These are all very important things to think about because you’ll want to design access controls into the storage infrastructure of the data in the beginning to make it easier to scale in the future.
For example, if you’re housing patient information, you may have critical protected health information (PHI) located in part of the cloud that you don’t want everyone to have access to, such as a developer.
However, you can break out your data into different environments. For example, in software development, it’s good practice to have several different environments for your work.
You might have a development environment, a Quality Assurance environment for testing, a staging environment to test changes before they’re promoted to production, and then finally production. Production should only be accessed by a limited number of individuals.
By separating your environments, you can gain control over the security of your data.
Also, the data in development doesn’t need to be the same data as in production – it just needs to look like it. In theory, your code – or the application you’re working on – should be the same in all those environments. And that can be a very helpful way to limit access to data while also helping with patching vulnerabilities when they pop up, whether it’s in the software itself, or it’s on the operating system you’re running these things on.
According to one report, 60% of breaches involve vulnerabilities where a patch was available, but not applied. And a lot of that is because people are scared to do patching; they’re afraid it’ll break production.
By having multiple environments you can test your patches at each level, and then you’re reducing the risk that that patch will cause a problem in production while creating secure environments.
Documentation & Procedures
Documentation and procedures are very related to your data concerns. Not all startups will have much documentation, but in a more formal environment, like healthcare or government, you’ll have a ton and will want to get started on it very early on in the migration process.
Here are some documentations you need to think about:
Change management procedures and control
When a change happens, who’s notified about it? And who’s able to make that change and document that change?
Incident Response Plan
You’ll need to have a plan for what happens if you do have an incident. What kind of response does your team need to have? And what kind of documentation do you need to have a long way? An Incident Response Plan is especially important in healthcare.
A Patch and Vulnerability Plan
What is your patching schedule? How do you coordinate it and keep an audit trail of all the changes?
People. Humans. They have access to all this data.
And social engineering is used by most hackers in order to gain access to systems, whether it’s them trying to guess the password or sending out emails. In fact, 94% of malware is delivered by email.
Our team members, our employees, our vendors…they need to have awareness and training on secure procedures and a way to think about security.
For example, if my organization is training people on security, I would train our team members to think twice about opening emails from the Prince of Nigeria who’s sending an Excel File about our company’s finances. Instead, they should not open the file and notify either the IT department or a security engineer or professional in our organization.
It’s also important to think about physical entry to buildings. While your data and/or applications are in the cloud, if somebody was to gain physical access to your facility or office, then they could hack somebody’s account and get access to the cloud.
In fact, there’s a story of a hacker who bought a $4 CISCO t-shirt and showed up at an organization saying he was the new CISCO engineer who was there to fix the phone system. They let him in, and he and another person were able to penetrate their network – company wide. Yikes.
So, physical security can be incredibly important as well – even while we’re all working from home. Having security awareness and training plans within your organization can help you tremendously.
Are you ready to migrate to the cloud?
It’s no surprise most companies are moving to the cloud – it’s flexible, reliable, and scalable. And, also very secure.
Many of the concerns we talked about here are not specific to the cloud; they’re specific to data in general. So, if you spend time focusing on your data, documentation, and people, you can feel confident in your secure migration to the cloud.