It wasn't me, it was the Cloud.....
- Peter Hawes
- Jan 22, 2018
- 2 min read

Cloud Security Guide
Why am I writing a guide to cloud security when there are already great guides available? Because people are starting from the wrong point and arriving at the wrong destination. They are trying to map a single policy to a technology that is fluid with many different
Start with Data!
If your data is already out there, it probably doesn't need securing; you should just let it be.
However, if a platform lets you share data, deliberately or inadvertently, that is a risk and should be controlled. The only way to do this effectively is to understand what your data is and where it is, across all internal and cloud sources. With GDPR coming, knowing your data is not a nice-to-have but a must-have!
Most organisations don't try to control people's logins to personal banking; in certain countries privacy laws mean you have to bypass any examination of that traffic. Yet you are rightly concerned about password re-use in unsanctioned applications.
So protect your own systems, and your people from themselves, by using two-factor authentication or newer identity models.
Cloud - What Cloud?
Indeed. What cloud? Everyone knows it isn't a cloud, but it's a convenient way of saying "someone else's problem". "They are responsible for the security of my data whilst it's there" - not true! There may be contractual obligations around this, but not all cloud services are created equal, and not all are suitable for all applications and services. It's your responsibility to manage your customer and staff data regardless of where you put it, so get smart and perform the necessary due diligence.
Broadly, there are three types of cloud service:
SaaS - Software as a Service (how is it certified, where do they store my data, is it encrypted at rest and in transit?)
PaaS - Platform as a Service (how is the platform maintained, what are the patch schedules, failover plans and regional considerations?)
IaaS - Infrastructure as a Service (everything from the operating system up is your responsibility, just as it is in your own data centre; the provider looks after the physical facility and the virtualisation layer.)
Understand your Risk….
My main point is this: if you don't understand what services you are using and what they are being used for, you can't expect to secure them effectively. You end up either with insufficient protection for valuable data, or over-protecting services which aren't a concern.
Once you understand what you have and how it's used, you can decide on an appropriate plan and policy. If you are reading this it's already too late to set a policy and simply follow it: you already have shadow IT, and data in a number of locations not controlled by you. Get a next-generation proxy or a CASB (cloud access security broker), get some visibility into your real world, and regain control.
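The "get some visibility" step above is the one you can start on today with the logs you already have. The following is an added example, not code from the original post: it reads a small set of constructed proxy log lines (the format, the user names, the sanctioned-domain list and the SaaS catalogue are all assumptions for the example), separates sanctioned destinations from unsanctioned SaaS, and flags large uploads to the unsanctioned ones, which is roughly what a CASB's discovery report gives you.

```python
"""Shadow-IT discovery from proxy logs (added example, not from the original post).

Assumes a simple space-separated log format, constructed for this example:
    <timestamp> <user> <method> <host> <bytes_out> <action>
Real proxies (Squid, Zscaler, Blue Coat, ...) each have their own format; only
parse_line() needs to change to fit one of them.
"""
import re
from collections import defaultdict

# Constructed sample log lines; not taken from any real system.
SAMPLE_LOG = """\
2018-01-22T09:01:11Z alice GET mail.corp.example.com 512 allow
2018-01-22T09:02:45Z alice POST drive.google.com 48201344 allow
2018-01-22T09:03:02Z bob GET www.dropbox.com 1024 allow
2018-01-22T09:04:10Z bob POST content.dropboxapi.com 91234567 allow
2018-01-22T09:05:33Z carol GET sharepoint.corp.example.com 2048 allow
2018-01-22T09:06:01Z carol POST wetransfer.com 12000000 allow
2018-01-22T09:07:17Z dave GET api.trello.com 4096 allow
2018-01-22T09:08:40Z eve GET files.someunknownapp.net 700 allow
"""

# Assumed list of sanctioned domains; anything matching a parent of these is "yours".
SANCTIONED = {"corp.example.com"}

# Hypothetical catalogue mapping domains to the SaaS they belong to.
SAAS_CATALOGUE = {
    "drive.google.com": "Google Drive",
    "dropbox.com": "Dropbox",
    "dropboxapi.com": "Dropbox",
    "wetransfer.com": "WeTransfer",
    "trello.com": "Trello",
}

UPLOAD_THRESHOLD_BYTES = 10 * 1024 * 1024  # flag single uploads of 10 MiB or more

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|CONNECT) (\S+) (\d+) (\S+)$")


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, method, host, bytes_out, action = m.groups()
    return {"ts": ts, "user": user, "method": method, "host": host.lower(),
            "bytes_out": int(bytes_out), "action": action}


def classify_host(host):
    """Return (service_or_domain, sanctioned) for a hostname.

    Walks from the full hostname up through its parent domains, so
    content.dropboxapi.com matches the catalogue entry for dropboxapi.com and
    mail.corp.example.com matches the sanctioned corp.example.com.
    """
    parts = host.split(".")
    for i in range(len(parts) - 1):          # stop at two labels, e.g. dropbox.com
        candidate = ".".join(parts[i:])
        if candidate in SANCTIONED:
            return candidate, True
        if candidate in SAAS_CATALOGUE:
            return SAAS_CATALOGUE[candidate], False
    return None, False


def shadow_it_report(log_text):
    """Summarise unsanctioned SaaS use per service: users seen, bytes uploaded,
    and individual uploads over the threshold. Also returns hosts that matched
    nothing, which is the list to go and investigate."""
    by_service = defaultdict(lambda: {"users": set(), "bytes_out": 0, "large_uploads": []})
    unknown_hosts = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        service, sanctioned = classify_host(rec["host"])
        if sanctioned:
            continue
        if service is None:
            unknown_hosts.add(rec["host"])
            continue
        entry = by_service[service]
        entry["users"].add(rec["user"])
        if rec["method"] in ("POST", "PUT"):   # only count data leaving the organisation
            entry["bytes_out"] += rec["bytes_out"]
            if rec["bytes_out"] >= UPLOAD_THRESHOLD_BYTES:
                entry["large_uploads"].append((rec["user"], rec["host"], rec["bytes_out"]))
    return dict(by_service), unknown_hosts


if __name__ == "__main__":
    report, unknown = shadow_it_report(SAMPLE_LOG)
    for service, info in sorted(report.items()):
        print(f"{service}: users={sorted(info['users'])} bytes_out={info['bytes_out']}")
        for user, host, size in info["large_uploads"]:
            print(f"  large upload: {user} -> {host} ({size} bytes)")
    if unknown:
        print("Unclassified hosts to review:", sorted(unknown))
```

The catalogue is the expensive part in practice, which is exactly what you are paying a CASB vendor for; the parsing and aggregation are trivial. The unclassified-hosts list matters as much as the flagged services: it is where the next shadow IT application shows up before anyone has named it.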
Thanks
Peter