
The cloud is undoubtedly the future of the computing industry. Consumer adoption of the cloud is at an all-time high, which effectively means more data is being stored in the cloud than ever. As this trend continues, hackers have shifted their focus from traditional attacks to attacks that are focused on extracting data from the cloud. What are the best practices involved with ensuring the cloud is secure?
File Encryption
The number one rule for storing data in the cloud is that you should always encrypt your data. There are several different methods of encrypting a file once the file is created, and many of the encryption methods are free. You should ensure that your data is encrypted while it is at rest and while it is being moved within the cloud. Any transfer of data between a user and a cloud system should incorporate Secure Sockets Layer (SSL) or HTTPS encryption.
Exploiting Existing Software
Hackers seek to find out what you have installed on your cloud server and how it was installed. This helps them plan their attack method accordingly. The absolute worst thing you can do is spin up a new VM with all of the default settings in place. You should take the time to research the latest exploits and install patches and updates as needed.
One of the most popular attacks on the cloud involves hackers gaining access to one database or one virtual machine within a cluster, and using their access to exploit the hypervisor and break outside of the shell. If a hacker can achieve this, they can often see everything that is stored on the bare metal server itself.
Set Up a Strong Firewall
If you are running on a public cloud, the only thing between your infrastructure and the internet is the firewall. Most firewalls are pretty easy to set up, and you should always follow the best practices for the specific firewall you have set up in your environment. Your vendor may have recommendations or provide you with a firewall to use.
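As an added example (not part of the original article), the following Python sketch audits a set of ingress rules for the kind of exposure this section and the default-settings warning above are about: administrative or database ports reachable from any address. The rule format, the rule names and the list of sensitive ports are assumptions made for illustration, not any vendor's schema.

```python
import ipaddress

# Assumption for this example: ports treated as sensitive (remote admin, databases).
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}

# Constructed sample ingress rules in a hypothetical format.
SAMPLE_RULES = [
    {"name": "web-https", "source": "0.0.0.0/0", "ports": (443, 443)},
    {"name": "ssh-anywhere", "source": "0.0.0.0/0", "ports": (22, 22)},
    {"name": "ssh-office", "source": "203.0.113.0/24", "ports": (22, 22)},
    {"name": "default-allow-all", "source": "::/0", "ports": (0, 65535)},
    {"name": "db-internal", "source": "10.0.0.0/16", "ports": (5432, 5432)},
]


def is_world_open(cidr):
    """True when the source range covers the whole IPv4 or IPv6 internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit(rules):
    """Return (rule name, reason) for each rule exposing a sensitive port to any address."""
    findings = []
    for rule in rules:
        if not is_world_open(rule["source"]):
            continue  # restricted source ranges are out of scope for this check
        low, high = rule["ports"]
        exposed = [
            f"{port}/{service}"
            for port, service in sorted(SENSITIVE_PORTS.items())
            if low <= port <= high
        ]
        if exposed:
            findings.append((rule["name"], "open to the internet: " + ", ".join(exposed)))
    return findings


if __name__ == "__main__":
    for name, reason in audit(SAMPLE_RULES):
        print(f"{name}: {reason}")
```

The public HTTPS rule and the rules limited to an office or internal range pass; the world-open SSH rule and the leftover allow-all default are reported.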
Password Policies
Password security should be obvious. You want all of your users to have super strong passwords. What many administrators do not account for is that many cloud security threats are internal, not external. What does that mean? It means that your organization should have policies in place where employees never share passwords or give another user access to a resource that the user doesn't have access to in the first place. You should always have something in place, such as Active Directory Federation Services or OpenID, that facilitates single sign-on.
Additional Learning
The types of security listed in this article are a good starting point for anyone wanting to harden the security of their cloud. Another popular point of attack that administrators need to be cognizant of is any application APIs present in your environment. Make sure that these are always up to date.
Cloud security is a hot topic within the tech community, and there are several different courses and seminars on the topic. The most notable method of extending your knowledge on cloud security is to pursue the Certificate of Cloud Computing Knowledge. Obtaining this certification means that a person is certified by the Cloud Security Alliance. The certification is vendor-neutral, and someone possessing this certification will know all of the best practices that involve security and the cloud.