Every second user of enterprise cloud services asks the question, “Why should I be confident that the provider won’t hand over my data to intruders?” But, as practice shows, such situations belong to the realm of fiction. Kaspersky Lab experts assert that 9 out of 10 cloud leaks are due to human error and user error.
To debunk the old myth that local environments are superior to clouds in matters of security, let’s look at the typical mistakes made by cloud providers’ clients that account for the lion’s share of incidents. Based on the experience of over 2000 cloud projects, we can say that most incidents are caused by the human factor, usually through inattention or ignorance of the basic principles of working with data.
Below are six of the most common situations that create information security risks, all of which can be easily prevented. Let’s find out if cloud storage can be a substitute for physical media, how users can protect their information in the cloud, and whether cloud services can be considered secure.
Open Ports in Infrastructure
Cybercriminals scan for such ports continuously and automatically, looking to break in and gain additional capacity or build botnets for subsequent DDoS attacks. Therefore, even a (seemingly) unnecessary isolated “account” in the cloud for trainee administrators to learn how to run virtual machines may one day come in handy for hackers.
Tip: Make sure that server and network ports are closed, and limit the ability to connect to them.
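One way to act on this tip is to review inbound firewall rules for ports left open to any address. The following is an added example, not part of the original article; the rule format, rule names, and port lists are assumptions made for illustration.

```python
import ipaddress

# Constructed inbound rules in a hypothetical, provider-neutral format.
INBOUND_RULES = [
    {"name": "web", "ports": "443", "source": "0.0.0.0/0"},
    {"name": "ssh-admin", "ports": "22", "source": "203.0.113.0/28"},
    {"name": "trainee-lab-rdp", "ports": "3389", "source": "0.0.0.0/0"},
    {"name": "legacy-range", "ports": "1024-65535", "source": "::/0"},
    {"name": "db-from-app", "ports": "5432", "source": "10.0.2.0/24"},
]

# Assumption: only these ports are meant to face the whole internet.
PUBLIC_PORTS = {80, 443}
# Management and database services that should never be world-reachable.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis"}


def parse_ports(spec: str) -> range:
    """Turn '443' or '1024-65535' into a range of port numbers."""
    low, _, high = spec.partition("-")
    return range(int(low), int(high or low) + 1)


def audit(rules: list) -> list:
    """Return (rule name, severity, exposed admin services) for risky rules."""
    findings = []
    for rule in rules:
        source = ipaddress.ip_network(rule["source"], strict=False)
        if source.prefixlen != 0:
            continue  # source is restricted to a specific network
        ports = parse_ports(rule["ports"])
        if all(port in PUBLIC_PORTS for port in ports):
            continue  # world-open, but only on intentionally public ports
        services = sorted(name for port, name in ADMIN_PORTS.items() if port in ports)
        severity = "high" if services else "medium"
        findings.append((rule["name"], severity, services))
    return findings


if __name__ == "__main__":
    for name, severity, services in audit(INBOUND_RULES):
        print(f"{severity:6} {name}: open to any address {services or ''}")
```
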
It takes less than a week for hackers to crack a simple password such as “mother’s maiden name”, and that is when finding that password is not even their aim. Poor password protection often becomes the cause of a global leak and can do irreparable damage to a company’s reputation. In 2019, for example, biometric data used by 5,700 organizations around the world was compromised because of open access to the BioStar 2 database.
Tip: Use strong passwords, or better yet, two-factor authentication (2FA) to strengthen data security.
Opt out of encrypting data in the cloud
Encrypted data is a pile of garbage for cybercriminals because it takes years to decode. Large cloud providers use secure cryptographic tools; this can protect against data interception, but does not always provide a one hundred percent guarantee against leaks, because the weak point is outside the cloud perimeter, in the customer’s local infrastructure, where the customer can migrate data.
Tip: Encrypt data and use proven security tools on local workstations: leak prevention systems and antivirus software.
Refuse to mask data
In the majority of cases, user databases become publicly available because of incorrect handling of test copies of these databases, which are used for developing information services. There is nothing criminal about this, except for the cases when the real data of the citizens is not masked, that is, when the original information is not replaced with a set of meaningless symbols.
Tip: When developing applications and client services, always replace real data with fictitious data.
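The masking step described above can be applied to a database export before it reaches a test environment. The following is an added example, not part of the original article; the column names, the sample records, and the keyed character-substitution scheme are assumptions chosen for illustration.

```python
import csv
import hashlib
import hmac
import io
import string

# Constructed sample of a production export; these records are fictitious.
PRODUCTION_DUMP = """id,full_name,phone,email
1,Anna Petrova,+7 912 555-01-23,anna.petrova@example.com
2,Ivan Sidorov,+7 495 555-98-76,ivan@example.org
3,Anna Petrova,+7 912 555-01-23,a.petrova@example.net
"""
SENSITIVE_COLUMNS = ("full_name", "phone", "email")  # assumed schema


def _keystream(key: bytes, label: bytes, length: int) -> bytes:
    """Derive `length` pseudo-random bytes from the key and the input value."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big") + label, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def mask_value(value: str, column: str, key: bytes) -> str:
    """Swap each letter and digit for a keyed replacement of the same class.

    Length and separators survive, so format validation in the application
    still passes; equal inputs give equal outputs, so joins between masked
    tables still line up. Without the key the mapping cannot be recomputed.
    """
    stream = _keystream(key, f"{column}\x00{value}".encode(), len(value))
    masked = []
    for ch, b in zip(value, stream):
        if ch.isdigit():
            masked.append(string.digits[b % 10])
        elif ch.isalpha():
            alphabet = string.ascii_uppercase if ch.isupper() else string.ascii_lowercase
            masked.append(alphabet[b % 26])
        else:
            masked.append(ch)  # keep '+', '-', '@', '.', spaces
    return "".join(masked)


def mask_dump(csv_text: str, key: bytes) -> list[dict]:
    """Return the rows of a CSV export with every sensitive column masked."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        for column in SENSITIVE_COLUMNS:
            row[column] = mask_value(row[column], column, key)
    return rows
```

The masking key should be generated randomly and kept out of the test environment; the masked output still reveals field lengths and which records share a value.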
Refuse to use backups
Backups in the cloud are an additional cost. Sometimes they can double the cost of cloud services. For this reason, many customers refuse to back up their data and then get very upset when they can’t recover it after an accidental deletion. In fact, there are many different schemes to suit virtually any budget. It can be a backup from another provider, a backup in a local infrastructure with a secure link to a data center, or an “active-active” site with continuous replication based on cloud data centers.
Tip: A bad backup is better than no backup. Back up your data.
Refuse to use specialized cloud protections
In addition to traditional solutions, services are offered to protect against specific cloud threats. For example, it can be a cloud infrastructure monitoring service delivered as software that does not need to be installed on hardware. There are also technical means for preserving the integrity of configurations. They are used, for example, to protect personal data of categories 1 and 2 in a private cloud. The system blocks unauthorized operations, and access to data is restored only after the data center administrator is contacted. After the administrator receives a justification from the company management, he will restart the equipment.
Tip: In addition to standard security measures, always use specialized cloud solutions.
Not every cloud is the same. You therefore cannot rule out that some cloud provider will fail to take all the necessary measures to protect your data, and that leaks, DDoS attacks, and data destruction will be its fault. However, most major service providers have a complex, multi-stage incident detection and prevention system in place, from the level of physical access to the data center to regulatory documentation that captures all technical and organizational aspects of working in the cloud. It is quite easy to verify this. All you need to do is request certificates confirming that your infrastructure complies with the strictest Russian and international security requirements. Such documents may be certificates for the ISO 27001 and PCI DSS standards. The second of these certificates, although mandatory only for companies engaged in payment transactions, can characterize a cloud platform as the most reliable. This document prescribes protection requirements for each layer of infrastructure and procedures for testing the isolation of the platform’s virtual environments, that is, pentests.
Ideally, such vulnerability tests with the participation of independent “white hat” hackers should be conducted at least twice a year. In turn, for companies working with personal data of clients and employees, attestations of the cloud’s compliance with the requirements of Federal Law No. 152-FZ are relevant. To obtain such attestations the provider also needs to conduct a special audit and prove that all organizational and technical measures to ensure the correct and secure storage and processing of personal data have been taken. Finally, the provider, when concluding a contract with the client, signs an SLA and a confidentiality agreement. In them, it undertakes, among other things, to ensure data protection, and if these requirements are not met, it bears full responsibility, both financially and reputationally. A cloud service provider that is willing to provide the customer with all of these documents actually guarantees that its cloud reduces information security risks to zero.