In the 1950s, the mainframe was so big and expensive that organizations could not afford to purchase it. In fact only a few can put up their own mainframe systems for their use. In response, the “time sharing” method was developed, finally enabling multiple users to access data and CPU. This was known as the “client-server systems.” This development became the catalyst for the development of the Cloud.
J.C.R. Licklider developed the Advanced Research Projects Agency Network (ARPANET) to enable access to data and programs from any location in 1969. This became the predecessor that we all now know as the “Internet Thirty years later, Salesforce introduced its own multi-tenant application over the internet. Amazon followed suit, offering online services to websites and client-side application.
Since then, the cloud has grown bigger and today, millions of organizations rely on cloud services to market, sell, develop products, and manage supply chains.
The Promise and Perils of Enterprise Cloud Services
Enterprise Cloud services unlocked scalability, flexibility, and mobility that were once very expensive for businesses. It’s essentially the CEO’s dream machine – by using web-based applications, businesses can operate and collaborate across the enterprise that are spread geographically at probably half the cost of using traditional hardware and software systems.
The problem, however, is that the public cloud is not as secure as we initially thought. For criminal minds, the cloud environment is no different from any other IT system. If it’s connected to the internet, then it can be hacked, especially now with the aid of Internet of Things.
Not only that, the free for all capabilities of the cloud opens up massive vulnerabilities – end users can adopt all kinds of services, making it impossible to implement separate security controls and policies for each. According to a recent report, more than half of IT leaders say that shadow IT – under the radar adoption of cloud services – make it difficult to keep the cloud secure.
On top of this, cloud service providers themselves may not be aware of their own vulnerabilities. In 2011, security flaws of Amazon Cloud Services were revealed by a research team at Ruhr University Bochum. Last year, thirty security issues affecting Oracle’s Java Cloud Service were released by Polish firm, Security Explorations.
Experts agree that there is a clear need for a centralized control system. However, there is a caveat – service providers can’t use tools that access the customer’s VMs. This breaches the boundary between the customer and the provider. Thus, customers themselves have to be the one to adopt the necessary technology to protect their cloud environments.
Here are three key steps to prevent and mitigate vulnerabilities in your system:
Analyze your stack.
Take a close look at your cloud environment and identify the layers that need to be protected. The infrastructure contains different contents and components and the common areas in the cloud environment include:
- Virtual storage
- Virtual networking
- Automation control pane
- Software-defined networking (SDN) components
- Redundancy and Data Recovery Options
Choose the right tools.
Choose the right tools and methodology to protect each layer. Generally, the next step would be to define firewall or proxy boundaries. The rest of the task would involve monitoring, debugging the system for suspicious activity, and protecting it from malware. For the application layer, make sure that your applications, databases and access controls are in place.
Adopting the right technology to do this would depend on the needs of your business. Rolf Haas, the enterprise technology specialist at Intel Security, suggests two-factor authentication, data leakage prevention, encryption or perhaps security certificates.
If you have a large infrastructure in a public cloud, a security-as-a-service (SECaaS) would enable you to implement security and compliance across multiple providers and environments.
Develop and implement a Cloud security management strategy.
Developing strategy will standardize your efforts and ensure that the process is maintained. IT security can be tedious work that entails a dose of paranoia and skepticism, but it will take more work when systems are comprised. Here are the best practices that every company should never forget regardless of size:
- Regular Software Updates and Patching – Criminal hackers don’t need malware anymore to steal data from your system, as they are mostly used to gain a foothold in your network. Once in, they use networking, administration, and remote desktop tools to find and transfer assets to the attacker. Regular updates and patches ensure that these vulnerabilities are fixed.
- Regular Scheduled vulnerability testing – Criminal minds can erase their tracks, and you wouldn’t even know that you’ve had a data breach until your valuable information is sold on the black market. Moreover, they’re increasingly getting more sophisticated, as if security tools inadvertently bolster their skills. Security testing enables you to identify weak spots before somebody else does and keep your cloud secure.
- Develop a task force – Assemble teams, process, and tools to monitor and evaluate activity. Data breach can happen anytime as criminal hackers find the best moment to launch their attack. A centralized system in place will ensure immediate response and remediation. Include monitoring and tracking changes to identify malicious activity.
- Governance – A third-party or internal IT auditor should review these activities regularly to ensure compliance and adjustments made as appropriate. A chief information security officer or someone in charge of general IT audit will greatly help in steering your strategy in the right direction. More importantly, this automatically turns IT security into a priority and not just a complementary task by your IT department. Include training and awareness programs for the staff as part of the overall strategy.
In the digital age where technology keeps us increasingly tethered to the Internet, it’s increasingly becoming easier for criminal minds to spot exploitable entry points or vulnerabilities. No system could ever be truly secure unless it’s meticulously maintained.
Businesses, no matter what the size, should always keep IT security in mind, even if you’re just using a handful of web-based collaboration tools. Data is the currency of the digital world and as long as you have them, they can be used for financial gain.