According to a report by the American research company Gartner, by 2020 the share of information leaks from public clouds caused by incorrect configuration and unoptimized business processes will rise to 80%. Companies using cloud services therefore need to think about strengthening security now.
In this article, we will take a closer look at the five most popular ways to protect data in the cloud: encryption, infrastructure monitoring, data access restrictions, backups, and disaster recovery plans.
But first, some interesting statistics:
- 64% of companies consider cloud systems more secure than on-premises systems;
- 75% take additional measures to ensure security;
- 61% encrypt their data;
- 52% have introduced a policy of access control to information systems;
- 48% conduct regular checks of information systems for compliance with security requirements.
To ensure security, you must implement a specific encryption policy. But encrypting all data makes no sense: in that case the disadvantages of the encryption processes would outweigh all the possible advantages. Therefore, you need to find out what data is in the cloud and where the traffic is going, and then decide which of it needs to be encrypted. To use encryption effectively, compare the cost of introducing such measures with the possible losses from an information leak. You should also analyse how encryption will affect the performance of the information systems.
Data protection can be performed at different levels. For example, all the data that users send to the cloud can be encrypted with block ciphers. The next level is encryption of the data within the cloud system, which can be done in three ways:
The first is to encrypt the data yourself on your own computer and only then send it to the cloud. This way you can make backup copies of any project. In parallel, it is worth copying the encrypted files or crypto containers to an external hard drive, since there are known cases of data in unreliable cloud storage being permanently deleted without the owner's consent.
If there are many files, you can use services that encrypt the data before sending it to the cloud. Some of them even encrypt the file headers, so that if attackers gain access to the cloud, neither the contents of a file nor its name is available to them.
One such service is Boxcryptor. Its main advantage is support for popular cloud storage services such as Dropbox, Google Drive, OneDrive, Box, Amazon and iCloud Drive. The service also supports all popular platforms, including the iOS and Android mobile operating systems. The product has a free version, but with some limitations: for example, you can work with only one cloud. The paid version allows file names to be encrypted and works with an unlimited number of cloud providers.
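As an added illustration of client-side encryption before upload (example code written for this article, not Boxcryptor's or any provider's implementation), the following Go program encrypts both the contents and the name of a file with AES-256-GCM before the file would leave the user's machine. The key, file name and contents are constructed sample values; EncryptForUpload and DecryptFromDownload are hypothetical function names, and the upload itself is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a random 256-bit AES key. In a real tool this key would be
// derived from the user's passphrase and never leave the user's device.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM and returns nonce||ciphertext||tag.
// aad is authenticated together with the ciphertext (here: the stored object
// name), so a blob copied under another name fails to open.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. Any change to the blob (contents, nonce or tag) or a
// mismatching aad makes GCM's authentication check fail.
func Open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptedFile is what would actually be uploaded: both the name and the
// contents are ciphertext, so the provider learns neither.
type EncryptedFile struct {
	Name    string // base64url of the encrypted original file name
	Content []byte // Seal() output for the file contents
}

// EncryptForUpload hides both the file name and its contents before upload.
func EncryptForUpload(key []byte, name string, content []byte) (EncryptedFile, error) {
	encName, err := Seal(key, []byte(name), []byte("filename"))
	if err != nil {
		return EncryptedFile{}, err
	}
	stored := base64.RawURLEncoding.EncodeToString(encName)
	encContent, err := Seal(key, content, []byte(stored))
	if err != nil {
		return EncryptedFile{}, err
	}
	return EncryptedFile{Name: stored, Content: encContent}, nil
}

// DecryptFromDownload restores the original name and contents.
func DecryptFromDownload(key []byte, f EncryptedFile) (string, []byte, error) {
	encName, err := base64.RawURLEncoding.DecodeString(f.Name)
	if err != nil {
		return "", nil, err
	}
	name, err := Open(key, encName, []byte("filename"))
	if err != nil {
		return "", nil, err
	}
	content, err := Open(key, f.Content, []byte(f.Name))
	if err != nil {
		return "", nil, err
	}
	return string(name), content, nil
}

func main() {
	key, _ := NewKey()
	f, _ := EncryptForUpload(key, "q3-budget.xlsx", []byte("constructed sample contents"))
	fmt.Println("stored as:", f.Name)
	fmt.Println(DecryptFromDownload(key, f))
	f.Content[len(f.Content)-1] ^= 1 // one flipped byte in storage
	_, _, err := DecryptFromDownload(key, f)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

Because GCM authenticates the ciphertext, a blob that was modified or truncated in storage is rejected on download rather than decrypted into garbage, and binding the stored name into the associated data stops a blob from being silently swapped under another name. Key management (deriving the key from a passphrase, backing it up, never sending it to the provider) is the hard part of any such tool and is outside this snippet.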
Attackers can almost always find a way into a system. Therefore, to contain threats, you need to ensure that an attack does not spread to other vulnerable systems. This is possible if you block unauthorized connections between workloads and reject dangerous connection requests.
There are many infrastructure monitoring products on the market that give a complete picture of network activity: you can see everyone who connects to the network and set rules for users (what specific users may do and what access rights they should have).
Monitoring systems also let you obtain statistics for each user together with the related events and threats. Services such as Zscaler can send logs to the customer's SIEM system to produce reports that combine data from various sources. Zscaler provides users with a collection of predefined and custom reports, including the following types:
- Executive Reports (a brief security report for managers, including the number of threats detected or rules violated over a certain period);
- Interactive Reports;
- Scheduled Reports (regular distribution of standard and custom reports);
- Company Risk Score Report (a risk score calculated for the company; included in the Business and Transformation packages and available for a fee with the Professional package);
- Industry Peer Comparison (a comparison of Zscaler usage in your organization with other organizations in your industry);
- System Audit Report (a system report on the status of GRE tunnels, PAC files, etc.; if there are problems, the report gives recommendations on how to fix them);
- Security Policy Audit Report.
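To show what the per-user statistics and an executive summary from such monitoring look like in practice, here is an added Go example (written for this article, not Zscaler's code or log format). It parses a constructed key=value log of six proxy events, aggregates blocked requests and threat detections per user, and lists the users that exceed a threat threshold; the field names, rule names and destinations are made up.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Event is one proxy/monitoring record after parsing.
type Event struct {
	Time, User, Dest, Action, Threat, Rule string
}

// UserStats is the per-user summary a monitoring console would show.
type UserStats struct {
	Requests, Blocked, Threats int
	Rules                      map[string]int // policy rules that fired
}

// sampleLog is a constructed, simplified key=value log; it is not the
// format of any real product.
const sampleLog = `time=09:00:01 user=alice dest=docs.example.com action=allow
time=09:00:05 user=bob dest=malware.test action=block threat=Trojan.Generic rule=malware-protection
time=09:01:10 user=bob dest=phish.test action=block threat=Phishing rule=malware-protection
time=09:02:00 user=carol dest=files.share.test action=block rule=no-file-sharing
time=09:02:30 user=bob dest=c2.test action=block threat=Botnet.Callback rule=malware-protection
time=09:03:00 user=alice dest=mail.example.com action=allow`

// ParseLog turns lines of "key=value" fields into Events, skipping blank or
// malformed lines instead of aborting the whole import.
func ParseLog(raw string) []Event {
	var events []Event
	for _, line := range strings.Split(raw, "\n") {
		fields := map[string]string{}
		for _, kv := range strings.Fields(line) {
			parts := strings.SplitN(kv, "=", 2)
			if len(parts) == 2 {
				fields[parts[0]] = parts[1]
			}
		}
		if fields["user"] == "" || fields["action"] == "" {
			continue
		}
		events = append(events, Event{
			Time: fields["time"], User: fields["user"], Dest: fields["dest"],
			Action: fields["action"], Threat: fields["threat"], Rule: fields["rule"],
		})
	}
	return events
}

// Aggregate builds per-user statistics from parsed events.
func Aggregate(events []Event) map[string]*UserStats {
	stats := map[string]*UserStats{}
	for _, e := range events {
		s, ok := stats[e.User]
		if !ok {
			s = &UserStats{Rules: map[string]int{}}
			stats[e.User] = s
		}
		s.Requests++
		if e.Action == "block" {
			s.Blocked++
		}
		if e.Threat != "" {
			s.Threats++
		}
		if e.Rule != "" {
			s.Rules[e.Rule]++
		}
	}
	return stats
}

// ExecutiveSummary condenses the statistics into the two numbers a manager
// asks for: detected threats and policy violations over the period.
func ExecutiveSummary(stats map[string]*UserStats) (threats, violations int) {
	for _, s := range stats {
		threats += s.Threats
		for _, n := range s.Rules {
			violations += n
		}
	}
	return threats, violations
}

// UsersOverThreshold lists users with at least minThreats detections; an
// analyst would follow these up first.
func UsersOverThreshold(stats map[string]*UserStats, minThreats int) []string {
	var users []string
	for u, s := range stats {
		if s.Threats >= minThreats {
			users = append(users, u)
		}
	}
	sort.Strings(users)
	return users
}

func main() {
	stats := Aggregate(ParseLog(sampleLog))
	threats, violations := ExecutiveSummary(stats)
	fmt.Printf("threats=%d policy violations=%d\n", threats, violations)
	fmt.Println("follow up:", UsersOverThreshold(stats, 2))
}
```

The same aggregation is what a SIEM does once the proxy log is forwarded to it; the value of forwarding is that the per-user counts can then be joined with events from other sources (endpoint, identity provider) for the same user.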
Restrict access to data
Everyone is used to each user logging into an information system with a username and password. Usually the password is stored in the database in closed form, as a hash. To prevent theft of an authorized user's session, the login and password hash are checked each time a page of the system is loaded; on an authentication error the user is automatically logged out. But in addition to the traditional protection with login and password, cloud services offer several more methods of protecting information.
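An added Go example (written for this article, not any cloud service's implementation) of the traditional scheme just described: passwords are stored only as salted PBKDF2-HMAC-SHA256 hashes, a login issues a random session token, and every page load re-checks that the session is still valid against the account's current hash, logging the user out automatically when it is not. The user names, passwords and the 10000-iteration work factor are constructed values; PBKDF2 is written out here only so the block depends on the standard library alone.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// pbkdf2SHA256 is PBKDF2 (RFC 8018) over HMAC-SHA256; production code would
// use a maintained implementation rather than this one.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	idx := make([]byte, 4)
	for block := 1; len(out) < keyLen; block++ {
		binary.BigEndian.PutUint32(idx, uint32(block))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

const iterations = 10000 // hypothetical work factor; tune to the hardware

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

// Account keeps only the salt and the derived hash, never the password.
type Account struct{ Salt, Hash []byte }

func NewAccount(password string) Account {
	salt := randomBytes(16)
	return Account{Salt: salt, Hash: pbkdf2SHA256([]byte(password), salt, iterations, 32)}
}

// CheckPassword re-derives the hash and compares it in constant time.
func (a Account) CheckPassword(password string) bool {
	got := pbkdf2SHA256([]byte(password), a.Salt, iterations, 32)
	return subtle.ConstantTimeCompare(got, a.Hash) == 1
}

type session struct {
	user string
	hash []byte // the account hash this session was issued against
}

// Server holds accounts and issued sessions (in memory for the example).
type Server struct {
	accounts map[string]Account
	sessions map[string]session
}

func NewServer() *Server {
	return &Server{accounts: map[string]Account{}, sessions: map[string]session{}}
}

func (s *Server) Register(user, password string) { s.accounts[user] = NewAccount(password) }

// ChangePassword re-hashes with a fresh salt; sessions issued against the old
// hash then fail the per-page check below.
func (s *Server) ChangePassword(user, password string) { s.accounts[user] = NewAccount(password) }

// Login checks the password and issues a random, unguessable session token.
func (s *Server) Login(user, password string) (string, error) {
	acct, ok := s.accounts[user]
	if !ok || !acct.CheckPassword(password) {
		return "", errors.New("invalid credentials")
	}
	token := hex.EncodeToString(randomBytes(32))
	s.sessions[token] = session{user: user, hash: acct.Hash}
	return token, nil
}

// PageLoad is the check run on every page: the token must be a live session
// and the account's current hash must still match the one recorded at login.
// On failure the session is deleted, which is the automatic logout.
func (s *Server) PageLoad(token string) (string, error) {
	sess, ok := s.sessions[token]
	if !ok {
		return "", errors.New("not logged in")
	}
	acct, ok := s.accounts[sess.user]
	if !ok || subtle.ConstantTimeCompare(acct.Hash, sess.hash) != 1 {
		delete(s.sessions, token)
		return "", errors.New("session invalidated, please log in again")
	}
	return sess.user, nil
}

func main() {
	s := NewServer()
	s.Register("alice", "correct horse battery")
	token, _ := s.Login("alice", "correct horse battery")
	fmt.Println(s.PageLoad(token))
	s.ChangePassword("alice", "new passphrase")
	fmt.Println(s.PageLoad(token)) // session dropped
}
```

Recording the hash inside the session is what ties "checked on every page" to something useful: a password change (or an administrator resetting the account) invalidates every session that was issued before it, so a stolen token does not outlive the credential it was obtained with.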
Recently, a role-based security model (also called role-based access control) has become widespread. This model is based on identifying the user by a login. Once the user is identified, roles and the corresponding permissions are assigned automatically.
The role-based access control model fits the security policies adopted by various organizations. It supports features such as a hierarchy of roles and operational separation of duties.
Role-Based Access Control (RBAC) treats all information as belonging to the organization. In such a system, users cannot transfer their access rights to other users. Access decisions are based on the function that a user performs within the organization, that is, on the user's role.
In a role-based access control system, membership of a role and the authority granted to it are defined not at the system administrator's discretion but by the security policies adopted in the system. A role can be understood as the set of actions that a user or group of users may perform. The concept of a role includes a description of duties, responsibilities and qualifications. Functions are assigned to roles by the system administrator, who also determines who is given access to each role.
A role policy distributes authority among roles according to their official duties; the administrator's role is supplemented with special powers for controlling the operation of the system and managing its configuration. Ordinary users' rights are limited to the minimum necessary to run specific programs.
The number of roles in the system need not match the number of real users: one user with different responsibilities that require different privileges can hold several roles, and several users can share one role if they perform the same work.
Cloud systems such as Amazon EC2 make extensive use of RBAC to fine-tune end-user access to resources. Microsoft Azure also uses RBAC to control access to cloud resources. As an example, here are some actions that can be performed using RBAC:
- granting one user permission to manage virtual machines in a subscription, and another user permission to manage virtual networks;
- granting the DBA group permission to manage SQL databases in a subscription;
- granting the user permission to manage all resources in the resource group, including virtual machines, websites and subnets.
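The following Go program is an added example (written for this article, not Amazon's or Microsoft's implementation) of the RBAC model described above: roles as sets of permissions, a role hierarchy through parent roles, a separation of duty constraint between mutually exclusive roles, and an access decision that walks the user's effective roles. The three assignments listed above are reproduced on constructed scope paths such as /subscriptions/s1/resourceGroups/web and action names such as vm:manage; none of these are real Azure or AWS identifiers. Only the policy can grant roles, so there is no way for one user to pass a right on to another.

```go
package main

import (
	"fmt"
	"strings"
)

// Permission is an action allowed at a scope and, by containment, at every
// scope beneath it (a subscription contains its resource groups).
type Permission struct {
	Action string // e.g. "vm:manage"; "*" means every action
	Scope  string // e.g. "/subscriptions/s1/resourceGroups/web"
}

// Role is a named set of permissions; Parents lets a role inherit from
// other roles (the role hierarchy).
type Role struct {
	Name    string
	Perms   []Permission
	Parents []string
}

// Policy holds role definitions, role assignments and the separation of
// duty constraints (pairs of roles one user may never hold together).
type Policy struct {
	roles       map[string]Role
	assignments map[string][]string // user -> directly assigned roles
	exclusive   [][2]string
}

func NewPolicy() *Policy {
	return &Policy{roles: map[string]Role{}, assignments: map[string][]string{}}
}

func (p *Policy) AddRole(r Role)      { p.roles[r.Name] = r }
func (p *Policy) Exclude(a, b string) { p.exclusive = append(p.exclusive, [2]string{a, b}) }

// Assign gives a user a role unless it conflicts with a role the user
// already holds under a separation of duty rule.
func (p *Policy) Assign(user, role string) error {
	if _, ok := p.roles[role]; !ok {
		return fmt.Errorf("unknown role %q", role)
	}
	for _, held := range p.assignments[user] {
		for _, pair := range p.exclusive {
			if (pair[0] == held && pair[1] == role) || (pair[1] == held && pair[0] == role) {
				return fmt.Errorf("separation of duty: %s cannot hold both %s and %s", user, held, role)
			}
		}
	}
	p.assignments[user] = append(p.assignments[user], role)
	return nil
}

// effectiveRoles expands the user's direct roles through the hierarchy.
func (p *Policy) effectiveRoles(user string) []string {
	seen := map[string]bool{}
	var out []string
	var walk func(string)
	walk = func(name string) {
		if seen[name] {
			return
		}
		seen[name] = true
		out = append(out, name)
		for _, parent := range p.roles[name].Parents {
			walk(parent)
		}
	}
	for _, r := range p.assignments[user] {
		walk(r)
	}
	return out
}

// scopeCovers is true when the requested scope is the granted one or lies
// beneath it; the trailing "/" keeps "/subscriptions/s1" from matching "s10".
func scopeCovers(granted, requested string) bool {
	return requested == granted || strings.HasPrefix(requested, granted+"/")
}

// Allowed is the access decision: does some effective role of the user grant
// this action at this scope or at a scope containing it?
func (p *Policy) Allowed(user, action, scope string) bool {
	for _, name := range p.effectiveRoles(user) {
		for _, perm := range p.roles[name].Perms {
			if (perm.Action == "*" || perm.Action == action) && scopeCovers(perm.Scope, scope) {
				return true
			}
		}
	}
	return false
}

// ExamplePolicy mirrors the three assignments listed in the article on
// constructed scope and action names, plus a parent role and a SoD rule.
func ExamplePolicy() *Policy {
	p := NewPolicy()
	p.AddRole(Role{Name: "vm-contributor", Perms: []Permission{{"vm:manage", "/subscriptions/s1"}}})
	p.AddRole(Role{Name: "network-contributor", Perms: []Permission{{"vnet:manage", "/subscriptions/s1"}}})
	p.AddRole(Role{Name: "sql-dba", Perms: []Permission{{"sql:manage", "/subscriptions/s1"}}})
	p.AddRole(Role{Name: "sql-auditor", Perms: []Permission{{"sql:read", "/subscriptions/s1"}}})
	p.AddRole(Role{Name: "rg-owner", Perms: []Permission{{"*", "/subscriptions/s1/resourceGroups/web"}}})
	p.AddRole(Role{Name: "infra-admin", Parents: []string{"vm-contributor", "network-contributor"}})
	p.Exclude("sql-dba", "sql-auditor") // operational separation of duties
	p.Assign("alice", "vm-contributor")
	p.Assign("bob", "network-contributor")
	p.Assign("dba-group", "sql-dba")
	p.Assign("carol", "rg-owner")
	p.Assign("dave", "infra-admin")
	return p
}

func main() {
	p := ExamplePolicy()
	fmt.Println(p.Allowed("alice", "vm:manage", "/subscriptions/s1/resourceGroups/web"))  // true
	fmt.Println(p.Allowed("alice", "vnet:manage", "/subscriptions/s1"))                   // false
	fmt.Println(p.Allowed("carol", "sql:manage", "/subscriptions/s1/resourceGroups/web")) // true
	fmt.Println(p.Allowed("carol", "vm:manage", "/subscriptions/s1/resourceGroups/db"))   // false
	fmt.Println(p.Assign("dba-group", "sql-auditor"))                                     // SoD error
}
```

Scopes contain each other by path prefix, so a right granted at the subscription applies in every resource group beneath it, while rg-owner's wildcard stops at its own resource group. In a real cloud the role definitions and assignments live in the provider's policy store rather than in code; the checks here illustrate the model, not any provider's API.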
Applications running in the cloud are protected only to a certain extent. Stories periodically appear about one or another unreliable cloud provider erasing virtual machines or files in storage. To fully protect the data generated by cloud applications, you need to back it up to the customer's own data centre (DPC) or to another cloud.
In small-scale scenarios, users can copy files, for example from Office 365, to a local volume or an external drive. But this is a manual process that can be unreliable and is difficult to scale.
For large files and larger applications such scenarios are rare. Enterprises using an IaaS cloud can use the application programming interfaces (APIs) provided by the cloud provider to develop their own backup software, or use third-party backup software that copies data to local servers, network-attached storage (NAS) or their own data centre.
Cloud-to-cloud backups promise the business several advantages over local backups, including lower infrastructure costs, faster backup and recovery, and greater flexibility.
As part of a cloud backup service, users can back up important data (files, databases, operating system configurations) to the cloud. To do this, they install special agents that back up the data of the required applications. The agents make it possible to guarantee the integrity of the data in the backup, and the backed-up data itself is transferred over the Internet through VPN channels.
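To show the integrity guarantee an agent can give, here is an added Go example (written for this article, not any backup product's code): the agent records a SHA-256 manifest of the backup set and, after the data has crossed the VPN and been restored, recomputes the hashes and reports files that are missing, modified or unexpected. The files and their contents are constructed in memory to stand in for the agent's view of the disk.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Manifest maps each backed-up file's path to the SHA-256 of its contents.
// The agent writes it at backup time and ships it with the data.
type Manifest map[string]string

func hashOf(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// BuildManifest hashes every file in a backup set (here an in-memory map
// standing in for the agent's view of the disk).
func BuildManifest(files map[string][]byte) Manifest {
	m := Manifest{}
	for path, data := range files {
		m[path] = hashOf(data)
	}
	return m
}

// Report lists what differs between the manifest and the restored set.
type Report struct {
	Missing, Modified, Extra []string
}

func (r Report) OK() bool {
	return len(r.Missing) == 0 && len(r.Modified) == 0 && len(r.Extra) == 0
}

// Verify recomputes hashes over the restored files and compares them with the
// manifest, so silent corruption or truncation in transit is detected.
func Verify(m Manifest, restored map[string][]byte) Report {
	var r Report
	for path, want := range m {
		data, ok := restored[path]
		switch {
		case !ok:
			r.Missing = append(r.Missing, path)
		case hashOf(data) != want:
			r.Modified = append(r.Modified, path)
		}
	}
	for path := range restored {
		if _, ok := m[path]; !ok {
			r.Extra = append(r.Extra, path)
		}
	}
	sort.Strings(r.Missing)
	sort.Strings(r.Modified)
	sort.Strings(r.Extra)
	return r
}

// SampleBackup is a constructed backup set.
func SampleBackup() map[string][]byte {
	return map[string][]byte{
		"etc/app/config.yaml": []byte("listen: 0.0.0.0:8443\n"),
		"var/db/orders.sql":   []byte("INSERT INTO orders VALUES (1, 'ok');\n"),
		"var/www/index.html":  []byte("<h1>hello</h1>\n"),
	}
}

func main() {
	backup := SampleBackup()
	manifest := BuildManifest(backup)
	fmt.Println("clean restore verifies:", Verify(manifest, backup).OK())

	// Simulate a damaged restore: one file truncated in transit, one lost,
	// one that was never part of the backup.
	restored := map[string][]byte{}
	for k, v := range backup {
		restored[k] = v
	}
	restored["var/db/orders.sql"] = []byte("INSERT INTO orders VALUES (1, 'ok')")
	delete(restored, "var/www/index.html")
	restored["var/www/notes.txt"] = []byte("stray file")
	fmt.Printf("%+v\n", Verify(manifest, restored))
}
```

The manifest must itself travel through a trusted path (or be signed by the agent): a manifest stored next to the data in the same untrusted storage would simply be altered together with it.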
Disaster Recovery Plan
A Disaster Recovery Plan helps protect your business from disruptions of the IT infrastructure and potential data loss.
A traditional recovery plan involves creating a backup site, preferably in another area or even another city. To set it up, you need to purchase the same set of equipment as at the main site, provide the site infrastructure and purchase backup software. In this case the cost of creating and maintaining the backup site may equal the cost of the main site, which means that up to 50% of the entire IT budget can go to ensuring business continuity. A cloud backup service, by contrast, lets you quickly increase or decrease the volume consumed and requires no initial capital expenditure.