Security is Still Your Responsibility in the Cloud
Over the next 14 months, 80 percent of IT budgets at organizations throughout the U.S. will go to cloud computing services, according to a new global study from Intel Security. As sensitive data is moved to the cloud, it is becoming more obvious that the cloud still has its risks. According to the study, only 13 percent of IT security professionals completely trust public cloud providers to secure sensitive data, and 66 percent of them believe senior management does not completely understand the risks of storing sensitive data in the cloud.
When assumptions are made about cloud security, some risks are overlooked. Organizations need to be aware that encryption and redundancy are not enabled by default in the cloud, and access to cloud resources still needs to be managed.
The biggest infrastructure-as-a-service (IaaS) cloud is Amazon Web Services (AWS), which hosts big hitters like Netflix, Expedia and Adobe. Other players like Microsoft’s Azure and Rackspace are also great solutions and are catching up, especially among small and medium-sized organizations, but AWS’s documentation is easier to follow and better organized.
Extending Your Controls to the Cloud
Each year, AWS undergoes an examination of the design and effectiveness of their controls environment and receives a SOC 1 (Service Organization Controls) audit report on the adequacy of their controls. AWS also has control expectations of its customers so that AWS can achieve its control objectives for the audit. For instance, to satisfy its control objectives, AWS requires customers to implement certain policies, procedures and controls, including:
- Encrypting sensitive data at rest as well as in transit over the network — Encryption and redundancy are not the default in AWS. If you are storing sensitive customer information in the cloud, you should be encrypting it. Typically, column-level encryption does the trick for most small to medium-sized organizations.
- Data stored on Amazon EC2 virtual disks should be proactively copied to Amazon EBS and/or Amazon S3 for redundancy — AWS does not backup your data for you unless you contract for that as a separate service. You should not store all of your data in one spot or rely on just one copy. If you are hosting a web application with AWS, you should be frequently taking a snapshot and backing it up somewhere else. You could also send these backups to your locally-hosted servers.
Organizations are also still responsible for identity and access management to the cloud. Some best practices to keep in mind to secure access to your AWS environment include:
- Lock away your AWS account (root) access keys — The password to the root account gives access to the keys to the kingdom. It should be a long complex password, locked away and only accessible by a limited number of people. Day-to-day administrative tasks should be performed under individual accounts, rather than the root account.
- Enable MFA (multi-factor authentication) for privileged users — Since the AWS console is web facing, you’ll want to enable multi-factor authentication to mitigate the risk of an attacker brute-forcing or resetting your password.
To learn more about IT security or request your copy of "5 Reasons Your CEO Needs to Make Sure Your Data Is Secure in the Cloud," contact Bill Gogel, IT Audit Manager, Advisory Services, at 314.983.1363 or firstname.lastname@example.org.