Cloud Security

Are security issues with cloud applications setting your company up for disaster?

In today’s always on, cloud-based IT approach, all businesses need to be aware of the systems they use and take appropriate measures to secure them. Many cloud systems come with more security enabled by default than an on-premises solution. That does not mean they are as secure as possible or that your security efforts are complete. Like the privacy settings in many social media systems, security settings in all cloud systems should be reviewed and set appropriately for your business.

What are the risks involved in not taking your cloud security seriously?

In the past year, the following data breaches or loss were a result of poor cloud security:

  • 60,000 customer records from an unsecured database (Ancestry.com)
  • 23 million customer records were exposed due to a cloud misconfiguration (VIPGames)
  • 300,000 customer records from Hobby Lobby due to a cloud-bucket misconfiguration
  • Wegmans Food Markets has mis-configured databases publicly available on the cloud

While many of these are large companies, they get more reporting than smaller companies. But they occur just as readily, and they may not even be aware their data is at risk.
Why do the cloud providers allow their systems to be insecure? While they continue to make systems more secure, they are in the business of making money from their solutions and if the security is perceived as making the system hard to use, sales are hard. So, they put all the details in agreements that most click agree without reading.

These agreements put much responsibility on you. And unless you have a team of IT specialists who are fully aware of all cloud-based security implications, you’re putting your critical data at risk. That is where working with one of the experienced IT specialists from Experience on Demand can make all the difference. We have helped a wide variety of businesses, in a wide variety of industries transition to cloud-based systems, providing the peace of mind of knowing that your company’s most critical data will truly be secure.

What options do you have to secure your businesses critical data assets?

  1. Use the tools provided by the cloud provider. While they may not enable all the security options, many providers know what the best practices are and provide you built in tools to improve your security. Office 365 provides a secure score to identify areas of security that should be improved. A simple example is the use of Multifactor Authentication (MFA or 2FA). Many cyber security insurance policies now require this technology to provide coverage.
  2. Read your agreements and/or SOC reports. These documents, which could also easily be a cure for insomnia, provide insights into the security areas the provider knows are weak and should be improved. In the SOC report, looking for Complementary user entity controls (CUECs) highlight where the risk has been shifted to your organization. Some are simple (creating unique user accounts, training your users, controlling your passwords), others may be more complex such as enabling MFA, monitoring usage, etc.

But at least my data is backed up, so I’m protected right?

Similar to the security, the providers do have some provisions for protecting your data, but it might not be aligned to your policies or business needs. Do you need the ability to restore an individual email or mailbox? Do you need to be able to restore a file from 6 months ago? Do you have regulatory storage needs for long term storage? These are all items that we will address to assure that your company data will be fully protected in the cloud system to provide the optimal solution for your needs. Depending on the cloud solution, they may offer additional backup options or there may be third party applications that can fill your gap. But not all systems will provide these options. We’ll help you decide if the solution and risk are appropriate or find other options such as exporting and storing your own data.

At least they are always online right?

Unfortunately, not. Despite significant investments in automation and testing, all systems include a human that is part of the process that can make a mistake. A simple misplaced character, running something out of sequence, etc. can create an outage. And even if the system is online, if your internet connection has an issue, it is effectively offline. We’ll help you assess the risks related to these systems to determine how long they can operate without it being online and how to recover in case of a significant outage.

With all these issues should I just run it myself?

Probably not. Most cloud providers have more security and infrastructure than you can develop and maintain for your organization. Most risks outlined above can be mitigated with careful planning and testing. And a well written business continuity plan is required regardless of where the system resides.

If you are using cloud systems and would like to discuss your specific risks and possible solutions, please contact David Berndt by calling (314) 805-5554, or e-mail david.berndt@experience-on-demand.com

David Berndt
Senior Partner
(314) 805-5554
david.berndt@experience-on-demand.com