7 Essentials of Business Cloud Security
Cloud-based data storage and applications let you deploy enterprise-quality IT infrastructure inexpensively. Along with the benefits of cloud computing comes one responsibility: protecting your business data from unauthorized access.
By Mel Beckman
Cloud computing is everywhere, and unless you've been living in a cave, you've at least heard the term. Data breaches of cloud computing resources are also widely in the news. In February, for example, cloud storage provider CloudPets accidentally leaked two million voice recordings, email addresses and passwords for more than 800,000 of its users. (See a Washington Times article about this breach.)
How do cloud computing vulnerabilities affect RV dealerships? Besides having highly sought data - customer credit applications with SSNs, bank account numbers and sensitive personal identifying information - RV dealerships have been aggressive in exploiting the cost advantages of cloud-based IT services. Many dealership inventory-control, point-of-sale and accounting applications have moved to the cloud, letting dealerships give the headache of managing onsite application servers to somebody else.
But wait a minute. What is the cloud anyway, and how can you tell if you're using it? Dealership operators focused on their core business often have only a foggy idea of what cloud computing is. If you are using it, how can you avoid being the next poster child for a cloud security data breach?
I answer those questions in this article and give you critical advice on securing cloud services you may be using. The steps to secure cloud computing are not complex, but they are essential.
Clarifying the Cloud
A short definition of cloud computing is "any Information Technology (IT) service - applications, storage, communications and social media - that isn't provided by onsite equipment within your own business." The term "cloud" doesn't mean services are in the sky (although that's coming) but is rather a metaphor for any place not at your place. All cloud services run on physical servers and storage devices located in brick-and-mortar buildings. These buildings typically locate next to high-speed cross-continent fiber-optic links and have huge electrical power and cooling resources nearby. But a cloud provider isn't defined by size. It might be running in a closet at an accounting firm or in a sprawling data center in the Las Vegas desert. It might even be overseas. Users generally don't care where a cloud service operates from, as long as the service meets its performance promises.
The primary reason businesses turn to the cloud is cost. Cloud computing is a pay-as-you-go turnkey service, ready to use the minute you sign up for it. With the cloud, you avoid up-front purchase of servers, storage, backup, software and the IT staff to run it all. Because the cloud provider buys all these things in bulk and spreads the cost over hundreds or even millions of customers, cloud services ultimately cost less than running your own internal IT department. The cloud provider also gains a huge improvement in reliability and availability, because it deploys massive redundant resources. Not one extra server, but hundreds. Not one spare hard drive, but thousands.
The disadvantages of the cloud are somewhat slower performance, since all your transactions must traverse the internet to reach the cloud provider, and security. A data breach of your own in-house server is almost certainly your fault, but a cloud data breach can be anybody's fault.
The performance issue is gradually going away as internet speeds ramp up. Many companies have 10 times more bandwidth today than they did just five years ago, and the speed improvements have no upper limit in sight. But security keeps getting more complex and more expensive. It's where you must pay close attention if you're to reap the benefits of the cloud without getting burned by a breach.
Cloud Security Risks
The No. 1 risk of the cloud is someone you don't authorize getting access to your sensitive company information. As I mentioned in last month's article about securing your dealership's information assets (see "Hackers and Breaches and Espionage - Oh, My!" in the May 2017 issue of RV News), you have a lot to lose, and a number of laws require you to take positive steps to secure your data.
Secondary risks include an authorized party making changes to your data - a subtler problem that requires special attention - and the complete loss of your data due to human error, malicious act or natural disaster.
These latter risks you can address by using standard IT processes such as transaction auditing and diversely located data backups, as you'll see shortly. But a data breach is the big risk that you should put the most attention on. Cloud security best practices break down into seven rules, the first five for access control, and the last two for data integrity protection. Here are the rules, and I go into detail about each one in the following sections.
1. Use strong passwords.
2. Don't reuse passwords for other services.
3. Employ two-factor authentication whenever possible.
4. Encrypt all data, both in transit and at rest.
5. Know where your cloud service is physically located, and know the provider's security protections.
6. Ensure all data accesses and changes get recorded in an audit log.
7. Back up your data to a location other than your cloud provider.
Five Rules of Access Control
Data breaches are growing in number, but the ways data gets breached have changed little over the years. The primary vulnerabilities hackers exploit are weak passwords and users susceptible to so-called social engineering attacks. You can read about social engineering in detail in last month's article, but the key takeaway is you must train your staff to resist hacker attempts to steal their passwords. Amazingly, last summer's Democratic National Committee breach of executive staff emails was accomplished through a standard social engineering attack called spear phishing (click here to read about that).
Beyond social engineering, hackers can also breach a cloud account by simply guessing the password. Simple passwords such as "letmein" or "mylittlesecret" can be guessed in minutes. Furthermore, hackers are wise to the substitution of letters with numbers, so using "letme1n" and "m4little5ecret" is no safer.
This is where strong passwords pay big dividends. You and all your employees must use strong passwords. A strong password is one that is both long and has a high amount of randomness, which means the hacker will not succeed with obvious guesses, such as dictionary words. Hackers have accumulated huge lists of known passwords, and they always try these first. These lists drive hackers' automatic password testing tools, called "brute force password crackers," which pummel your account, trying 10 or even 100 passwords per second. This same technique works when hackers manage to steal a site's entire password file containing encrypted passwords. That encryption is of little value for passwords in hackers' lists. The hackers need only encrypt their own list and compare it to the stolen list, and their tools can process millions of passwords per second.
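The list comparison described above can be run as an audit of your own password store. This Python sketch is an added example, not part of the original article; the account names, the password list and the two storage schemes (unsalted SHA-256 and salted PBKDF2) are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny known-password list and three accounts.
KNOWN_PASSWORDS = ["letmein", "letme1n", "mylittlesecret", "password1"]
ACCOUNTS = {"alice": "letme1n", "bob": "correcthorsebatterystaple", "carol": "letmein"}

def fast_hash(password: str) -> str:
    """Unsalted single-pass SHA-256: the weak storage scheme."""
    return hashlib.sha256(password.encode()).hexdigest()

def slow_salted_hash(password: str, salt: bytes, rounds: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-account salt: the stronger scheme."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)

def build_stores():
    """Store the same accounts under both schemes."""
    unsalted = {u: fast_hash(p) for u, p in ACCOUNTS.items()}
    salted = {}
    for user, password in ACCOUNTS.items():
        salt = os.urandom(16)
        salted[user] = (salt, slow_salted_hash(password, salt))
    return unsalted, salted

def audit_unsalted(store: dict) -> list:
    """Hash the list once, then match every account with a table lookup."""
    table = {fast_hash(p) for p in KNOWN_PASSWORDS}
    return sorted(user for user, digest in store.items() if digest in table)

def audit_salted(store: dict) -> tuple:
    """With salts, every list entry must be re-hashed for every account."""
    hits, work = [], 0
    for user, (salt, digest) in store.items():
        for guess in KNOWN_PASSWORDS:
            work += 1
            if hmac.compare_digest(slow_salted_hash(guess, salt), digest):
                hits.append(user)
                break
    return sorted(hits), work

if __name__ == "__main__":
    unsalted, salted = build_stores()
    print("unsalted store, listed passwords:", audit_unsalted(unsalted))
    hits, work = audit_salted(salted)
    print("salted store, listed passwords:", hits, "after", work, "slow hashes")
```

Both stores give up the accounts whose passwords are on the list; salting and slow hashing only raise the cost per guess, so the password that is not on the list is the one that survives.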
The ideal strong password is a completely random string of characters at least 12 characters long, such as "D*3Onyq.G$rz" (but don't use this one, as hackers have likely added it to their list of known passwords by the time you read this). But such complex passwords are hard to remember, leading users to write them down, which defeats the purpose of a strong password.
An effective alternative strong password technique is described in the web comic "XKCD": Choose four random words and simply string them together, no spaces. You can then create a mental image and attach it to the four words, as shown in the comic, for easy remembering.
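To compare the two kinds of strong password, this added Python example (not from the original article) generates each one and estimates how long a search would take at the guessing rates quoted earlier. The 16-word sample list is constructed so the code runs offline, and the 7,776-word list size is an assumption.

```python
import math
import secrets
import string

# Constructed 16-word sample list, only so the block runs offline.
# Assumption: a real list holds thousands of words (7,776 is used below).
SAMPLE_WORDS = ["anchor", "biscuit", "camper", "dolphin", "ember", "falcon",
                "gravel", "harbor", "island", "jacket", "kettle", "lantern",
                "meadow", "noodle", "orchard", "pebble"]

def random_password(length: int = 12) -> str:
    """Random string drawn from the 94 printable ASCII symbols."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

def passphrase(words: list, count: int = 4) -> str:
    """Words picked by a cryptographic RNG and joined with no spaces."""
    return "".join(secrets.choice(words) for _ in range(count))

def entropy_bits(choices: int, picks: int) -> float:
    """Bits of randomness when each of `picks` items is drawn from `choices`."""
    return picks * math.log2(choices)

def years_to_search(bits: float, guesses_per_second: float) -> float:
    """Average time to find the secret: half the guess space."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)

def compare() -> dict:
    """Map scheme name to (bits, years at 100/s, years at 1,000,000/s)."""
    schemes = {"12 random characters": entropy_bits(94, 12),
               "4 words from 7,776": entropy_bits(7776, 4),
               "4 words from sample list": entropy_bits(len(SAMPLE_WORDS), 4)}
    # 100/s is the online rate and 1,000,000/s the offline rate from the article.
    return {name: (round(bits, 1),
                   years_to_search(bits, 100),
                   years_to_search(bits, 1_000_000))
            for name, bits in schemes.items()}

if __name__ == "__main__":
    print(random_password(), passphrase(SAMPLE_WORDS))
    for name, (bits, online, offline) in compare().items():
        print(f"{name}: {bits} bits, {online:.3g} years online, "
              f"{offline:.3g} years offline")
```

The estimates hold only when the words are chosen by a random generator from a large list; four words a person picks, or four words from a 16-word list, fall within minutes.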
Even if you have a strong password, if you or your employees reuse the same password for multiple online services, you can make it easier for hackers to discover. Thus, the second rule of access control is never reuse passwords, because if one of the other places you used the password gets breached and your password is disclosed, the hacker can try that password to eventually break into your more important critical cloud services.
Online services often use email addresses as user IDs, and your email address is not really a secret, so hackers can quickly test your breached password on many popular services. For example, if you use the same password for Gmail and Dropbox (a cloud storage service), a data breach at one is effectively a breach of your account at both. This happens so often that a free service has been created to tell you whether your email address has been leaked in any of the most public data breaches: https://haveibeenpwned.com. The term "pwned" is a hacker idiom for "owned," as in "I own your password, I own you."
The third access-control rule helps you even if your passwords get disclosed. Called "two-factor" authentication, it requires one additional piece of information along with your password in order to gain access. Typically, this information changes every time you log in. You retrieve the token from a small fob on your key chain or receive it via a text message through a smartphone app. Every time you log in, the token is different, and since it can be obtained only by using something in your physical possession, the hacker likely has no access to it. To get two-factor authentication, ask the site's operator. The site operator could be your IT department, or it could be an outside party, such as the bank or credit card company for your online financial services.
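How a changing token can be checked by the site is shown in this added Python example, which is not from the original article. It assumes the time-based one-time password scheme (TOTP, RFC 6238), which the article does not name; the verify helper, its one-step window and the replay set are illustrative choices.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time code for a single counter value (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """Code shown by the fob or app: the counter is the 30-second time step."""
    return hotp(secret, int(now // step), digits)

def verify(secret: bytes, submitted: str, now: float, used_steps: set,
           window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server side: accept the current step +/- window, never a step twice."""
    current = int(now // step)
    for counter in range(max(0, current - window), current + window + 1):
        if counter in used_steps:
            continue  # this code was already spent; reject replays
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            used_steps.add(counter)
            return True
    return False

if __name__ == "__main__":
    secret = b"12345678901234567890"  # test secret from RFC 6238, not a real key
    used = set()
    code = totp(secret, now=59)
    print("code at t=59:", code)
    print("first use accepted:", verify(secret, code, 59, used))
    print("replay accepted:", verify(secret, code, 59, used))
    print("same code 141 s later:", verify(secret, code, 200, set()))
```

A password captured by phishing or a breach stays valid until it is changed, while a captured code is rejected once it has been used or its time window has passed.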
Access control rule No. 4 is encrypt all data, both in transit and at rest. This rule is easy to apply, but you must make sure you actually do apply it. In-transit encryption protects your data as it moves from your computer or mobile device to the cloud provider and back. For most cloud services, this protection is automatic, accomplished using standard web-based encryption (HTTPS). Encryption at rest means your data is encrypted on the storage devices in the cloud, so that if a hacker were to steal your files, or the storage devices themselves, they couldn't access the data without the decryption key. That key should be kept only at your end - never by the cloud provider. The same rule for two-factor authentication applies for encryption: Ask, and ye shall receive. If it's not implemented already, you must put the technologists in charge on notice that you require encryption both in transit and at rest.
And this leads us to the fifth and final access control rule: Know where your cloud is physically located, and know the provider's security protections. As a cloud customer, you have a right to know where your data is kept and a right to know about security policies within the cloud data center. You need to know the physical location in order to set up appropriately diverse backups, so that if your cloud is in San Francisco, for example, you put the backups at a safe distance, such as Chicago. You normally should already have on-site backups as well, for speedy recovery, but you need off-site backups in the event a local disaster destroys these on-site backups. Security policies include how data is encrypted in transit and at rest, as well as who in the provider organization has access to your confidential account credentials. You should keep a record of these facts in the event you need to litigate over a future data breach.
Two Rules of Data Integrity
Whether you use a cloud-based application for such things as inventory or accounting, or generic cloud services to archive data or exchange it with business partners, you need to make sure you have a clear record of who did what to your data. An unauthorized change can destroy the integrity of your information, calling into question, for example, your bookkeeping or stock-on-hand. Thus, the primary rule of data integrity is to ensure all data accesses and changes get recorded in an audit log. Most cloud providers have a means to do this; you merely have to turn it on. As long as users each have a unique user ID, you can readily identify the person making any change.
Although cloud services are extraordinarily reliable, they are not infallible. Thus, you also have to prepare for the worst-case scenario - total loss of all your cloud-stored information. Standard IT backup functions handle this task, but you are responsible for making sure it gets done and ensuring your backups are stored far enough away from your cloud data center's location that a common natural disaster won't take them both out. Cloud providers understand this need and have capabilities (sometimes incurring additional charges) for backing up your data to a remote location. You should also make sure your backup data is encrypted, but that's a built-in feature of standard IT backup utilities.
Keep Your Clouds White
Your mission at this point is straightforward: Identify all cloud services your business employs, and then apply the seven rules of cloud security to them. If you're not using the cloud today, you likely will be soon, so make sure these rules are followed whenever you start using a cloud service.