Have you thought of your approach to cloud security? Here are three quick ways to make sure your security stance is off to a good start.
I normally write about Office 365 and Azure products and strategies, but I’ve begun to see a number of general security deficiencies with a growing number of my clients.
Therefore, I won’t limit this blog to a product or service. Instead, I’ll share a more holistic philosophy.
In the past, most organizations were apprehensive about moving to the cloud, primarily because of security concerns.
Today, however, when we ask clients how they feel about their security posture in the cloud, they will typically respond with affirmations on encryption, email sanitation, or other security services.
A few questions to consider: Are these services configured optimally and verified regularly? What about additional layers of security like people and information? Let’s explore that.
Cloud Security Policies to Put In Place
A good starting point to ensure a positive security stance would be something like the following:
- An ongoing user education program
- An identity protection program
- An information protection program
These are all items for which a cloud consumer is responsible.
1. User Education Program
Foremost on the list is an ongoing user security awareness program.
Users will help if they know how to help, and it is our responsibility as IT Pros to educate them. They not only need to know how to be actively secure, but also why security is important.
The easiest way to do this, like with most IT functions, is to get the proper buy-in and support from the executive levels. With that in place, you can help managers understand why it’s important to have their direct reports involved in the security of the company, its people, and its data.
The simplest way forward is to publish a professional video or videos related to work functions. The end result of this program is that people are aware of what is and isn’t acceptable.
Most people will abide by the security policies in place if they understand the what and why.
2. Identity Protection Program
12345. 12345678. password. Pass@word1.
You know them. And still you are amazed when you find that one of your users is using a password like this.
This has been the case for 30 years (probably throughout history) and it isn’t going to change. These passwords are easy to remember, but they are also easy to guess if you’re a bad guy looking to get in. As an IT Pro you are responsible for helping people protect themselves.
If you have personal accounts for banking or insurance, then you probably already use a second factor of authentication. If you don’t, start doing so now. And protect your employees in the same way by rolling out a multi-factor authentication program of some kind.
Identity protection providers all offer it now, and if yours doesn’t, select one that does. This is without question the simplest way to protect all your user accounts.
A prompt from an authentication app is a good way to introduce a multi-factor solution that is easy for users to employ.
3. Information Protection Program
Do you know what data you have, where it lives, how current it is and to whom it is being transmitted? The work to be done protecting your company’s information is not a small task.
What locations do you allow? Is data encrypted there? Is it encrypted when it’s in transit or in use? Most people I talk to aren’t 100 percent sure. Be 100 percent sure.
It’s our responsibility as IT Pros to strike the right balance between what our people can do with information that belongs to the company and what they cannot do.
Are you monitoring shadow IT? If users need to do something that you don’t allow, in many cases they will find a way to do it anyway.
Actively monitor this activity and adjust policies as needed.
Classify the information you have, archive what’s no longer required daily in a safe location, and monitor sensitive information transmission.
If you haven’t gone through the process of configuring security in the cloud and you’re using default settings, or you’re not sure the settings you have are optimal, fix that now.
Spend the money and the time up front and save the pain of tracking down intruders later.
We offer a service in which we take a look at your cloud environment and verify configuration items and why they are set the way they are. You will be surprised at what you find.