
The 10 Best Practices in Cloud Data Security

Published 11/03/2020


By Branden Morrow from TokenEx

Cloud Data Security Best Practices Overview

What exactly is cloud data security?

Cloud security is the combination of technologies and procedures that protect cloud computing environments against threats originating both outside and inside the organization. With cloud computing becoming a must for organizations looking to improve their capacity for innovation and collaboration, cloud security and the best practices that prevent illicit activity are a necessity to keep data in the cloud safe from current and emerging threats.

How do I know if cloud security is right for me?

If you are using the cloud, then you need to secure it. The real question is, "what kind of cloud security should my organization implement?" Cloud security varies, and the best way to make sure everything is protected usually begins with understanding the combination of cloud location and cloud service your organization has.

1. Classify Your Cloud Locations and Services

Based on a cloud location, you can determine if a cloud is public, private, or hybrid.

Public cloud:

  • A public cloud is one in which resources like servers and storage are owned and operated by a third-party provider and delivered over the internet. The public cloud tends to be the most popular model because it has several advantages, including:
    • Lower costs, because the hardware and software are owned by the service provider and you only pay for the resources you use.
    • No hardware maintenance on your side, because it is covered by the provider.
    • With resources available on demand, the service scales with you as your business needs grow.
    • Reliability, because a large network of servers protects against the failure of any single one.

Private Cloud:

  • A private cloud is one in which only a single organization uses the computing resources. It can be located on-site at your organization, or it can be hosted by a third-party provider. Unlike the public cloud, the services and infrastructure are maintained on a private network, and the hardware and software are dedicated to your organization alone. The advantages of a private cloud include:
    • Flexibility, as your organization can customize the cloud environment at will to fit its specific needs.
    • Improved isolation, because resources are not shared with other organizations, which gives you a higher level of control. Note that isolation is not security by itself: patching, configuration, and access control remain your job in a private cloud.
    • Like a public cloud, a private cloud still provides high scalability, depending on your business needs.

Hybrid Cloud:

  • A hybrid cloud combines private cloud infrastructure with the public cloud so that the advantages of both can be obtained. With hybrid clouds, data and applications can move between the private and public clouds, enabling greater flexibility and more deployment options. Generally, the most sensitive applications and data are kept on the private cloud, while secondary workloads run in the public cloud. Some of the benefits of a hybrid cloud include:
    • Control for specific assets as your organization can maintain a private infrastructure.
    • Flexibility due to additional resources available in the public cloud when you need them.
    • The ability to scale to the public cloud leads to cost savings as you only pay for the extra computing power you need.
    • Phasing in workloads over time allows for an ease of transition to the cloud.

Based on the service the cloud provides, you can determine whether it should be classified as IaaS, PaaS, SaaS, or FaaS.

IaaS (Infrastructure-as-a-Service)

  • IaaS tends to be the most common category of cloud computing service. The idea is that you rent IT infrastructure, such as servers, VMs, storage, and networking, from a cloud provider on a pay-as-you-go basis. The provider runs the physical hardware and hypervisor; the operating system and everything above it are yours to secure.

PaaS (Platform-as-a-Service)

  • PaaS is an environment for building, testing, and running software applications. It lets you develop and deploy applications without having to set up or manage the underlying infrastructure, including the operating system and runtime.

SaaS (Software-as-a-Service)

  • SaaS delivers software applications over the internet, usually via a subscription. The provider hosts and manages the application you are using, along with the underlying infrastructure and its maintenance; what remains with you is your data, your users, and how you configure access to both.

FaaS (Functions-as-a-Service)

  • FaaS insulates developers from everything in the stack below their code. It eliminates the need to maintain virtual servers, containers, and application runtimes, and lets developers upload narrow, functional blocks of code that are triggered by specific events.

Classifying your cloud will allow you to move on to our next cloud security best practice – understanding your shared responsibility model.

2. Understand Your Shared Responsibility Model

Responsibility for maintaining compliance with rules that apply to stored data, such as NACHA requirements for payment data, can sit with your organization or with your cloud provider depending on which services are being used. While the buck ultimately stops with your organization, the cloud provider assumes responsibility for some aspects of IT security. This is known as the "Shared Responsibility Model": the provider is responsible for security of the cloud (facilities, hardware, and the service layers it operates), and you are responsible for security in the cloud (your data, identities, access policies, and configuration). The further you move from IaaS toward SaaS, the more of the stack the provider covers, but your data and who can reach it never stop being your responsibility. Using TokenEx's cloud platform would result in a shared responsibility model similar to this:

[Figure: Responsibility Matrix]

3. Know How Your Data is Being Accessed and Stored

According to the McAfee 2019 Cloud Adoption and Risk Report, 21% of all files in the cloud contain sensitive data elements. It is critical to examine your cloud services and understand exactly what data they handle. Most data will probably live in well-established cloud services, or ones your organization is familiar with, but no cloud service can guarantee that your data is 100% safe from threats. Therefore, regularly examining the permissions on your data in any cloud environment is essential, with particular attention to storage that has been opened to anonymous or "any authenticated user" access. You may find that some sensitive data needs to be quarantined or removed altogether.

4. Establish Partnerships with Reliable Cloud Providers

Cloud service providers with a consistent track record of accountability, transparency, and meeting established regulatory standards can be identified by well-regarded independent attestations and certifications. These include, but are not limited to, SOC 2 Type II reports (the successor to the old SAS 70 reports), ISO/IEC 27001 certification, and a CSA STAR registry entry. Such providers generally make security audit reports, results, certifications, and similar material available to customers. Make sure these audits are based on recognized standards and were conducted by an independent third party, so that there is no potential for bias. Although reputable cloud providers should continuously maintain their certifications and notify clients of any change in status, it is still your responsibility to understand your organization's own data security needs and compliance requirements.

5. Ask Your Cloud Provider About Security Solutions They Have in Place

A provider may store or host your data, but it belongs to you. Don't hesitate to ask detailed questions about your cloud provider's methods for protecting sensitive data: how it is encrypted at rest and in transit, who holds the keys, how provider staff access is controlled and logged, and how you would be notified of a breach. Never assume your own security measures or those of your provider are impenetrable. A reputable provider should follow industry-recognized practices such as Zero Trust and other data-centric security principles. Different providers' security solutions vary with their application and data service specializations: one vendor might be right for highly sensitive data, while another might be the better fit for less sensitive work.

6. Establish and Apply Cloud Security Guidelines

Having a detailed "safe list" lets your organization establish guidelines specifying who has access to which cloud services, how they are allowed to use them, and what types of data may be stored in each. Your organization should also specify which security technologies are required to protect data in the cloud. An ideal setup includes automated enforcement so that everyone follows the same guidelines, whether that comes from a cloud vendor's own security features or from a separate security solution with policy-enforcement capabilities.

7. Manage Your Internal Security Threats

Employees commonly use cloud services without realizing the security risks of doing so. From cloud storage accounts like Dropbox to browser-based file conversion services, these applications generally are not vetted by IT security teams before use. Training your employees on cloud security best practices goes a long way toward reducing risk from inside your organization. As mentioned above, creating a "safe list" of approved cloud services is a simple but effective way to reduce that risk. Knowing which cloud services your employees actually use, which your web proxy or DNS logs will tell you, lets you set policies around what types of data are allowed in the cloud and which services are approved for employee use.
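Practices 6 and 7 both come down to comparing what is actually in use against the safe list. The following is an added example, not code from the original post or from TokenEx: it parses a handful of constructed web-proxy log lines, groups outbound traffic by destination host, and reports every service that is not on the approved list together with who used it and how much data was uploaded. The log format, the approved services, and the user and host names are all assumptions made for this illustration.

```python
"""Discover cloud services in use and compare them with the safe list.

Added example (not from the original post or TokenEx).  Parses
constructed web-proxy log lines, groups traffic by destination host,
and reports services missing from the organization's approved list,
ranked by bytes uploaded.  Log format, domains and user names are
assumptions made for this illustration.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Approved ("safe list") services and the most sensitive data class each
# may hold.  Assumed entries for illustration only.  A host is approved
# if it equals an entry or is a subdomain of one.
SAFE_LIST = {
    "sharepoint.example.com": "confidential",
    "crm.example.com": "confidential",
    "box.com": "internal",
}

# Methods that carry a request body, i.e. data leaving the organization.
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}

# Constructed sample log.  Fields:
#   timestamp user method url status bytes_sent bytes_received
SAMPLE_LOG = """\
2020-11-03T09:12:01Z alice POST https://sharepoint.example.com/upload 200 524288 310
2020-11-03T09:15:44Z bob POST https://www.dropbox.com/upload 200 10485760 512
2020-11-03T09:16:02Z bob GET https://www.dropbox.com/home 200 80 40960
2020-11-03T10:01:17Z carol POST https://convert-pdf.example.net/api/convert 200 2097152 4096
2020-11-03T10:05:33Z alice GET https://crm.example.com/accounts 200 120 65536
2020-11-03T10:20:09Z dave PUT https://app.box.com/api/2.0/files/content 201 3145728 256
"""


def is_approved(host):
    """True if the host is on the safe list or is a subdomain of an entry."""
    host = host.lower()
    return any(host == approved or host.endswith("." + approved)
               for approved in SAFE_LIST)


def parse_line(line):
    """Split one proxy log line into a record; raises ValueError if malformed."""
    ts, user, method, url, status, sent, received = line.split()
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in URL: {url}")
    return {"ts": ts, "user": user, "method": method.upper(), "host": host,
            "status": int(status), "sent": int(sent), "received": int(received)}


def find_unsanctioned(log_text):
    """Return {host: {users, requests, uploaded_bytes}} for hosts not on the
    safe list, ordered by uploaded bytes (largest first)."""
    usage = defaultdict(lambda: {"users": set(), "requests": 0, "uploaded_bytes": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_approved(rec["host"]):
            continue
        entry = usage[rec["host"]]
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        if rec["method"] in UPLOAD_METHODS:
            entry["uploaded_bytes"] += rec["sent"]
    ranked = sorted(usage.items(), key=lambda kv: -kv[1]["uploaded_bytes"])
    return {host: {"users": sorted(e["users"]),
                   "requests": e["requests"],
                   "uploaded_bytes": e["uploaded_bytes"]}
            for host, e in ranked}


if __name__ == "__main__":
    for host, info in find_unsanctioned(SAMPLE_LOG).items():
        print(f"UNSANCTIONED {host}: {info['uploaded_bytes']} bytes uploaded "
              f"by {', '.join(info['users'])} over {info['requests']} requests")
```

On the sample log the report lists `www.dropbox.com` (10 MB uploaded by bob) and `convert-pdf.example.net` (2 MB uploaded by carol); `app.box.com` is accepted because `box.com` is on the safe list, and the two `example.com` services are accepted by exact match. The upload volume is what makes the list actionable: a large unsanctioned upload is the case to investigate first, and it is also the evidence you need when deciding whether to add the service to the safe list or block it.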

8. Train Your Staff

One of the most effective ways to keep attackers out of your environment is to train your staff regularly. Technology and tactics evolve quickly, and your staff needs to be prepared for phishing and spear-phishing schemes, among other predatory methods that grow more popular and sophisticated every day. Implement regular training so that employees can recognize current tactics and ones on the rise.

9. Minimize the Amount of Data in Your Environment

Reducing the amount of sensitive data in your environment is a sure-fire way to improve security while also reducing your compliance scope under regulations like GDPR and CCPA: data you do not hold cannot be stolen, and systems that never touch it do not need to meet the controls written for it. With data security regulations becoming ever more relevant, anything that lets your organization reduce compliance scope while increasing security will save you money, whether by avoiding penalties for incomplete adherence or by cutting the cost of maintaining compliance on your own. Tokenization is one way to do this: the sensitive value is swapped for a token that carries no exploitable information, the original is held in a separate vault, and your applications store and pass around only the token. Services like our cloud tokenization platform let organizations reduce their risk and their compliance scope in this way while keeping the business use of their data, in a manner that adapts and grows with their needs.
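To make the scope-reduction idea concrete, here is an added example of vault-based tokenization. It is not TokenEx's platform or any code from the original post: a minimal in-memory vault hands out random, format-preserving tokens for payment card numbers, and an application-side helper shows that the record kept by the business system contains only the token. The sample card number is a constructed test value, and the vault class, token format (same length, last four digits preserved, never Luhn-valid) and method names are all assumptions made for this illustration.

```python
"""Vault-based tokenization: tokens in your systems, data in the vault.

Added example (not TokenEx's platform or the original post's code).
A minimal in-memory "vault" issues random, format-preserving tokens
for payment card numbers so that downstream systems store and pass
around only the token.  The sample PAN is a constructed test number;
the vault, token format and API names are assumptions.
"""
import secrets


def luhn_ok(digits):
    """Luhn mod-10 check used by card numbers; True if the checksum holds."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps random tokens to the sensitive values they stand in for.

    In a real deployment this mapping lives in a hardened, separately
    audited service; here it is a dict so the example runs offline.
    """

    def __init__(self):
        self._token_to_value = {}

    def tokenize(self, pan):
        """Return a token for the card number.

        The token keeps the PAN's length and last four digits (so receipts
        and support lookups still work) but is random elsewhere.  By design
        it never equals the PAN and never passes the Luhn check, so it
        cannot be mistaken for, or used as, a real card number.
        """
        if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_ok(pan):
            raise ValueError("input is not a well-formed card number")
        while True:
            prefix = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = prefix + pan[-4:]
            if token != pan and not luhn_ok(token) and token not in self._token_to_value:
                break
        self._token_to_value[token] = pan
        return token

    def detokenize(self, token):
        """Return the original value; KeyError for a token the vault never issued."""
        return self._token_to_value[token]

    def holds(self, token):
        return token in self._token_to_value


def store_order(vault, order):
    """Application-side helper: replace the card number in an incoming order
    with a token before the record is persisted anywhere in your systems."""
    record = dict(order)
    record["card_token"] = vault.tokenize(record.pop("card_number"))
    return record


# Constructed sample order using a well-known test card number.
SAMPLE_ORDER = {"order_id": "A-1001", "amount_cents": 4999,
                "card_number": "4111111111111111"}

if __name__ == "__main__":
    vault = TokenVault()
    stored = store_order(vault, SAMPLE_ORDER)
    print("persisted record:", stored)              # no card number present
    print("vault resolves to:", vault.detokenize(stored["card_token"]))
```

Everything outside the vault (the order database, logs, analytics, backups) now holds only a value that is useless to an attacker, which is exactly what takes those systems out of scope. Two details matter in practice and are reflected in the code: tokens are random rather than derived from the card number, so a leaked token does not help recover the PAN, and an unknown token is rejected outright rather than silently mapped to something.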

10. Perform Regular Audits and Penetration Testing

Whether or not your organization chooses a partner for its cloud data security needs, you should implement regular penetration testing to determine whether your efforts are sufficient. Combine this with audits that keep tabs on your vendors' capabilities and reviews of your access logs to confirm that only authorized personnel are handling sensitive data; both are a must for keeping pace with changing security needs. Avoiding public cloud services altogether in the name of security isn't realistic. Properly configured cloud workloads often have fewer security issues than those run in traditional, organization-owned data centers. If you stay current with cloud data security best practices, you can eliminate a significant amount of risk without forfeiting the benefits of cloud computing.

Unfortunately, there is no "one size fits all" solution to an organization's data security needs. Adhering to these best practices in cloud data security should, however, put your organization in a position to understand and address the needs specific to it. TokenEx can help with many of the issues that arise when working toward better cloud data security, and the adaptability of our platform lets companies improve business functionality while securing data and minimizing their overall compliance scope.
