Eight Steps to Effective Cybersecurity in the Cloud
When we are deploying cloud services for a client, we often find that they believe they will be automatically covered by their cloud providers’ security protections. Nothing could be further from the truth!
While cloud providers typically offer protection and monitoring technologies, they do not necessarily configure those, nor are they responsible for all the other aspects of a strong cybersecurity program, such as protecting the devices you use to access the cloud service, providing user training, and setting up policies and procedures for IT.
There’s a lot you need to do to create an effective cybersecurity program in the cloud, including:
1. Turn on your data center protection technology! While cloud service typically includes antivirus, firewall, etc. for your servers and cloud services, it won’t work unless it is turned on. (In 2017, at least six million Verizon customers had their data exposed because Verizon’s third-party systems engineer forgot to turn on security protections on an Amazon Web Services server.)
2. Configure monitoring, and possibly handle security events. Make certain that you configure the notification; otherwise, you will not be notified of security events. Be sure you know whether the cloud provider is responsible for remediation of a security event, or simply for notifying you of the event.
3. Provide and manage endpoint and network protection. Even using the cloud, you are still responsible for provisioning antivirus, firewall, and monitoring technology on your user devices (laptops, tablets, smartphones etc.)
4. Develop and implement policies and procedures. Cloud providers won’t create policies on user on-boarding and off-boarding, access controls by department and role, notifying users of events etc. It’s up to you.
5. Training users. It’s your responsibility to train users to prevent breaches and to notify appropriate personnel if they notice something awry.
6. Establish disaster recovery capabilities. If a security breach causes your data to be held hostage or destroyed, your ability to recover quickly through a strong disaster recovery program mitigates the potential damage of a cybersecurity attack. Many cloud providers will not automatically back up your data. A disaster recovery program, including provisions for data backup, will also help your organization recover from a variety of other issues.
7. Conduct an annual security assessment. You cannot rely on a cloud provider to identify vulnerabilities (particularly in their own system!) that need to be addressed.
8. Obtain cybersecurity insurance. A cybersecurity insurance policy can help the organization offset the cost and risk of dealing with a security event, including notifying users. It also provides an annual reminder of the importance of maintaining a strong cybersecurity program.
In summary, while using cloud services is cost effective, protecting your information requires more than the services that most cloud services provide.