6 Security weak points to check when you move to the Cloud

Posted by Nicola on Friday 5th October 2018

Trust in the Cloud – Part 3

When your infrastructure is totally on-premise, protected by a firewall, and largely accessible only locally, you know where your weak points are and what limitations you have.

Once you start to move things out into the Cloud, here are 6 weak points to check (there are others):

1. Email over Office 365

You can pick up email anywhere in the world, so have you turned on Two Factor Authentication (something you know – a password, and something you have – a mobile phone)?

2. Cloud Backups

The magic security phrase is “encrypted in transit and at rest”. No one can make sense of your data as it leaves your building, or while it’s stored on the backup server unless they have the encryption key to unlock it.

3. Secure Portals

Again, “encrypted in transit and at rest” – if you ship sensitive documents out for clients to access from the cloud, you need to be sure random people can’t get access to them.

4. Password standards

The current acceptable minimum for a password seems to be 8 characters long with uppercase, lowercase, numbers and special symbols. P@ssw0rd meets those standards. You can (should!) enforce higher standards than this.
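An added example (not part of the original post) showing why the composition rule above is too weak on its own: P@ssw0rd passes it, but a check that also enforces length and looks for common words behind character substitutions rejects it. The 14-character minimum, the substitution map and the short word list are assumptions chosen for illustration.

```python
import re

# Constructed sample denylist (assumption); real deployments use a large
# list of breached or commonly used passwords.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin"}

# Undo common character substitutions before the denylist lookup.
SUBSTITUTIONS = str.maketrans(
    {"@": "a", "4": "a", "0": "o", "3": "e", "$": "s", "5": "s", "1": "i", "!": "i"}
)


def meets_basic_rule(pw):
    """The minimum quoted in point 4: 8+ chars, upper, lower, digit, symbol."""
    return (
        len(pw) >= 8
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"[0-9]", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def stricter_problems(pw, min_length=14):
    """Return the reasons a password fails the stricter (assumed) policy."""
    problems = []
    if len(pw) < min_length:
        problems.append("too short")
    plain = pw.lower().translate(SUBSTITUTIONS)
    if any(word in plain for word in COMMON_WORDS):
        problems.append("common word in disguise")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real system.
    for candidate in ["P@ssw0rd", "Welcome2018!", "correct horse battery staple"]:
        print(candidate, meets_basic_rule(candidate), stricter_problems(candidate))
```

A long passphrase fails the composition rule yet passes the stricter check, which is the trade-off to weigh when setting a policy.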

5. Password sharing

Never share passwords between cloud services: if one service is hacked, the rest soon will be.

6. Connections to Cloud services

At a minimum these need to be over HTTPS (that green padlock in a browser means an encrypted connection), but you may want to get your Cloud provider to tighten them further (assuming they can).

For sensitive services, you can ask for a VPN (Virtual Private Network) connection or tie your connections to a few locations somehow.

That’s just the front-end, the shop window.

Other points to consider:

  • How has your Cloud provider done their back-end work?
  • What about the glue between various bits of Cloud infrastructure?
  • The Independent has this article about how WhatsApp’s free backup mechanisms aren’t totally encrypted, despite WhatsApp messages being end-to-end encrypted
  • Every month, some Cloud provider gets busted for leaving a database unsecured – in August 2018 it was ABBYY document scanning
  • You have limited control of any Cloud service, but under the GDPR, you have a fair degree of responsibility. Make sure you understand the published information about any service you use.
