Trust in the Cloud – Part 3
6 Security weak points to check when you move to the Cloud
When your infrastructure is totally on-premise, protected by a firewall, and largely accessible only locally, you know where your weak points are and what limitations you have.
Once you start to move things out into the Cloud, here are 6 weak points to check (there are others):
1. Email over Office 365
You can pick up email anywhere in the world, so have you turned on Two Factor Authentication (something you know – a password – and something you have – a mobile phone)?
2. Cloud Backups
The magic security phrase is “encrypted in transit and at rest”. No one can make sense of your data as it leaves your building, or while it’s stored on the backup server, unless they have the encryption key to unlock it.
3. Secure Portals
Again, “encrypted in transit and at rest” – if you ship sensitive documents out for clients to access from the cloud, you need to be sure random people can’t get access to them.
4. Password standards
The current acceptable minimum for a password seems to be 8 characters long with uppercase, lowercase, numbers and special symbols. P@ssw0rd meets those standards. You can (should!) enforce higher standards than this.
5. Password sharing
Never share passwords between cloud services: if one service is hacked, the rest soon will be.
6. Connections to Cloud services
At a minimum these need to be over HTTPS (that green padlock in a browser means an encrypted connection), but you may want to get your Cloud provider to tighten them further (assuming they can).
For sensitive services, you can ask for a VPN (Virtual Private Network) connection or restrict your connections to a few known locations.
That’s just the front-end, the shop window.
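Point 4 as an added example (not part of the original post): the quoted minimum rule accepts P@ssw0rd, while a stricter policy rejects it. The 12-character minimum, the small deny-list and the substitution table are assumptions chosen for illustration.

```python
import re

# Constructed deny-list for illustration (assumption); in practice use a
# large list of breached and commonly used passwords.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin"}

# Undo common character swaps so "P@ssw0rd" is compared as "password".
SUBSTITUTIONS = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l",
                               "!": "i", "3": "e", "$": "s", "5": "s"})


def meets_minimum(password):
    """The rule quoted in point 4: 8+ characters, all four character classes."""
    classes = [r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return len(password) >= 8 and all(re.search(c, password) for c in classes)


def stricter_problems(password, min_length=12):
    """Reasons the password fails the stricter policy (empty list = pass).

    Assumed policy: at least min_length characters and no common word,
    even when disguised with character substitutions.
    """
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    normalised = password.lower().translate(SUBSTITUTIONS)
    for word in sorted(COMMON_WORDS):
        if word in normalised:
            problems.append("based on common word '%s'" % word)
    return problems


if __name__ == "__main__":
    # Constructed sample passwords.
    for candidate in ["P@ssw0rd", "Welcome2018!!", "correct horse battery staple"]:
        print(candidate, "| minimum rule:", meets_minimum(candidate),
              "| stricter policy:", stricter_problems(candidate) or "ok")
```

The long passphrase fails the character-class rule yet passes the length and deny-list check, which is why the stricter policy here does not simply add more required symbols.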
Other points to consider:
How has your Cloud provider done their back-end work?
What about the glue between various bits of Cloud infrastructure?
The Independent has this article about how WhatsApp’s free backup mechanisms aren’t totally encrypted, despite WhatsApp messages being end-to-end encrypted.
Every month, some Cloud provider gets busted for leaving a database unsecured – in August 2018 it was ABBYY document scanning.
You have limited control of any Cloud service, but under the GDPR, you have a fair degree of responsibility. Make sure you understand the published information about any service you use.
Have a question about Cloud security? Get in touch. You can call us on 03331 50 60 70 or email us.
Trust in the Cloud – Part 1 – It’s perfectly safe! It’s all in the Cloud!
Trust in the Cloud – Part 2 – What you need to know about Local and Cloud backup
Trust in the Cloud – Part 4 – When it’s business critical how reliable is the Cloud