Companies are increasingly shifting IT services and applications to the cloud to be readily available to employees, empowering their productivity from wherever they are and from any device.
Moving critical business information to the cloud does come with security challenges, with unauthorised access topping the list.
To protect data in the cloud, companies need to have appropriate measures in place to manage and control who has access, based on their credentials. This is according to Charl Ueckermann, CEO at AVeS Cyber Security.
“Before the cloud, everything was hosted on physical servers in your data centre at your premises. If someone wanted access to your data, they had to overcome several security obstacles along the way. A person needed physical access to your server room, bypass a firewall or intrusion prevention services installed on the servers, and outwit any other security controls blocking his/her way into the organisation’s databases.
“There is a misperception that if the cloud is secure, measures to control access like this are not necessary, as the data is in a ‘safe place’, so it must be safe. This isn’t necessarily true. The same level of vigilance is required to control access to data in the cloud than what is necessary with data hosted onsite. It is also essential to control and manage what different levels of employees can do with that data. Lack of access control, as well as the misuse of employee credentials, means data can be accessed by people who are not allowed to see it,” says Ueckermann.
He explains that companies operate in a highly-regulated environment and are obligated to protect their information. To comply with industry or governmental regulations, they should protect their data and carefully control who has access to it.
“Companies cannot rely on usernames and passwords alone to effectively control access to the cloud, as 80% of breaches in the cloud are due to weak passwords. Multi-factor authentication to access cloud services should be non-negotiable. For example, when you use Microsoft’s Authenticator on your smartphone, there are four layers of security. These are: where you are, based on the geographic location from where you are logging in; what you know, being your username and password; what you have, namely your mobile device in your hand; and who you are, which would be your biometric code to access your phone.
“Similarly, you ideally want at least three ways to authenticate your employees before they can access company resources in the cloud. Besides, there should be clearly defined containers to segregate who has access to what information once they have been authenticated. Employees should be granted access only to the information they require to do their work. Authorisation measures should also be in place to ensure that information cannot be downloaded by or shared with people who don’t have permission.
“Monitoring tools can also help to pick up on abnormal behaviours. For instance, geolocation control would detect unusual behaviours such as a login by an employee in Pretoria and five minutes later, a login in Germany by someone using the same login details. Monitoring tools will also detect mass downloads, mass deletes and any other activities that are outside the norm,” Ueckermann recommends.
He stresses that employee education should form part of any organisation’s cloud security strategy.
“People tend to trust too easily and not verify enough when it comes to IT security threats. They open emails, click on links, share information, download information and share their passwords without understanding the potential consequences. For a cloud security strategy to succeed, it is vital that employees understand the risks, how their actions can make data vulnerable, and what they can do to keep data safe.”
Ueckermann concludes with these three tips:
* Implement appropriate governance processes and policies to formalise and govern how organisations manage their data security in the cloud.
* Deploy effective technologies that are specific for the cloud to enable identity management and control access to data.
* Relentlessly continue with user education and awareness to make your employees part of the solution rather than a vulnerability.